Is it possible to fake IP addresses in bulletin board postings?

[subversplat]

Eh?

If you put a false address on your internet envelopes then you won't ever get any replies. Internet connections rely on lots of confirmations going backwards and forwards so it would be counter productive to make false declarations of your address.

 

[Crispy]

Eh?

not important. it's hard to fool the postman, but if you can intercept the mail before it's in the postbox, the postman will never know.


EDIT: real-world mail analogies for the win

 

[Donna Ferentes]

If you put a false address on your internet envelopes then you won't ever get any replies. Internet connections rely on lots of confirmations going backwards and forwards so it would be counter productive to make false declarations of your address.

I wonder if you may not be missing the point here...

 

[hiccup]

Mike MI5 whatshis name? He was off the scale weird.

Yeah, that's him. Proper barmy, like.

/derail

 

[Donna Ferentes]

usenet is not like u75, with a centralised server and database. usenet is decentralised and multiple databases are on multiple servers around the world. They all talk to each other to keep their databases up-to-date with each other.

Ah, now this is what I don't understand - why that matters and what difference it would make.

 

[subversplat]

I wonder if you may not be missing the point here...

Mmm, no I know what I'm trying to say, but to not fill it with technojargon is difficult

Ah, now this is what I don't understand - why that matters and what difference it would make.

Having lots of servers sharing their bit of data means that they all have to trust what the others are saying to a certain point, so if one can be compromised to provide false information, then the others would believe that false information with very little quibble.

 

[Radar]

Eh?

Sorry Donna, i thought I'd pitched that ok.

To put it another way, If you lie about who you are nobody can visit you. This is because when they look up your name in the phone book to find your house address, they only have the false name to go on.

or something like that.

I'll shut up now, I'm shit at analogies.

 

[Crispy]

Ah, now this is what I don't understand - why that matters and what difference it would make.

It means that there is no central 'boss man' who can go into the database and fidle with it, post-hoc. There are multiple usenet servers all over the world, and one anomolous record will be overruled by all the other servers who disagree with the altered record.

BUT if you can put the fake information on the original message, before you send it, then the servers can't tell the difference. This is how it seems to me, but there may be deeper forensics you can do to tell that the original message was faked.

 

[Donna Ferentes]

To put it another way, If you lie about who you are nobody can visit you. This is because when they look up your name in the phone book to find your house address, they only have the false name to go on.

Ah yes, but the point is that people aren't faking their own addresses. The allegation is that people may be faking other people's addresses.

 

[newbie]

and it is possible to amend the records subsequent to the posting of messages, provided there is an admin function to make this possible? (I'm still unclear as to whether the records of postings would be unique to one place.)

I don't believe this is possible on Usenet. Once a message is posted to a server it is propogated to other servers across the world, thousands or millions of them, each with its own records. It's true that many do not retain posts forever, a week or a month is common, but I don't think Google is the only permanent repository.

BBS systems, lioke U75, are very different in that respect.


edit thread moves too fast for newbie shocker

 

[Donna Ferentes]

It means that there is no central 'boss man' who can go into the database and fidle with it, post-hoc. There are multiple usenet servers all over the world, and one anomolous record will be overruled by all the other servers who disagree with the altered record.

BUT if you can put the fake information on the original message, before you send it, then the servers can't tell the difference. This is how it seems to me, but there may be deeper forensics you can do to tell that the original message was faked.

Ah, excellent. If that's accurate then that tells me a lot.

 

[Crispy]

Ah yes, but the point is that people aren't faking their own addresses. The allegation is that people may be faking other people's addresses.

That is the process which looks doable on usenet.

 

[Crispy]

I'd love to tell you where the real usenet geeks hang out so you could ask them for the detailed explanation, but I have no idea where that is.

 

[subversplat]

I'd love to tell you where the real usenet geeks hang out so you could ask them for the detailed explanation, but I have no idea where that is.

They probably hang out on usenet.

 

[newbie]

try news.admin.net-abuse.usenet

 

[Radar]

Ah yes, but the point is that people aren't faking their own addresses. The allegation is that people may be faking other people's addresses.

The stuff about IP address spoofing isn't strictly relevant to usenet post forging, but it may have been used in addition.

Forging usenet posts is very similar to pissing around with emails, both systems keep a record of what servers a message has passed through in the headers of the message itself.

