Spoofaudit: Spoofingrules Auditing Tool

This network auditing tool will help you to determine what basic spoofing filters are pressent between two testpoints on two networks, and what anti spoofing filters are missing. They tools are designed to work between endpoints that would not normaly have any filtering between them exept for anti-spoofing filters.

I have also written an article about the importance of anti-spoofing measures for the general security on the internet.

In order to determine the spoofing filtering setup of a network three types of spoofed adresses are needed, and two test directions, this will give an almost complete picture of the spoofing filters pressent, although for some spoofing filters the location may not be completely clear by a single measurement, and a 3th point may be needed in order to find the location of the filters.

Basicaly there are 3 kinds of adresses that could be used in spoofing:
The toolkit exists of two litle cute perl scripts that are to be run on two different testpoint machines on the two networks. The scripts both require the Net::RawIP perl module that can be found on cpan, and both need to run as root. Please note that no security review has yet been done on the code in its current alpha state (and I don't know if i'll have the time to do it), so be carefull where you run it, and dont keep the server running.
The server is started without any parameters.
The client needs three parameters in order to make a complete audit: No adress outside these networks is needed as the adress of the DNS A rootserver is used for this as a unlikely ip adress to be on either of the two networks.

Download Version 0.1.3

Acceptable Usage

This tool is intended to serve as a way to help make networks saver, if you find out with this tool that a certain network provider is not implementing crucial spoofing filters as described in RFC 2827 and RFC 3013 you should notify the responsible system administration of this flaw. In this way you are helping to make the internet a safer place. IP FS spoofing is a major factor in some of the current DDOS methodoligies, so by helping to bring back spoofing possibilities you are not only helping to make the internet safer, but also to give the internet a higher availability.
By using this software you are agreeing to share the result of the audit with the administrator of the flawed network for all the missing FS and TS anti-spoofing filters you discover.

Rob J Meijer 11/2000