23

Think about the following:
Your ISP offers you a dynamic ip-address (for example 123.123.123.123).

My question is simple (the answer may not be):

Is it possible to send a single udp-packet with an outer source-ip (for example 124.124.124.124) to a fixed-ip server? I don't need to get an answer from the server. I just want to know if/how this one way communication can be done, using a faked source-ip address.

Neither the server nor anyone else should be able to find out the real client IP.

Alexis Wilke
raisyn

4 Answers

16

The UDP packet does not actually have the source (your) IP address. The source IP address is part of the packet it is sent in. So you would have to modify the packet it is enclosed in. So while it is non-trivial, it is possible. The packet structure for UDP, and the enclosing packets for reference.

Alexis Wilke
Jacob Schoen
  • So I need to set up the whole IPv4 packet (containing the faked IP) and send it to the server? – raisyn Mar 22 '10 at 15:41
  • That is correct. Essentially you create a fake packet containing the UDP info, and send that. May I ask why you are trying to do this? – Jacob Schoen Mar 22 '10 at 16:14
  • If I'm able to set up a prototype that can perform the task, I may write a security application as my final year project which allows multiple clients to exchange data over the internet, without someone else knowing that there is a connection between the partners. Do you have any suggestion how to implement sending of the fake packet? – raisyn Mar 22 '10 at 16:47
  • Honestly, I am not sure how to do this, and only knew about this because I am taking a Network Security class at the moment. Maybe make another SO question about that, and you might get some suggestions from others. – Jacob Schoen Mar 22 '10 at 17:17
  • Thanks a lot! Can you please explain what a SO question is? – raisyn Mar 22 '10 at 17:24
  • oh thx! see: http://stackoverflow.com/questions/2494489/how-to-send-raw-data-over-a-network – raisyn Mar 22 '10 at 18:12
  • Be careful, the UDP header does contain the IP address! Just read a bit more in the article you provide: http://en.wikipedia.org/wiki/User_Datagram_Protocol#Checksum_computation – Jules Olléon Apr 11 '10 at 15:21
  • I found a way to send the manipulated packet (checked with wireshark)... but I assume the ISP drops it... because it cannot be received – raisyn Jul 15 '10 at 21:26
  • @raisyn why is it that it cannot be received? How does an ISP detect it to be suspicious? – Alex Apr 01 '14 at 06:54
  • 2
    @Alex, your ISP happens to know your IP address? If they filter UDP packets, then they can very easily make sure it comes from you and drop anything else. – Alexis Wilke Dec 06 '16 at 20:19
12

This is IP spoofing. Unless your ISP is a dodgy Russian one, it will probably prevent you from doing that (the first router will just drop the packet because it is suspicious).

If you don't want to be identified you should try to find a proxy supporting UDP...

Or you can buy a botnet. :)

(if you didn't get it, that's a joke, don't do that)

Jules Olléon
  • 5
    Funny. The reason I came to this question is because I am trying to prove to a major ISP in a western country that they're actually not packet filtering at all, and they don't believe me. – tudor -Reinstate Monica- Mar 09 '16 at 04:45
  • 1
    Here's [another question](http://security.stackexchange.com/questions/100903/is-ip-spoofing-still-a-threat-in-the-internet) with a link to [current spoofability trends](https://spoofer.caida.org/summary.php). Turns out more than 10% of ... something is spoofable! – Josiah Yoder Sep 08 '16 at 19:15
  • @Jules, you know there are loads of Russians here on SE? – Pacerier Oct 23 '17 at 19:01
  • @tu-ReinstateMonica-dorduh four years later and I'm interested if you ever found out if they weren't in fact filtering? :D – dwb Jul 21 '20 at 21:01
3

If your ISP employs egress filtering and they don't control the address block that 124.124.124.124 is on, then no.

If they do control it and expect that to be a valid IP leaving their site, possibly. They might tie IPs to MAC addresses and block this. Maybe not.

You could change the IP of your pc to that address and just use a program to send a udp packet. There's no such thing as a "fake IP". They all in the end do exist. They are either legitimately assigned or not.

Finally I would not suggest taking this action.

Sebastian
jouell
0

You will need to have access to your ISP router in order to do that. If you send a raw UDP packet with all the information to the other server, the router will encapsulate it in another Package with your real IP.

jpabluz
  • so you think it is not possible? – raisyn Mar 22 '10 at 15:30
  • as @jschoen says, it is not trivial, and it is probably against your ISP's Terms of Service. – jpabluz Mar 22 '10 at 15:41
  • Do you have any idea how to send an enclosed packet (like jschoen says) using C# or C/C++? – raisyn Mar 22 '10 at 16:00
  • I have no idea, but would look first in documentation from a Network Driver, and see if that is possible in your ethernet card... but still I think that encapsulation takes place on the Router, which your network card connects to, so there will be trouble in trying to send a packet without your real-IP information to be sent. – jpabluz Mar 22 '10 at 17:48
  • 8
    A router simply forwards the packets it receives. It may (depending on configuration) discard a packet having an obviously fake source, but as a rule routers do not change the source address. NAT gateways and transparent proxies would. But only a VPN endpoint would actually encapsulate the packet further. – Ben Voigt Mar 22 '10 at 18:15
  • @BenVoigt How is an obvious fake source determined? – Alex Apr 01 '14 at 06:57
  • 1
    @Alex: [Reverse path filtering](http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html) – Ben Voigt Apr 01 '14 at 07:04
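
The egress filtering and reverse path filtering mentioned in the answers and comments above, as an added example that is not part of the original thread: a small Python model of the source-address checks an ISP edge router can apply to an arriving packet. The interface names, prefix lengths and routing table are constructed for illustration; only the two addresses come from the question.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str

# Constructed routing table of a hypothetical ISP edge router (assumption).
FIB = [
    Route(ipaddress.ip_network("123.123.123.0/24"), "cust0"),   # asker's line
    Route(ipaddress.ip_network("124.124.124.0/24"), "cust1"),   # another customer
    Route(ipaddress.ip_network("0.0.0.0/0"), "uplink"),         # default route
]
# Blocks the hypothetical ISP controls (assumption).
OWNED = [r.prefix for r in FIB[:2]]

def best_route(fib, addr: str) -> Optional[Route]:
    """Longest-prefix match, the same lookup used for forwarding."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in fib if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def rpf_accepts(fib, src: str, in_iface: str, mode: str = "strict") -> bool:
    """Reverse path check on the source address of an arriving packet.

    strict: the best route back to src must use the arrival interface.
    loose:  any route to src is enough (a default route satisfies it here).
    """
    route = best_route(fib, src)
    if route is None:
        return False
    if mode == "loose":
        return True
    return route.interface == in_iface

def border_egress_accepts(owned, src: str) -> bool:
    """Egress ACL at the ISP border: source must lie in an ISP-owned block."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in owned)

def verdicts(fib, owned, src: str, in_iface: str) -> dict:
    """Run all three checks for one packet and report which would accept it."""
    return {
        "strict_rpf": rpf_accepts(fib, src, in_iface, "strict"),
        "loose_rpf": rpf_accepts(fib, src, in_iface, "loose"),
        "border_egress": border_egress_accepts(owned, src),
    }

if __name__ == "__main__":
    for src in ("123.123.123.123", "124.124.124.124", "198.51.100.7"):
        print(src, verdicts(FIB, OWNED, src, "cust0"))
```

With a default route installed, loose mode accepts every source, and a border-only ACL accepts any source inside the ISP's own blocks; only the strict check on the customer-facing interface ties the source address to the line it arrived on.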