Debunking Mr Geoffrey Pereira’s claims on ‘IP spoofing’ – the technical aspects

EDITORS’ NOTE: The below article was posted by a reader to show why it is impossible for IP spoofing to be used to “grab” content from our site in this instance.

[Read our latest rebuttal to Mr Geoffrey Pereira's second article on 13 November 2009 here]

Now let's get down to the technicalities involved and examine the evidence before us:

TR Claims that:
1. TR's server logs indicated that an IP address belonging to SPH was grabbing or reading (NOT attacking) content from the site at the material time and date stated in the initial article.

2. The source IP address in the packets was traced back to one that belongs to SPH and verified with http://whois.domaintools.com/203.116.231.234

SPH’s Defense:
1. IP spoofing is a common tactic used in a DOS attack and in this case, the IP alleging to be from SPH is spoofed.

Without considering which idiot in the world would want to spoof ONLY ONE IP address to grab TR’s site and incriminate SPH, let’s get down to the technical aspects of IP spoofing.

IP spoofing in this instance is technically OUT OF THE QUESTION and NOT APPLICABLE. Reason being:

a. The history of HTTP GET requests shows that the website's content was retrieved in a sequential, structured fashion consistent with the website's site map.

In other words, the requesting computer knew which page to fetch next, so it must have been receiving the TR pages, and the URL links inside them, in the responses from the TR website.

With a spoofed source address that is impossible: the server's replies go to the spoofed address, not to the attacker. The attacker never even sees the server's SYN-ACK, so it cannot complete the TCP handshake, let alone receive page content and follow the links in it.

b. Information obtained from the hosting provider indicates that its hardware firewall uses Reactive Address Blocking (RAB). RAB tracks an address as it traverses the network and can associate that address with any number of violations.

One of the most useful functions of RAB is the monitoring of sanity violations, that is, an IP address breaking a strict conformity standard, such as attempting to spoof a source address or tampering with packet flags. This ensures that all packets coming from or passing through the network conform to strict TCP/IP standards.

Additionally, the firewall has SYN cookie support enabled. Put plainly, when the SYN backlog for a listening socket overflows, as in a sudden surge of traffic with many simultaneous connection attempts, the server stops queuing half-open connections and instead encodes a keyed hash of the connection details into the initial sequence number of its SYN-ACK (the "cookie"). The sending host must echo that sequence number, plus one, in its final ACK. If the ACK does not validate against the hash, the TCP handshake is never completed.

In short, a spoofed source cannot produce a valid ACK: the SYN-ACK carrying the cookie is sent to the spoofed address, not to the attacker, so the attacker never learns the value it must echo. The handshake is never completed, no HTTP request is ever received, and nothing appears in the server's access log. (The same holds when the backlog is not overflowing and ordinary handshake state is used: the attacker still never sees the SYN-ACK and would have to guess the server's randomised 32-bit sequence number.) The connections that were logged from the SPH address therefore cannot have come from a spoofed source.
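To make points (a) and (b) concrete, here is an added simulation of the three-way handshake with SYN cookies. It is example code written for this page, not anything from TR, its hosting provider or SPH; the Server and Network classes, the addresses (documentation ranges) and the cookie secret are all constructed for illustration. An honest client receives the SYN-ACK, echoes the cookie and gets its GET served and logged; a host forging another address never sees the SYN-ACK, can only guess the 32-bit sequence number blindly, and never gets a request into the access log.

```python
import hashlib
import hmac
import secrets

# Server-side secret for the cookie hash. Constructed for this example;
# a real implementation generates it at start-up and rotates it.
SERVER_SECRET = b"example-syn-cookie-secret"


def syn_cookie(src_ip, src_port, dst_ip, dst_port, epoch):
    """Derive the server's initial sequence number from the connection 4-tuple
    and a coarse time counter, so no per-connection state has to be stored.
    Simplified: real SYN cookies also pack an MSS index into the low bits."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{epoch}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class Server:
    """A web server under SYN-backlog pressure, answering every SYN with a cookie."""

    def __init__(self, ip, port=80):
        self.ip, self.port = ip, port
        self.epoch = 1            # coarse clock that advances every few seconds
        self.established = set()  # (src_ip, src_port) pairs with a completed handshake
        self.access_log = []      # what Apache would record: one entry per HTTP request

    def on_syn(self, src_ip, src_port, client_isn):
        # No backlog entry is created; the cookie *is* the state.
        cookie = syn_cookie(src_ip, src_port, self.ip, self.port, self.epoch)
        return {"seq": cookie, "ack": client_isn + 1}  # the SYN-ACK segment

    def on_ack(self, src_ip, src_port, ack):
        # Valid only if ack-1 is the cookie for this 4-tuple in the current or previous epoch.
        for epoch in (self.epoch, self.epoch - 1):
            if ack - 1 == syn_cookie(src_ip, src_port, self.ip, self.port, epoch):
                self.established.add((src_ip, src_port))
                return True
        return False

    def on_get(self, src_ip, src_port, path):
        # An HTTP request only exists on an established connection; only then is it logged.
        if (src_ip, src_port) not in self.established:
            return None
        self.access_log.append((src_ip, path))
        return 200


class Network:
    """Routes the server's replies to whoever owns the packet's source address."""

    def __init__(self):
        self.inboxes = {}

    def attach(self, ip):
        self.inboxes[ip] = []
        return self.inboxes[ip]

    def deliver(self, dst_ip, segment):
        self.inboxes.setdefault(dst_ip, []).append(segment)


def honest_fetch(server, net, client_ip, path, port=40000):
    """A real client at client_ip: sees the SYN-ACK, echoes seq+1, gets the page."""
    inbox = net.attach(client_ip)
    client_isn = secrets.randbelow(2**32)
    net.deliver(client_ip, server.on_syn(client_ip, port, client_isn))
    syn_ack = inbox.pop()
    if syn_ack["ack"] != client_isn + 1:
        return None
    if not server.on_ack(client_ip, port, syn_ack["seq"] + 1):
        return None
    return server.on_get(client_ip, port, path)


def spoofed_fetch(server, net, attacker_ip, spoofed_ip, path, port=40000, guesses=1000):
    """An attacker at attacker_ip forging spoofed_ip as the source: the SYN-ACK is
    delivered to spoofed_ip, so the attacker is blind and can only guess the cookie."""
    attacker_inbox = net.attach(attacker_ip)
    net.attach(spoofed_ip)
    client_isn = secrets.randbelow(2**32)
    net.deliver(spoofed_ip, server.on_syn(spoofed_ip, port, client_isn))
    assert attacker_inbox == []  # nothing ever comes back to the attacker
    for guess in range(guesses):  # blind guessing of a 32-bit sequence number
        if server.on_ack(spoofed_ip, port, guess + 1):
            return server.on_get(spoofed_ip, port, path)
    return None


def demo():
    net = Network()
    server = Server("192.0.2.10")  # constructed documentation address
    honest = honest_fetch(server, net, "198.51.100.7", "/2009/11/02/some-post/")
    spoofed = spoofed_fetch(server, net, "203.0.113.99", "198.51.100.8", "/2009/11/02/some-post/")
    return honest, spoofed, list(server.access_log)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(200, None, [("198.51.100.7", "/2009/11/02/some-post/")])`: the honest client's request is served and logged, the spoofed attempt never completes the handshake, so the spoofed address never appears in the log. Guessing 1,000 of 2^32 possible sequence numbers is the attacker's best blind effort; on a real host it would also be competing with RSTs from the machine that actually owns the spoofed address.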

2. Neither did anyone in SPH try to “grab” TR material in a way that would load its server; nor did any SPH staffer launch any attack on the server.

Having dispelled the suggestion that the IP was spoofed: the way the content was accessed is consistent with a search robot or a web grabber, i.e. software that archives a website so that it can be searched offline. While this is perfectly legal, some such software opens multiple sockets at once when downloading content, and CAN hog resources on the web server and slow other users' access.

It would have hogged the server's resources in this incident too, but it did not, because the software firewall on the server itself banned the offending IP address minutes into the activity, after that address exceeded 60 connects per minute, the threshold set by the system administrator.

Technically, had the server not been protected by a firewall and had it been poorly configured, requests in excess of 60 connects per minute WOULD HAVE brought the server down and that would technically be classified as an attack.
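The per-IP threshold described above can be checked after the fact against the Apache access log, which also records the User-Agent that identifies a grabber. The following is an added example written for this page, not TR's firewall rule or its real log data: it parses Apache combined-format lines, counts requests per client IP per calendar minute, flags any IP that exceeded the 60-per-minute threshold, and tallies the User-Agent strings each IP presented. The sample log lines are constructed, use documentation addresses only, and carry a made-up grabber User-Agent.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def requests_per_minute(lines):
    """Count requests per (client IP, calendar minute)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["ip"], rec["ts"].strftime("%Y-%m-%d %H:%M"))] += 1
    return counts


def offenders(lines, threshold=60):
    """IPs whose request rate exceeded `threshold` in some minute, with their peak rate.
    Mirrors the per-IP limit the article says the server's firewall enforced."""
    peak = defaultdict(int)
    for (ip, _minute), n in requests_per_minute(lines).items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > threshold}


def user_agents(lines):
    """User-Agent strings seen per IP; a grabber usually announces itself here."""
    agents = defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        agents[rec["ip"]][rec["ua"]] += 1
    return agents


def _combined(ip, ts, path, ua, status=200, size=4096):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'


# Constructed sample log: documentation addresses and an invented grabber UA,
# not the real log lines from the incident (which the article did not publish).
GRABBER_IP, READER_IP = "203.0.113.10", "198.51.100.7"
SAMPLE_LINES = [
    # one client walking the archive in site-map order: 75 hits inside a single minute
    _combined(GRABBER_IP, f"06/Nov/2009:10:15:{i * 4 // 5:02d} +0800",
              f"/2009/11/01/post-{i:03d}/", "ExampleSiteRipper/1.0")
    for i in range(75)
] + [
    # an ordinary reader: three pages over several minutes from a browser
    _combined(READER_IP, f"06/Nov/2009:10:{12 + 3 * k:02d}:17 +0800",
              f"/2009/11/02/post-{k}/", "Mozilla/5.0 (Windows NT 5.1; rv:3.5) Gecko Firefox/3.5")
    for k in range(3)
]

if __name__ == "__main__":
    print(offenders(SAMPLE_LINES))
    for ip, agents in user_agents(SAMPLE_LINES).items():
        print(ip, agents.most_common(1))
```

One caveat when comparing this with a firewall's connection counter: the access log counts HTTP requests, and with keep-alive one TCP connection can carry several of them, so the log-derived rate is an upper bound on connections per minute, not the same number the firewall saw. The User-Agent is also trivially forgeable, so it identifies the tool only when the client does not bother to disguise it.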

The bottom line is that SPH will have to come up with a better explanation than a blanket denial that pins the blame on a spoofed IP.


23 Responses to “Debunking Mr Geoffrey Pereira’s claims on ‘IP spoofing’ – the technical aspects”

  • dogbert:

    Yawn. You TR folks are just so jumpy. Between TR and SPH, it seems like TR is so high-strung…

    First, what are TR's accusations about SPH? What exactly is TR insinuating about SPH? Publishing articles that have a title with DDOS and SPH in the same breath seems like an assertion towards SPH of the same, or just a sly means of trying to entrap SPH. Yawn, to all the TR attempts to take evasive action in avoiding a claim of DDOS by SPH. That, and the mention of the Computer Misuse Act.

    Come clean, if TR is making an assertion about SPH, be clear what it is. Is TR stating that there was a DDOS attack by SPH, that took down the server or slowed it down? TR better have the data on this. If SPH is really using a spider to archive TR materials, so what? If the point is that bandwidth is being hogged by SPH, then TR had better make its claims clear and specific. I see no reason why SPH should spend much resources tracking any additional information, unless TR is clear in what its complaint is. Why should SPH bear any brunt of effort in investigating, when TR's complaint is not at all clear? If TR's complaint is merely that SPH reads TR, so what? Or even if SPH has a spider that reads the TR site, so what? Get real, and focus on the complaint and the implications. Otherwise, TR had better just suck it up, get the advertising revenue up, and get better hardware/bandwidth in place.

    At the very least, TR is milking this well for its own benefit and agenda.

  • orange:

    Please post the logs so that we can see the timestamps and user agents.

    I think I read somewhere else that the rate of requests was about 100 per minute. If so, I disagree that those requests “WOULD HAVE brought the server down and that would technically be classified as an attack”. 100 per minute is simply not that high that you should be so certain that it would overwhelm the typical webserver.

  • Steve Wu:

    Well, well. The fact that Geoffrey Pereira is not a techie has worked against him; I have little doubt that he is lying.

    Let’s set aside the doubts about IP spoofing and the hit rates for the time being. There is other damning evidence.

    I understand that TR uses Apache, so the HTTP header called User-Agent for each request is logged by default (check e.g. /var/log/httpd/access_log). If Pereira and his colleagues were just casually browsing TR as he claimed, the User-Agents which were logged would consist of normal browsers like IE, Firefox, etc. There should be no spiders and other creepy crawlies.

    It will be easy to confirm if Pereira is lying. In fact, one may even identify the type of spider that SPH uses, being armed with a more complete list of User-Agents found at
    http://www.user-agents.org/ .

  • nutty:

    Admin, you want us (the readers) to draw some sort of conclusion based on your claims and partial logs with no date/time stamp. Well, I give you my own conclusion:

    a. your article has misled a number of users (based on some of the users' comments) into thinking that SPH is performing a DOS.

    b. you are wasting our time here. Surely you can settle such an incident directly with SPH. Maybe you have another agenda (if yes, care to explain?)

    c. you should spend more time and effort reviewing your systems and network. A good point to start with is to understand the challenges of the Internet world (if you can't even handle web grabbing, let alone DOS or, worse, DDOS).

    d. you said that your firewall helped to mitigate SPH's web grabbing, which might have impacted your server, and that web grabbing is legal. So what is really the issue here?

  • @ ALL, My understanding is this:

    No allegations were made to SPH having attacked TR by any means.

    TR made a statement that SPH is grabbing TR’s entire site and is asking WHY? PERIOD.

    @orange, since I have already replied to your other post on the same topic, I won't repeat myself here. The fact remains that (since you insisted on no date/time stamp), at a certain date and time, someone or something using an SPH IP grabbed TR's contents.

    Let's leave the date and time out of our discussion; then would you agree that an IP address purporting to be from SPH DID at some date and some time grab TR's contents?

    The time and date is not a factor to the claims issued by TR. The act itself of grabbing is, it can be last year, can be 10 years ago, it doesn’t matter.

    So please stop playing like an old broken record and insisting on date and time; it's totally irrelevant.

    @Steve Wu, you are correct to say that. TR is using apache and the access is logged with more information than released, including the USER AGENT of course.

    SPH is a corporate GIANT and I doubt the admins at TR, being graduates themselves, will be so stupid as to 'take on' SPH and their panel of experts without SOLID PROOF backed by their hosts and DC.

    The reason why TR is not releasing the relevant server log and firewall log is I believe, because TR wanted merely to know WHY SPH was doing that and give SPH a chance to explain themselves and come clean and be ’steady’ about it. There is nothing legally illegal about what that someone or something at SPH did.

    TR, by releasing the relevant log prematurely, IF coupled with a written statement from their Data Centre and/or host, would be tantamount to calling SPH a liar straight to their face, since they have OPENLY DENIED TR's claims.

    You said: It will be easy to confirm if Pereira is lying. In fact, one may even identify the type of spider that SPH uses.

    True indeed and the log certainly DID NOT show RedNano or BlackNano, not even browser of sort. Guess what the user agent was? :) Oh by the way, TR uses cPanel, so the apache logs would be located at /usr/local/apache/logs. :)

    Anyway, knowing how the system works, SPH will die die NOT ADMIT and will continue to die die DENY. I, for one, am eager to see what response (if any) SPH has to the latest article. More wayangs? More spins?

    In my opinion, TR has already built up a prima facie case against SPH since the snapshot clearly shows that SPH did in fact grab TR's site (which was the gist of TR's claim). As long as there was such an incident, WHAT, WHO or WHEN is of no relevance.

  • Realistic:

    TO AVOID DOUBT, MAYBE SPH COULD INSTRUCT THEIR EMPLOYEES NOT TO VISIT TR SITE FROM THEIR WORKPLACE henceforth.

    I am not remotely a techie. Just passing by, and 1 cent of opinion to close this chapter.

  • WatchSG:

    Sinkapore aka XisdTay,

    The earlier TR article said that it was SPH's grabbing that caused TR to be down for 8 hours. That means SPH's action had caused TR's services to be down. In other words, SPH had caused TR's services to be denied to the public. Right?

    Anyway, no point making noise and clarifying here. Since TR had also surfaced the computer misuse act. Why not just report to the police? Let them investigate, I’m sure the findings will be acceptable to all especially the readers. Unless all these noise is just another wayang again?

  • McNair Orly:

    “SPH’s Defense:
    1. IP spoofing is a common tactic used in a DOS attack and in this case, the IP alleging to be from SPH is spoofed.”

    While something may be done in 2 ways or more, does it necessarily have to mean that the DOS was not coming from SPH?

    To illustrate my question:

    A person can get an infection for 2 reasons or more, 1 being from kissing while 2 being from needles.

    Does this necessarily mean the infection is due to ONLY kissing?

  • nutty:

    Sinkapore wrote: "In my opinion, TR have already built up a case against SPH since the snapshot clearly shows that SPH did in fact grab TR's site. As long as there was such an incident, WHAT, WHO or WHEN is irrelevant to TR's claims."

    I totally disagree with the statement above. When TR first posted the article, I believe it mentioned the incident happening within a period of time. How can you say that the date/time of occurrence is irrelevant?

    TR, if your objective is just to know why SPH is web grabbing your website, I guess you are really wasting all our time here.

  • Googler:

    Just my speculation – could this one Geoffrey Pereira be the one responsible for the DDOS attack on TR? Therefore SPH has gotten him to write the article instead of responding directly in order to distance themselves?

  • @ nutty, the time and date have been provided in the article, although I still think it is irrelevant to the claims by TR. As long as an IP address from SPH did grab TR's site, then they, i.e. TR, have cause to ask WHY.

    I would want to know WHY someone would be grabbing my ENTIRE SITE even though the articles are meant for Public Viewing, wouldn't you?

    @WatchSG, NO, TR never claimed that SPH caused their server to go down for 8 hours. The article merely mentioned that their servers were down for 8 hours and proceeded to define what is DDoS.

    The link to the article is here: http://www.temasekreview.com/2009/11/02/sph-and-recent-ddos-attack-on-temasek-review/

    You suggested that TR make a police report so that the matter can be investigated. Legalities aside, you got to be joking when you expect us, the readers to believe that the police will ACTUALLY INVESTIGATE SPH? We weren’t born yesterday!

    Besides, the act itself is perfectly legal unless it was done with malicious intent (how to prove intent?).

    @McNair Orly, true, but there is NO CREDIBLE EVIDENCE that the DDoS originated from SPH. Even if it did, SPH would most probably die die deny or push the blame to a compromised workstation.

    Again the issue of ‘malicious intent’ comes into play and EVEN IF the DDoS was from SPH, a compromised workstation would at most result in a ‘warning’ from the ISP, certainly not taken to task under the CMA.

    SPH will NEVER apologise or come clean, we have seen their attitude from the ISD Yoong fiasco.

    @Googler, its anyone’s guess.

  • suk hoi:

    Comforting for TR readers to know the truth.

  • nutty:

    Dear Sinkapore,

    I am not an advocate of web grabbers, but there are many reasons why web content grabber software exists in the first place. So is TR going to post the IP of every user who web-grabs your entire site, each time you detect one, and demand an explanation? I think there are better ways of handling this.

  • Hello nutty, if it had been anybody else, the firewall would have taken care of the issue with no bells ringing.

    In this case, it was SPH, the media corporate GIANT with tons of journalists, tons of articles, tons of cash, tons of ….

    Think ………..

    @Realistic, it is easier for the admins of TR to ban SPH’s range of IP addresses from its server but they are unwilling to do so since all legit and genuine readers are welcome.

    Banning and sweeping the matter under the carpet is never a viable solution, coming clean is.

  • English Writer:

    As a Temasek Review customer, I hope TR editors and writers can do readers the basic professional courtesy of proofreading their articles for English mistakes before posting them online.

    If TR aims to be taken seriously as a credible online news portal, it must eradicate its grammar and spelling mistakes.

    Typos in this article include ” Now lets down to the technicalities…” and “Bottomline is, SPH will have to come up with a better explaination ”

    Another one I spotted in the previous Geoffrey Pereira’s article written by a TR editor was ” Now before we BEGAN…”.

  • Hi English writer, the above article is not written by TR staff, but contributed by a reader. We will make the necessary corrections.

  • admin,

    your dateline at the beginning states “November 6, 2009 by admin”

    Who is admin? one of the readers?

    why not just indicate the user’s handle then? avoid the ambiguity.

  • Hi forget it,

    The message was originally posted as a comment in another thread here:

    http://www.temasekreview.com/2009/11/06/a-rebuttal-to-sphs/comment-page-2/#comment-39622

    The admin cut, pasted and reproduced it as another article on its own because it felt it would help to explain the technical aspects of IP spoofing, which we are not familiar with.

    Hope that clarifies.

  • So, there is no such word as ‘technicalities’? :(

  • Omega Lee:

    I am having a lot of problems accessing the site via Starhub without a proxy, despite using OpenDNS. The website loading is very slow. Is this a sign of open sabotage? I would email TR for more details.

  • Watcher:

    Seems like there are some supporters of the establishment trying very hard to defend the establishment.

    To dogbert & nutty -> everyone is entitled to say his/her part. TR is being very open and is posting all evidence and technical information to prove TR's point. The fact is SPH is avoiding rebuttal. So, why aren't you guys/gals at SPH's throat? Because you guys/gals are just their agents? Come clean, please.

  • dogbert:

    To watcher -> TR is open, but not clear at all in its case, or complete in its evidence. I have no reason to be at SPH’s throat, or at TR’s – I use both as channels for information, albeit TR as an alternate opinion, rather than for comprehensive breadth. SPH & TR play in different spaces to a news consumer like me. Starting with personal attacks to impute ill motives to someone who disagrees with you is merely the sign of immaturity in cyberspace.

    What is TR’s case and agenda? To illustrate that SPH users have accessed TR’s site? SPH has added facts to that – 25 pax. To get a remedy for TR downtime on the basis that SPH contributed to it? Not clear at all what TR downtime was – the log as released in no way demonstrates that anyone caused downtime – was it 100 requests in 1 min / 1 s that caused TR’s site to go down? Or was it 2000 or 20000? If anything, provision of such data will give readers a sense of the scale, rather than the ticky-tacky i said, you said, he did, i did, type of conversation going on. And even if there was 20000 requests from SPH (can’t imagine how many articles there are at TR), were there 80000 other requests? What’s the distribution of requests? Give us some stats to assess the credibility of TR’s assertions. Besides, even if SPH has a corporate policy of getting records of various web-sources, and has TR on its list, this seems to be perfectly legal (as far as i understand computer usage) and morally acceptable except when damage is caused. After all, i could imagine Google or yahoo or any other range of web spiders accessing TR’s website regularly to archive/update copies in their cache. What’s the big deal about SPH, or MDA, or MHA, or any other group, that TR’s management is highlighting this (and wasting our attention)? TR needs to be specific on what damage was caused, and on the strength of the causal relationship and involvement of SPH.

    Dragging this complaint out suggests that TR isn't truly interested in gaining a remedy for its supposed loss. Or that it has an agenda to pursue (understandable as an alternative voice against the incumbent). Or that TR's data is insufficiently credible. Or that it is milking the issue. As a reader interested in news and issues, this is getting to be old pat. I want real economy issues on jobs, housing, poverty, life in Singapore, rather than ticky-tack IT matters for the next week running. Get real issues in front of citizens and ministers to contemplate and solve. Getting offtrack on this represents a potential danger for TR and its readership.

  • @dogbert.

    It was a simple issue initially which would not have dragged to this extent if SPH had come clean and just admit that someone or something was indeed grabbing or ripping TR’s site.

    TR is not claiming damages, not looking at taking this action any further than just a simple clarification.

    Instead of just admitting that, a journalist from SPH twisted TR’s words and accused TR of lying and making false allegations.

    Under the circumstances, TR has no choice but to retaliate and debunk the allegations. Can’t blame them.
