On the contrary, something over 90% (and it could easily be over 99%...) of routers never even look at SOURCE addresses. (Luckily, it only takes ONE that does, on the path between the attacker and you, to block this.) Making a TCP connection with a spoofed source address is hard anyway, and with the loopback address spoofed it's impossible. But TCP is not the only choice; UDP doesn't need or expect a return connection, and sometimes a single packet is all you need. (The Slammer worm used a single UDP packet. It didn't bother to spoof the source, but if it had it would still have been effective.)
David Gillett

> -----Original Message-----
> From: chris [mailto:[EMAIL PROTECTED]
> Sent: July 27, 2003 11:39
> To: [EMAIL PROTECTED]
> Subject: Re: Trusting localhost?
>
> In-Reply-To: <[EMAIL PROTECTED]>
>
> Well IP spoofing is still very very effective. But the
> chances of someone from the internet spoofing a 127.0.0.1
> source address in a packet and that packet actually making
> it to you is HIGHLY unlikely. Any correctly configured
> router should drop this packet because of its source address.
> Someone from inside the LAN might be able to exploit it
> somehow/someway but the chances are extremely low. There
> should be no real reason to go to great lengths to ensure the
> validity of the packets as the chances of someone spoofing
> with this source address and actually exploiting your
> application are like I said really low.
>
> --chris
> http://elusive.filetap.com
>
> >Date: Fri, 25 Jul 2003 07:44:43 -0700 (PDT)
> >From: Craig Minton <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Trusting localhost?
> >
> >If you are creating an application that communicates using TCP, but only
> >want to take requests from the localhost, are there reasons why you
> >would not want to check that the incoming request is from localhost and
> >then trust it? This is in a Windows environment. Would IP spoofing
> >work if the application was checking for the IP address 127.0.0.1? If
> >so, how likely is it that IP spoofing would work today, in a corporate
> >environment?
> >
> >Thank you for any direction you can provide.
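
An added example, not part of the original thread: for the TCP case Craig asks about, one way to avoid depending on a source-address check alone is to bind the listener to 127.0.0.1, so the service has no listening socket on any external interface, and then confirm that both endpoints of each accepted connection are loopback. The function names are illustrative assumptions, and the client in `demo()` is a constructed local test connection.

```python
import ipaddress
import socket

def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x.x.x)."""
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)       # only IPv6 addresses have this
    return (mapped or ip).is_loopback

def make_local_listener(port: int = 0) -> socket.socket:
    """Listen on 127.0.0.1 only; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))                   # not "0.0.0.0" / ""
    srv.listen(5)
    return srv

def exposure(sock: socket.socket) -> str:
    """Report which local addresses a bound socket is reachable on."""
    host = sock.getsockname()[0]
    if host in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "loopback-only" if is_loopback(host) else "single-interface"

def accept_local(srv: socket.socket, timeout: float = 2.0):
    """Accept one connection; keep it only if BOTH endpoints are loopback.

    The peer address is what the question proposes checking; the local
    address shows which of our own addresses the connection arrived on.
    """
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    local = conn.getsockname()
    if is_loopback(peer[0]) and is_loopback(local[0]):
        return conn
    conn.close()
    return None

def demo() -> bytes:
    """Constructed round trip: a local client talks to the loopback listener."""
    srv = make_local_listener()
    cli = socket.create_connection(srv.getsockname(), timeout=2.0)
    conn = accept_local(srv)
    cli.sendall(b"ping")
    data = conn.recv(4)
    for s in (cli, conn, srv):
        s.close()
    return data

if __name__ == "__main__":
    print(demo())
```

For a UDP service the address returned by `recvfrom()` is simply the source field of the datagram, which is the single-packet case the reply above describes, so the bind address matters even more there.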
