Now, the easiest way to check if you can send packets to the Internet with a fake source IP address would be with two computers (in different ASs), but that's no fun, is it? :)
Basically, the idea is you can know from a DNS caching server if you are the first client getting the reply to some query by either
- asking it about a domain for which it would have to recurse, while forbidding recursion: if you get a positive reply this means somebody else asked the same question before you
- comparing maximum Time-To-Live value for the test domain with the TTL value you received in the reply: if different, this too means somebody else asked the same question before you
The only problem is making sure no network equipment enforced a real source IP address on the packets... Some ISPs might simply rewrite the source IP address (instead of just dropping the packet, which most of them do) : this is easy to detect because you would get replies to both the "fake" and real queries. NAT routers are more annoying: mine accepts the fake public IP address as source to the packets, stores it in its table, forwards the packets with its real IP address, and when the replies arrive... doesn't know whom to send the packets to, other than to the DMZ (which is noticeable because it starts sending ARP requests for it)... Stupid, stupid NAT router!
Anyway, here's the code.
New versions of Scapy introduced a syntax error apparently: one has to change "from scapy import *" to "from scapy.all import *"
ReplyDeleteThanks to Archangel Amael from the Backtrack Forums for reporting the problem and providing a solution in his blog: http://archangelamael.blogspot.com/2010/06/bug-and-fix-in-isppy-in-bt4.html