Spoofaudit: Spoofingrules Auditing Tool
This network auditing tool will help you to determine what basic spoofing filters are pressent between
two testpoints on two networks, and what anti spoofing filters are missing. They tools are designed to
work between endpoints that would not normaly have any filtering between them exept for anti-spoofing
I have also written an article about the
importance of anti-spoofing measures for the general security on the
In order to determine the spoofing filtering setup of a network three types of spoofed adresses are needed,
and two test directions, this will give an almost complete picture of the spoofing filters pressent,
although for some spoofing filters the location may not be completely clear by a single measurement, and
a 3th point may be needed in order to find the location of the filters.
Basicaly there are 3 kinds of adresses that could be used in spoofing:
- Adresses that fall within the network of the target (TS), these should be filtered by the border routers
of the target, any normal network operator will have these filters in place, any network without these
Egress filters mostly falls into the category of MCSE administered networks.
- Adresses that fall outside of both networks (FS). These should be filtered by the border router of the
source network. Any admin with some sense will install these Ingress filters,
unfortunately it seems that some ISP's don't do this.
If an ISP does implement TS filters but no FS filters, mostly these are
the type of ISP's that have a admin crue that has likes
to be able to spoof itself, you should probably have some second thougths if you want to be on a network
that is either run by a bunch of hackers.
These filters are the
filters that are the most crucial for the overall security of the
- Adresses that fall within the network of the spoofer (LS), these could be filtered in terminal servers of
the source network. There seems to be only a hand full of ISP's that still use this, looks like that is
what you get from letting the telco's run this end of the network. The risk of not having these filters
is fairly limmited, but if you have a choice go for a network that does have these filters if you can
The toolkit exists of two litle cute perl scripts that are to be run on two different testpoint machines
on the two networks. The scripts both require the Net::RawIP
perl module that can be found on cpan, and
both need to run as root. Please note that no security review has yet been done on the code in its
current alpha state (and I don't know if i'll have the time to do it), so be carefull where you run it,
and dont keep the server running.
The server is started without any parameters.
The client needs three parameters in order to make a complete audit:
No adress outside these networks is needed as the adress of the DNS A
rootserver is used for this as a unlikely ip adress to be on either of
the two networks.
- The IP adress of the server
- A ip adress on the clients network that it can use to see if it can spoof this.
- A ip adress on the servers network that it can use to see if it can spoof this.
Download Version 0.1.3
This tool is intended to serve as a way to help make networks saver, if
you find out with this tool that a certain network provider is not
implementing crucial spoofing filters as described in RFC 2827 and
RFC 3013 you should
notify the responsible system administration of this flaw.
In this way you are helping to make the internet a safer place. IP FS
spoofing is a major factor in some of the current DDOS methodoligies, so by helping to bring
back spoofing possibilities you are not only helping to make the internet
safer, but also to give the internet a higher availability.
By using this software you are agreeing to share the result of the audit
with the administrator of the flawed network for all the missing FS and TS
anti-spoofing filters you discover.
Rob J Meijer 11/2000