Rob Lemos reports on the following presentation at Blackhat by Mark Loveless of Bindview; I've got some comments.

-----------------
PROGRAM WOULD HIDE NET COMMUNICATIONS

CNET reports about a program called NCovert, which uses spoofing techniques to hide the source of communications and the data that travels over the network. The technique makes it almost impossible to track where the original message came from, because the data holds only the addresses of the recipient and the third-party server.
http://news.com.com/2100-1002-5058535.html
--------------------------------

The technique works by hiding four bytes of data in the TCP header's ISN field and bouncing packets off one or more innocent third-party machines: you set your destination IP address to the third party and forge your recipient's IP as the source, so the recipient sees connection accepts or rejects arriving from real, fake, or random locations, with the real message hidden in the header fields. The connection type can be something credible like email or http.

Of course, there _are_ ISPs that do spoof-proofing, so if your ISP does this, you won't be able to forge the recipient's address on your outgoing packets usefully. Spoof-proofing usually limits you to addresses in the subnet used by your internet connection - if you've got a /24, you can impersonate one of 254 locations near yours, but if anybody's seriously trying to track you, you're busted.

There's also the problem that, unless it's sending call setups that the recipient is rejecting, there'll be a lot of half-open TCP connections on the recipient, which is a DoS problem. It's cute, though.
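From the recipient's side, the bounce traffic described above looks like reply segments (SYN/ACKs or RSTs) for connections the host never opened, which is also where the half-open-connection problem shows up. The following is an added example, not code from the article, from NCovert or from Bindview, of the detection logic a defender could run over a connection log: record every outbound SYN, and flag inbound SYN/ACK or RST segments whose four-tuple was never opened from this host. The packet records, the local address and the `Pkt` record type are constructed for illustration.

```python
# Added example (not from the article or the NCovert tool): flag inbound SYN/ACK
# and RST segments that do not match any SYN this host sent. Packets bounced off
# a third party arrive at the forged "source" address in exactly this form.
from collections import namedtuple

# Constructed record type standing in for a parsed packet capture line.
Pkt = namedtuple("Pkt", "direction src sport dst dport flags")

LOCAL = "192.0.2.10"  # constructed local address (RFC 5737 TEST-NET-1)


def find_unsolicited(packets, local=LOCAL):
    """Return inbound SYN/ACK or RST packets whose four-tuple was never opened
    by an outbound SYN from `local`.

    A legitimate SYN/ACK or RST answers a SYN we sent, so its (dst, dport, src,
    sport) must mirror a recorded outbound (src, sport, dst, dport). Anything
    else is reply traffic to a connection attempt this host never made, i.e.
    someone else used our address as a forged source.
    """
    opened = set()
    suspicious = []
    for p in packets:
        if p.direction == "out" and p.src == local and p.flags == "S":
            opened.add((p.src, p.sport, p.dst, p.dport))
        elif p.direction == "in" and p.dst == local and p.flags in ("SA", "R", "RA"):
            key = (p.dst, p.dport, p.src, p.sport)  # reverse of the outbound tuple
            if key not in opened:
                suspicious.append(p)
    return suspicious


def bounce_hosts(packets, local=LOCAL):
    """Distinct remote addresses that sent us unsolicited replies. Many distinct
    hosts in a short window is the 'real, fake, or random locations' pattern."""
    return sorted({p.src for p in find_unsolicited(packets, local)})


# Constructed sample capture: one real connection, two bounced replies.
SAMPLE = [
    Pkt("out", LOCAL, 40000, "198.51.100.5", 80, "S"),
    Pkt("in", "198.51.100.5", 80, LOCAL, 40000, "SA"),   # legitimate reply
    Pkt("in", "203.0.113.7", 25, LOCAL, 51234, "SA"),    # unsolicited accept (half-open)
    Pkt("in", "203.0.113.9", 80, LOCAL, 51235, "RA"),    # unsolicited reject
]

if __name__ == "__main__":
    for p in find_unsolicited(SAMPLE):
        print(f"unsolicited {p.flags} from {p.src}:{p.sport} to local port {p.dport}")
```

The check is stateful but cheap: a sliding window of recent outbound SYNs is enough in practice, and unsolicited SYN/ACKs (as opposed to RSTs) are the ones that leave half-open connections behind on the recipient.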
Also, Bindview's security tools site does have an interesting spoofing-detection program that works by looking at TTL values for packets you receive that are suspected of being spoofed: it traces the route to/from the purported source IP address and checks whether the time-to-live field on the suspicious packet is close enough to what a packet that really took that route would carry; if it's too far off, the packet is declared bogus.
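The TTL heuristic just described, written here from scratch as an added example (it is not Bindview's program or its code): a packet's remaining TTL should equal one of the common initial TTL values minus the hop count to the purported source, so if no common initial value explains the observed TTL within a small tolerance of the measured hop count, the packet is declared bogus. The hop counts are constructed stand-ins for a traceroute result; the tolerance and the set of initial TTLs are assumptions.

```python
# Added example, not Bindview's code: TTL plausibility check for a packet whose
# source address is suspected of being forged.

# Initial TTLs that common operating systems put on outgoing packets (assumption:
# this short list is enough for the illustration).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def implied_hops(observed_ttl):
    """Hop counts the packet could have travelled, one per initial TTL that is
    not smaller than the observed value (a TTL only ever decreases)."""
    return [initial - observed_ttl for initial in COMMON_INITIAL_TTLS
            if initial >= observed_ttl]


def ttl_plausible(observed_ttl, measured_hops, tolerance=2):
    """True if some common initial TTL minus the measured route length lands
    within `tolerance` hops of the observed TTL. Routes flap by a hop or two,
    hence the tolerance (assumed value)."""
    return any(abs(h - measured_hops) <= tolerance for h in implied_hops(observed_ttl))


def classify(suspects, route_hops, tolerance=2):
    """Label each suspect packet 'plausible' or 'bogus'.

    suspects:   list of (source_ip, observed_ttl)
    route_hops: dict source_ip -> hop count measured by tracing to that source
                (constructed here; a real tool would run the trace itself).
    """
    verdicts = {}
    for src, ttl in suspects:
        hops = route_hops.get(src)
        if hops is None:
            verdicts[src] = "unknown"  # no route measurement, cannot judge
            continue
        verdicts[src] = "plausible" if ttl_plausible(ttl, hops, tolerance) else "bogus"
    return verdicts


# Constructed traceroute results and suspect packets.
ROUTE_HOPS = {"198.51.100.5": 10, "203.0.113.7": 14, "203.0.113.9": 14}
SUSPECTS = [
    ("198.51.100.5", 54),   # 64 - 10: consistent with the real route
    ("203.0.113.7", 50),    # 64 - 50 = 14 hops: consistent
    ("203.0.113.9", 118),   # 128 - 118 = 10 hops, route is 14: too far off
]

if __name__ == "__main__":
    for src, verdict in classify(SUSPECTS, ROUTE_HOPS).items():
        print(f"{src}: {verdict}")
```

The weakness of the heuristic is visible in the code: a forger who knows the victim's OS and its distance from the recipient can pick a TTL that passes, so it catches careless spoofing rather than careful spoofing, which is still useful for triage.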