How an attacker spoofs the source IP address

secureIT
Level 4

Dear All,

IP address spoofing can be defined as the intentional misrepresentation of the source IP address in an IP packet.

My question here is: if an attacker is spoofing an address that belongs to an organization's private IP segment, then how will the packet travel over the internet if the header contains a private IP address? Or does an attacker spoof only a public IP address that belongs to an organization's server which has a public IP?

regards

Rajesh 


9 Replies

Hi,

Although routing at the ISP level is based on destination IPs only, most of them have basic measures to block spoofing, such as denying traffic from source addresses in the RFC 1918 ranges.

Some of them go further, but this is the minimum. So in short, providers will drop packets with private source IPs.

In a perfect world I would agree, but it seems that at least some ISPs don't follow these best practices. Many of my routers show ACL hits like the following:

10 deny ip 0.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any (259 matches)
30 deny ip 127.0.0.0 0.255.255.255 any
40 deny ip 169.254.0.0 0.0.255.255 any
50 deny ip 172.16.0.0 0.15.255.255 any (39 matches)
60 deny ip 192.0.2.0 0.0.0.255 any
70 deny ip 192.168.0.0 0.0.255.255 any (1484 matches)
80 deny ip 198.18.0.0 0.1.255.255 any (1 match)
90 deny ip 198.51.100.0 0.0.0.255 any
100 deny ip 203.0.113.0 0.0.0.255 any
110 deny ip 224.0.0.0 31.255.255.255 any

I'm pretty confident that these are not attacks that involve address spoofing. Those are just misconfigured NATs somewhere on the internet, combined with providers without proper ingress filtering.

Back to the original topic. There are two reasons that addresses are spoofed:

  1. The attacker wants to look like an authorized source to start some activity on the destination system. I would consider this problem solved, as at least on the internet it is very hard to achieve. But on the local LAN it is much easier.
  2. The attacker tries to hide his activity, as is done in a (D)DoS attack. Here it is quite common to spoof the source addresses, and recent activity shows that it's still easy to achieve. BCP38 is one of the documents that more ISPs have to read ...

Dear All,

As per my understanding, any attacker from the outside world can't change their source IP to a private IP address, as it is not routable. Hence they will find a NATed server in an organization, assign that NAT public IP as the source, and try to do a DoS attack and spoof. Please correct me if I am wrong... I am thinking from the attacker's point of view. I'm sure that most firewalls will block such traffic by uRPF (ip verify) and anti-spoofing on ASA and Checkpoint respectively.

regards

Rajesh P

"Not routable" means that a private IP as the destination address will never find its way to the right destination. To make it more complicated, this is not true for the ISP that connects your network: that ISP can always route a private IP range to your network.

For private IPs as the source address, countermeasures like uRPF are available. But these have to be configured, as they are not default on all devices. And reality shows that this is not always the case.

I still wonder how an ISP will send a packet when its source IP is private.

(That ISP can always route a private IP range to your network.)

To travel through the internet your IP should be public, right?

I'm concerned only about the source IP.

Without any special countermeasures, a routing device will not even look at the source address, and it doesn't matter if it's a private IP, the right public IP, or an IP that is assigned to someone else. The router just won't care about it.
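The following is an added example, not code from anyone in this thread. It puts the point of the last few replies into working code: an IPv4 header is just bytes, so the sender can write any source address into it; a router that forwards on destination alone will pass such a packet; and the RFC 1918/bogon deny list posted above, plus the uRPF check mentioned later, is what actually drops it. Everything is constructed for illustration: a toy ISP edge whose customer port Gi0/1 is assigned 203.0.113.0/24 and whose upstream is Gi0/2, with the documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 standing in for real public assignments (so those two lines of the posted ACL are omitted from the example's deny list). Packets are built in memory only; nothing is sent.

```python
"""Spoofed source vs. destination-only forwarding vs. BCP38 ingress filtering.

Added example, not code from the original thread. Addresses, interfaces
and packets below are constructed; 203.0.113.0/24 and 198.51.100.0/24 play
the role of real public assignments, so they are left out of BOGON_ACL.
"""
import ipaddress
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Build a valid IPv4 packet with any source address at all.

    Nothing in the header format binds the source field to the real sender;
    writing someone else's address into it is the whole of 'spoofing'.
    """
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode source, destination and whether the header checksum verifies."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {
        "src": str(ipaddress.IPv4Address(f[8])),
        "dst": str(ipaddress.IPv4Address(f[9])),
        "checksum_ok": ip_checksum(packet[:20]) == 0,
    }


# Constructed forwarding table: longest match on the destination, nothing else.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",  # customer port
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/2",       # upstream / default
}

# RFC 1918 and bogon ranges from the ACL posted earlier in the thread.
BOGON_ACL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/3",
)]


def route(addr: str) -> str:
    """Destination-only lookup, the way a router without uRPF decides."""
    ip = ipaddress.IPv4Address(addr)
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def ingress_filter(packet: bytes, iface: str) -> tuple:
    """BCP38-style check on the customer-facing port: static deny list first,
    then strict uRPF (the source must route back out the arrival interface)."""
    src = parse_ipv4(packet)["src"]
    for net in BOGON_ACL:
        if ipaddress.IPv4Address(src) in net:
            return False, "deny ip %s any" % net
    if route(src) != iface:
        return False, "uRPF: source %s not reachable via %s" % (src, iface)
    return True, "permit"


def forward(packet: bytes, in_iface: str, bcp38: bool) -> str:
    """Egress interface, or a drop reason when ingress filtering rejects it."""
    if bcp38:
        ok, why = ingress_filter(packet, in_iface)
        if not ok:
            return "drop (%s)" % why
    return route(parse_ipv4(packet)["dst"])


if __name__ == "__main__":
    server = "198.51.100.80"                                 # victim far away
    legit = build_ipv4("203.0.113.10", server, b"hello")     # customer's own IP
    spoofed = build_ipv4("192.168.1.20", server, b"hello")   # forged private src
    for name, pkt in (("legit", legit), ("spoofed", spoofed)):
        print(name, parse_ipv4(pkt),
              "no-filter:", forward(pkt, "Gi0/1", False),
              "bcp38:", forward(pkt, "Gi0/1", True))
```

With filtering off, the packet carrying a 192.168.1.20 source is forwarded to the upstream exactly like the legitimate one, which is the behaviour Karsten describes; with the deny list and uRPF on, it is dropped at the first hop, and a packet forged with some other network's public address is caught by the uRPF check instead.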

A user or attacker who has to reach a destination server will always have a public IP as the source (either the modem, router or firewall will do NAT) and a public IP as the destination.

As per my knowledge, if any of these fields is private, then it will never reach the destination.

If a source IP is private and it reaches the public internet without NAT, then what is the use of the PAT/Hide NAT concepts?

Moreover, as you said, the ISP will look only at the destination and not the source address to pass the traffic to the internet; then you are indirectly saying that the ISP is going to do a NAT on the source IP? If it's going to do a NAT, then again the source IP will be changed to another public IP, and a spoofing attack needs the same IP address to be shown as the server's address (either public or private); only then, after reaching the firewall, will it be detected as a spoofed IP address and blocked if configured properly. Otherwise the firewall will send a SYN-ACK to the server, thinking that this is the server that sent the SYN request, and finally end up in a DoS attack.

Sorry to say that I am still not clear on what you have said earlier.

You are incorrect in your assumption that both IPs need to be public for the packet to reach its destination.

Using your example of a server across the internet, the destination IP needs to be public but the source IP does not, because routers usually don't care about source IPs.

You ask what the purpose of PAT is: it is so that the return traffic can be routed back to the source IP.

Jon

Agreed on the point that return traffic is not sent unless NAT is done. So spoofing is possible.

Thanks a lot :)

Is there any tool available which can change my IP to a private one while sending packets out? Kali Linux?
