$Id: README 587 2009-05-03 20:11:49Z rbeverly $

IP Spoofing Tester v0.8 (http://spoofer.csail.mit.edu)
-------------------------------------------
1. About the Project

The MIT ANA Spoofer project measures the Internet's susceptibility to
spoofed source address IP packets.  Malicious users capitalize on the
ability to "spoof" source IP addresses for anonymity, indirection,
targeted attacks and security circumvention.  Compromised hosts on
networks that permit IP spoofing enable a wide variety of attacks.  

We measure various source address types (invalid, valid, private),
granularity (can you spoof your neighbor's IP address?), and location
(which providers are employing source address validation?).  Our
research is particularly relevant given the regular appearance of new
spoofed-source-based exploits, despite decades of filtering effort.


2. Running / Building

  a. On Windows and Mac OS X, please download and run the installer.

  b. On *unix systems, uncompress and untar with:
      $ gzip -dc spoofer-xxx-0.8.tar | tar -xvf -
     You must run the spoofer as root (in order to create 
     the raw socket) with no arguments, e.g.
       # ./spoofer
     For IPv6 support, you must use a patched version of
     libnet (included: libnet-1.1.3-RC-01-ipv6.diff).

  c. Alternatively, download and build from source.  Untar the
     source tarball, run "./configure" to configure and then "make"
     to build the tester binary.


3. How it works

The spoofer program attempts to send a series of spoofed UDP packets
to servers distributed throughout the world.  These packets are
designed to test:

  - Different classes of spoofed traffic including bogons, 
    RFC1918 and valid sources
  - Ability to spoof neighboring, adjacent addresses
  - Where along the path filtering is employed
  - Presence of a NAT device along the path
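
The source classes and the granularity question above, seen from the
filtering side.  This is an added example, not code from the spoofer
project: it models source address validation as a plain prefix match,
and the addresses (documentation prefixes standing in for routable
space), the short bogon list and all function names are constructed
for illustration.

```python
import ipaddress

# Illustrative subset of reserved ("bogon") space; not a complete bogon list.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
RFC1918 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(src, host, assigned):
    """Label a packet's source address relative to the host that sent it."""
    src = ipaddress.ip_address(src)
    if src == ipaddress.ip_address(host):
        return "own"
    if any(src in n for n in RFC1918):
        return "rfc1918"
    if any(src in n for n in BOGONS):
        return "bogon"
    if src in ipaddress.ip_network(assigned):
        return "neighbor"          # another address in the same assigned prefix
    return "valid-foreign"         # routable, but belongs to someone else


def sav_permits(src, host, granularity):
    """Would a filter validating sources at /granularity forward this packet?

    Assumed model: permit only sources inside the prefix of that length
    which contains the host's real address.
    """
    allowed = ipaddress.ip_network(f"{host}/{granularity}", strict=False)
    return ipaddress.ip_address(src) in allowed


def leak_table(host, assigned, sources, granularities=(24, 28, 32)):
    """Map each source to (class, prefix lengths at which it still gets out)."""
    return {s: (classify_source(s, host, assigned),
                [g for g in granularities if sav_permits(s, host, g)])
            for s in sources}


if __name__ == "__main__":
    # Constructed sample: host 198.51.100.10 in assigned prefix 198.51.100.0/24.
    samples = ["198.51.100.10", "198.51.100.11", "198.51.100.200",
               "203.0.113.7", "10.1.2.3", "240.0.0.1"]
    for src, (cls, passes) in leak_table(
            "198.51.100.10", "198.51.100.0/24", samples).items():
        print(f"{src:16} {cls:14} passes filters at: {passes or 'none'}")
```

A /24 filter stops bogon, RFC1918 and foreign sources but still lets a
host claim any neighbor's address; only per-host (/32) validation
closes that gap.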


4. Background / Does Spoofing Matter?

In a word, yes.  While botnets, NATs and existing source address
validation efforts have changed the security landscape, IP spoofing
remains a serious concern.  New spoofing-based attacks regularly
appear (most recently against the DNS infrastructure) despite decades
of previous exploits and prevention/tracing attempts.  Please see our
web site for FAQs, papers, and more information that addresses many of
these common questions:
   http://spoofer.csail.mit.edu/faq.php


5. Frequency of testing

The server that the spoofer client interacts with permits at most
three sessions from any single client within the last seven days.  We
limit the number of tests to prevent abuse of our servers and remote
networks.  However, periodically running our client, even from the
same point in the network, gives us additional data.  For instance, we
are very interested in how ISP policies change over time.  If you wish
to set up the spoofer client as a cron job, please schedule it to run
monthly.


6. Feedback

Written by Rob Beverly <rbeverly at csail/mit/edu>.  Feedback, flames and
bugfixes welcome.

