| subject: | Re: spoofing clients |
From: Mike N.

On Wed, 5 Apr 2006 06:20:33 -0400, "Geo" wrote:

>OIC, the packet would have a source address of x.x.x.x but the data part
>would have 192.168.254.x so it would appear spoofed, and if the internal
>subnet is real IP addresses but natted then there is no way to tell a false
>positive.

Thinking it through further, on the NAT case, we can detect a false test. The odd NAT translates the spoofed address to a WAN address before sending it out. So we'd see the packet come in with the real IP address.

>> The relatively easy case is ActiveX, but this would cover only Windows
>> and IE.
>
>I think that would cover at least 90% of the people browsing to the site so
>plenty good enough for a start. What about the fact that W2K has raw sockets
>but XP doesn't, does that present any problems?

I think XP still has some remaining spoof capability. I forget the details now, but we should be able to find some spoofable protocol.

Thinking further, I think it may be possible to coax some sort of ICMP packet from certain devices that will have the natted private IP address as an ICMP source address. In cases where it comes through, they aren't using BCP38. I've seen many of these on the network being blocked, but never investigated in detail how they were created.

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

| SOURCE: echomail via fidonet.ozzmosis.com | |
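
The server-side comparison discussed in this message, as an added example that is not part of the original post: it classifies a test probe by comparing the source address it arrived with against the client's ordinary connection address and the address the client reported trying to send from. The function name, result labels and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges listed explicitly: ipaddress.is_private also matches the
# documentation ranges (e.g. 203.0.113.0/24) used as sample addresses below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def classify_probe(control_src, spoofed_src, observed_src):
    """Classify one test probe as seen by the test server (hypothetical helper).

    control_src  -- client address seen on the ordinary, unspoofed connection
    spoofed_src  -- source address the client reported it tried to send from
    observed_src -- source address on the probe that arrived, or None
    """
    if observed_src is None:
        return "filtered-or-lost"        # probe never arrived
    control = ipaddress.ip_address(control_src)
    spoofed = ipaddress.ip_address(spoofed_src)
    observed = ipaddress.ip_address(observed_src)
    if observed == spoofed:
        return "spoof-passed"            # no source filtering on the path
    if observed == control:
        return "nat-rewritten"           # NAT translated it: a false test
    if is_rfc1918(observed):
        return "private-source-leak"     # private source crossed the WAN
    return "unexpected-source"


# Constructed sample probes: (control_src, spoofed_src, observed_src)
SAMPLES = [
    ("203.0.113.7", "198.51.100.99", "198.51.100.99"),
    ("203.0.113.7", "198.51.100.99", "203.0.113.7"),
    ("203.0.113.7", "198.51.100.99", "192.168.254.20"),
    ("203.0.113.7", "198.51.100.99", None),
]


def run_samples():
    """Return the classification for each constructed sample probe."""
    return [classify_probe(*s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample, "->", verdict)
```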