Christopher Schultz wrote:

Paul,

On 4/30/15 3:24 AM, Paul Klinkenberg wrote:
I never knew the remote_addr could not be trusted, but I believe
you at once when you say so.

I thought it was taken from the actual socket connection. With the exception of AJP, by the way, where it is programmatically changed to reflect the remote client while handling the HTTP call. Out of curiosity, could you shed some light as to why the remote_addr is not to be trusted in a regular HTTP request?

The client can spoof the source IP in the packet headers.


This is not on-topic, but since the point has been raised, and since there are many smart people on this list...

I am probably not very clever in a hacking kind of way, but I have never been able to figure out how a client could make use of this to actually achieve something with TCP.
Setting up a TCP connection requires a couple of packet exchanges *back and forth*.
So, the client can indeed send a first SYN packet to a server, with a spoofed origin IP address. But then the server would return the ACK packet to that spoofed IP address, which is presumably not the real client's one, wouldn't it?
What good would that be to the malevolent client?
Unless the point is only to flood a server's TCP stack with connection requests which never can get completed...
If anyone has a clue as to how this can be really exploited, I'm eager to learn.

