[TriLUG] IP Address spoofing

Igor Partola igor at igorpartola.com
Wed Jan 25 08:09:06 EST 2012


Morning TriLUG!

Due to a variety of reasons I have a need to spoof IP addresses of UDP
packets over a hosting provider's network (SoftLayer). The main use case is
that a hostname is being moved from one box to another, but the UDP traffic
still needs to end up on the original server and the original server needs
to be able to talk to the IP:port that sent the original packet back.

Having done the fun part of writing a packet sniffer and spoofer, I am now
running into some interesting issues. First a little about the setup. Let's
say I have boxes Alpha and Beta and the domain name example.com, which used
to be on Alpha but is now moving to Beta. The ifconfig on Alpha looks like
so:

eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:174.36.X.X  Bcast:174.36.Z.Z  Mask:255.255.255.248
          ...

eth1:1    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:174.36.Y.Y  Bcast:174.36.255.255  Mask:255.255.255.255
          ...

The service that listens to the UDP packets normally runs on 174.36.Y.Y. I
set up my sniffer/spoofer to forward packets from Beta:main IP =>
174.36.Y.Y, but no traffic comes through (according to tcpdump). However,
if I set it up as Beta:main IP => 174.36.X.X, it works like a charm. Of
course if I disable the spoofing and just forward the packets either
address works.

My question is, why would spoofing the IP address work on the "real" eth
interface, but not on the virtual one?

Thanks in advance!
Igor


