On Mon, 1 May 2006 12:50:04 -0700, "radish" <[EMAIL PROTECTED]> said: > > peter Wrote: > > IP > > filters are impenetrable without attackers having cracked his (or her) > > ISP first and then it's not just you who's in trouble. > > Could you explain this? I've seen you state it a few times in other > threads, and I'm not sure I believe it. I'm not a security expert, but > I play one on the weekends. > > For those who are interested, this page : > http://www.securityfocus.com/infocus/1674 gives a nice overview of IP > spoofing. Having some form of "control" of any specific ISP or network > is certainly not a pre-requisite.
In practice all ISP routers have (or should very much have) ingres/egress filtering. This means that incoming packets with an inside source address and outgoing packets with an inside source address are blocked omn the routers. This makes spoofing very hard on the attacker, because the attacker should be able to transmit packets with a source address outside of his own range (that's the point). So to be able to send IP packet with a forged source address is already quite hard. If you manage to do this anyway, you are able to send spoofed IP packets, spoofed UDP packets to your victim. Just don't expect a reply, because the reply packets will be returned to the spoofed address over which you have no control unless you are able to reprogram the routers on the way which is about as hard as getting on the ISP's 'lan'. It is possible to use spoofed UDP packets to attack (trigger a buffer overflow) because the UDP packets are passed on by the TCP stack to the server software. A malformed UDP packet with a spoofed IP address could be used to attack a DNS server via a buffer overflow. As I see it, in the case of a connection oriented protocol like TCP (which is what we're talking about here) it is impossible to gain access to the application (slimserver) by just sending packets and ignoring the replies. For the TCP connection to work the handshake must be completed. AFAIK there's no way around this. Session hijacking as described in the article is only possible when you're on the same subnet or somewhere in the data path. Spoofed TCP setup packets are very popular in DOS attacks of course, but they work without replies. Then if (and I don't think that's possible) you get access to slimserver, you'd have to be able to gain access to the system beyond slimserver. This is usually done through buffer overflows, which, in the case of a Perl application are rather unlikely IMO. Perl (as a language) has dynamic memory allocation, so there'd have to be a bug in the Perl runtime itself. It's possible I guess... And of course, we'd need a hacker. One that not only knows you're running slimserver but also knows on what port (ok, he could just try all of them) and what IP addresses you have given access. And he'd need a motive. > What I would agree with, however, is that IP spoofing is hard, and to > be quite honest the risk of someone taking the trouble to attack your > slimserver is pretty remote. I'd still use a tunnel though, as I don't > find them hard to setup and it's better to be safe than sorry. I'd like to hear how a spoofing attack against a filtered router TCP port could work, if you know of a way. If you do, I'll be glad to open up a port on my router, supply you with all the necessary info and wait for you to take over control of my living room Squeezebox. I'll give a Squeezebox to the first person who manages to do that ;) Regards, Peter _______________________________________________ discuss mailing list discuss@lists.slimdevices.com http://lists.slimdevices.com/lists/listinfo/discuss