Normally if you include bogus information like who its from in an email, it's pretty obvious what has happened. eg You have an email claiming to be from the pres of the USA. It contains a line "from:[email protected]" which sounds believable, but if you look at the message headers you see it originated from a dial-up AOL account, which is unlikely to say the least.

In a nutshell, that's one sort of discrepency you use to detect forged emails. Usenet has its own message and header formats and I'm not well up on them.

 

[stdPikachu]

Faking an IP address would be possible

If you spoof the IP address header in the IP packets, isn't the sender going to send all the "yes, I got that packet, send me another" responses to the wrong IP address?

If you want IP anonnymity, use an anonymous proxy, a service like TOR or piggy back some randoms unencrypted wireless connection. Much easier than actually spoofing traffic. Replacing the IP address in the actual database itself would be pretty easy assuming you could cover your tracks well enough - if you use summat like MySQL it's a simple matter of issuing it a command like "update post_ips_tbl set src_ip='123.123.123.123' where src_ip='111.222.11.22'; and you're done.

 

[Radar]

Well after all of us trying to help, I suspect poor old Donna is bleeding from the eyeballs from information overload

 

[Crispy]

If you spoof the IP address header in the IP packets, isn't the sender going to send all the "yes, I got that packet, send me another" responses to the wrong IP address?

If you want IP anonnymity, use an anonymous proxy, a service like TOR or piggy back some randoms unencrypted wireless connection. Much easier than actually spoofing traffic. Replacing the IP address in the actual database itself would be pretty easy assuming you could cover your tracks well enough - if you use summat like MySQL it's a simple matter of issuing it a command like "update post_ips_tbl set src_ip='123.123.123.123' where src_ip='111.222.11.22'; and you're done.

Interesting stuff, but not relevant to the OP

Just so donna doesn't get confused by that

 

[Sunray]

As well as egress filtering, the lack of a return route for your spoofed address would also bite you on the ass. If your upstream wasn't filtering, you'd be able to send traffic out with the spoofed source address, but the return traffic would be headed god knows where.

So in the case of a bbs, you'd never be able to get the original http connection open.

Of course, so unless you have a cable from your machine plugged into the other machine or can intercept the comms at a point you can intercept the return packets, your screwed.

 

[Addy]

Sometimes, a poster's attempt to obfuscate their IP address on here can give the game away quicker than they'd like.

I dunno mate.
You accused me a while ago of causing some shit as you said it was my IP that gave the game away and I had feck all to do with, or even knew what you were refering to.


Appologies for skim reading, but post 28 covered most of it.
In answer to the Chess libriariman, if you know how to spoof packets then you can get away with a lot and be undetectable (to most people).

Leeching off someone elses WIFI for the wrong purpose is a more worrying scenario.

 

[Donna Ferentes]

What's "packets"?

 

[Crispy]

It's what your internet traffic is divided up into.

In the postal analogy, imagine dividing a book into its seperate pages, then mailing them individually. The recipient then opens all the mail and uses the page numbers to reassemble the book. Each packet has a Return Address and a Destination Address.

 

[Donna Ferentes]

In the postal analogy, imagine dividing a book into its seperate pages, then mailing them individually.

Actually our local postal service normally does that anyway.

 

[Signal 11]

The evidence summarised here and detailed on this thread is pretty convincing. There is no way you could fake that by "spoofing" the IP address. The only way you could do it is by having remote control of the accused's computer, e.g. by having a trojan installed on it. That's not impossible but it's very unlikely if it's been going on for 18 months, during which time someone with control of his machine could have done far worse to him e.g. by forging posts/mail from his own account.

 

[Radar]

Of course, so unless you have a cable from your machine plugged into the other machine or can intercept the comms at a point you can intercept the return packets, your screwed.

From a pov of bringing up a spoofed connection, yep!

If the default route back from the far end pushed the return traffic onto a network on which you could fuck around with their interior routing then that could work too. The chances of that are extremely slim, unless you know someone working at the ISP in question. It would be a major fuckup to allow any customer's routing protocols to a) even reach the ISP's network and b) to be honoured and generate routing table entries on the ISP's kit, but if they did you'd just inject a bogus route for the spoofed address pointing back at yourself.

 

[Ned Pointsman]

If you were REALLY that bothered there are ways involving layer two attacks that I can think of, you'd be more 'stealing' the ip address than spoofing it though.

Lot of work just for some chess business however.

 

[Boris Sprinkler]

Rootkit on the accused's PC would be the most obvious scenerio.