Internaut: HSD should fix a big weakness -- spoofing

Shawn P. McCarthy

As the Homeland Security Department starts collecting data about infrastructure vulnerabilities, I hope it will focus on one of the most obvious: hackers' ability to cover their tracks by spoofing IP addresses.

In the interest of protecting national infrastructures, HSD recently asked high-tech and telecommunications companies to keep the government in the loop about glitches in their Internet, telecom and other services. The department has proposed regulations for sharing and protecting such information, at Comments will be accepted until June 16.

The proposal is controversial because most companies won't discuss their vulnerabilities. They fear such info might find its way to competitors, the media or thieves. Also, they're uncertain whether government-collected data could be shielded from Freedom of Information Act requests.

Beyond the political issues, there's plenty of reason to get cracking on some already well-known infrastructure problems.

The Internet was designed so that a packet dropped anywhere can still be routed to its destination as long as the packet holds the correct destination data. The Net trustingly assumes that the 'from' data is correct. As we now know, that's a bad assumption.

But fixing it means overhauling the Internet Protocol, which isn't going to happen overnight. In fact, that's been under way for a decade.

Most Net traffic still uses IP Version 4, which is more than 20 years old. Besides its security issues, it's running short of IP address space.

IP Version 6 solves the address problem and fixes some but not all spoofing problems via encryption and authentication. More information appears at

If the Homeland Security folks want to make the Internet infrastructure more secure, focusing on the future of IP is a good place to start.

In the meantime, egress filtering can help. That simply means not passing along a packet that cannot be verified as authentic. Setting up subnetworks of trusted Internet providers that do egress filtering is one way to reduce spoofing, though we'd never be able to trust the whole Net.
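The egress check described above, shown as an added example that is not part of the original column. It uses the common form of the rule, in which a border device forwards an outbound packet only if its source address lies inside the site's own assigned prefixes. The prefixes (documentation ranges), function names and sample packets are all constructed assumptions.

```python
import ipaddress

# Constructed example: the prefixes assigned to this site (documentation ranges).
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

def egress_decision(src, local_prefixes=LOCAL_PREFIXES):
    """Return ("forward" | "drop", reason) for an outbound packet's source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source")
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged by its embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # These should never appear as the source of a packet leaving the site border.
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        return ("drop", "source not valid at the site border")
    for net in local_prefixes:
        if addr.version == net.version and addr in net:
            return ("forward", f"source inside {net}")
    return ("drop", "source outside assigned prefixes (possible spoof)")

def filter_outbound(packets, local_prefixes=LOCAL_PREFIXES):
    """Split (src, dst) pairs into forwarded and dropped lists, keeping the reason."""
    forwarded, dropped = [], []
    for src, dst in packets:
        verdict, reason = egress_decision(src, local_prefixes)
        (forwarded if verdict == "forward" else dropped).append((src, dst, reason))
    return forwarded, dropped

if __name__ == "__main__":
    # Constructed sample of outbound traffic: (source, destination).
    sample = [
        ("192.0.2.17", "198.51.100.8"),      # legitimate local host
        ("203.0.113.9", "198.51.100.8"),     # forged source from another network
        ("2001:db8:10::5", "2001:db8:ff::1"),
        ("::ffff:192.0.2.17", "2001:db8:ff::1"),
        ("127.0.0.1", "198.51.100.8"),
    ]
    forwarded, dropped = filter_outbound(sample)
    for src, dst, reason in forwarded:
        print(f"FORWARD {src} -> {dst}: {reason}")
    for src, dst, reason in dropped:
        print(f"DROP    {src} -> {dst}: {reason}")
```

The dropped list is also useful as a detection signal: a local host that emits packets with foreign source addresses is either misconfigured or compromised.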

Managers looking for other solutions can study antihacker Steve Gibson's RSVP Agent. It's in a new version of his Shields Up site, which upon request will probe a visitor's PC for vulnerabilities. See

To ensure that the site connects to the PC from which the request supposedly originated, Gibson establishes a secure temporary connection before trading information or services.

It would be interesting to apply this idea to government servers as yet another defense against spoofing. Learn more about RSVP Agent at

Shawn P. McCarthy designed products for a Web search engine provider. E-mail him at [email protected].

About the Author

Shawn McCarthy, a former writer for GCN, is senior analyst and program manager for government IT opportunities at IDC.

