[lug] how to track forged packets in a virus spoof
Nate Duehr
nate at natetech.com
Thu Aug 21 15:49:26 MDT 2003
D. Stimits wrote:
> I'm running into a case of this new sobig.f virus not only forging
> headers, but also forging the dotted decimal IP address. I verified this
> with a DoD facility responsible for the dotted decimal IP address of
> origination that is showing up on all these virus notices that occur
> when virus scanners send out reject notices. After talking to their guy
> there I am convinced this virus is going well beyond normal means, that
> actual packet mucking has gone on here to disguise its origins. Is there
> any way to track something that is both header forged and packet forged?
>
> D. Stimits, stimits AT comcast DOT net
Not easily.
Any ISP who is allowing packets OUTBOUND from their network that are in
ranges they don't own should be tarred and feathered. :-)
Oops... did I say that? Sorry...
Seriously though... ISPs should all have egress filters to stop IP
spoofing stuff. Some don't.
Having those ISPs around is like having the bad neighbors with twelve
dead cars on the lawn on cinder blocks, and the grass that's six feet high.
But... asking someone to regulate that is like asking for the evil
homeowner's association do-gooders, with nothing better to do than
measure your grass with a micrometer every day, to come take over your
neighborhood.
Neither is a good proposition... so we'll hang out here in the middle. ;-)
--
Nate Duehr, nate at natetech.com
"A mind is like a parachute--you should open it only in certain
very specific life-threatening situations." - Frank Willison
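The egress filtering Nate refers to (what is now usually called BCP 38 / source address validation) is the one control that actually stops a host from emitting packets with a forged source address. The following is an added example, not code from the thread or any ISP: it takes a hypothetical set of prefixes an operator owns (the prefixes and flow records are constructed), flags outbound flows whose source is outside those prefixes, and renders the equivalent nftables rule so the same policy can be enforced on a border router.

```python
# Added example (not part of the original mailing-list post): a BCP 38-style
# egress check.  A network may only originate packets from prefixes it owns;
# anything else leaving the border is spoofed and should be dropped and logged.
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical prefixes assigned to "our" network (assumption, not from the page).
OWNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed outbound flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("203.0.113.17", "192.0.2.10", 25),    # legitimate: inside our /24
    ("198.51.100.200", "192.0.2.10", 25),  # spoofed: our /25 ends at .127
    ("10.0.0.5", "192.0.2.10", 25),        # spoofed: private space leaking out
    ("198.51.100.42", "192.0.2.11", 25),   # legitimate: inside our /25
]


def egress_allowed(src: str, owned: Iterable[ipaddress.IPv4Network] = OWNED_PREFIXES) -> bool:
    """True if src falls inside a prefix this network is allowed to originate from."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in owned)


def find_spoofed(flows, owned=OWNED_PREFIXES) -> List[Tuple[str, str, int]]:
    """Return the flows an egress filter would drop (and a SOC would want logged)."""
    return [flow for flow in flows if not egress_allowed(flow[0], owned)]


def nft_rule(owned, iface: str = "eth0") -> str:
    """Render an nftables rule that drops outbound packets not sourced from our prefixes.

    The interface name is a placeholder; the rule belongs in a forward/output chain
    on the border device.
    """
    nets = ", ".join(str(net) for net in owned)
    return f'oifname "{iface}" ip saddr != {{ {nets} }} counter drop'


if __name__ == "__main__":
    for flow in find_spoofed(SAMPLE_FLOWS):
        print("would drop spoofed egress:", flow)
    print(nft_rule(OWNED_PREFIXES))
```

The point of rendering the rule is that the check is cheap and static: an operator knows its own prefixes, so a single negated set match at the border catches every forged source, regardless of which worm or mailer produced it. The `counter` keyword makes drops visible, which is also how the origin of a spoofed stream gets traced back one hop at a time.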