RE: Spoofing an IP over the internet

[Philip Wagenaar <pb.wagenaar () chello nl>]

Hi, I have a few comments, I added them in between your lines

> -----Oorspronkelijk bericht-----
> Van: Simon [mailto:simon () xhz ca]
> Verzonden: maandag 22 november 2004 6:50
> Aan: security-basics () securityfocus com
> Onderwerp: Spoofing an IP over the internet
>
> Hi there,
>    I'm fairly new to this list and I'm very interested in security.  I'm
> currently programming a set of security functions to make a very strong
> authentication with PHP and MySQL.
>
>    These functions deal with all the problems Web Application are prone to
> and
> will make sure the process is done quickly and securely.
>
>    Then, to use it, you would just need a MySQL database, a PHP file and
> just
> add two lines of code.  With the first use, the administrator can create
> all the
> security script needs to proceed, etc...  Then the admin can set the
> security
> level, currently either IDENTIFY or AUTHENTICATE.
>
>    I'm currently working in dealing with a possible DoS attack, where the
> user
> would send TCP/IP packets to the webserver with different information.
> Currently, I create a new Session ID if the pair [IPaddress/UserAgent] is
> not
> found.  It would be easy for a hacker to just set UserAgent to an
> incrementing
> number, until the disk is filled with sessions.  However, it would be very
> simple to just verify that one IP cannot have more than one UserAgent
> associated
> with it.  And report by email a digest of all the problems in the last 10
> minutes...

You can only really stop a DoS attack at a network router outside your own
network.


>    Now comes my Critical question.  Can an IP address be
> spoofed/forged/manipulated by someone on the internet?

Not anymore, only inside your network. However crackers and hackers rarely
use their own IP, they always use a another victim host to attack another
system

>    I've read about IP spoofing and it seems that the hacker would need to
> be in
> my LAN to do such action.  So I was wondering if it was possible to change
> an IP
> address at will over the internet before opening a TCP/IP connection?

Like you said, only in your LAN. Most networks don't allow spoofing IP's
anymore.

>    If it's not possible, then I believe my anti-DoS process is fairly
> strong.

A DoS attack is simply consuming all the bandwidth you have. So as long as a
hacker sends enough packets you can't stop it. Using your approach you will
probarly also consume 100% cpu time.

> But if it is possible, then I would like to know how a hacker can proceed
> (Does
> he needs to be an ISP or can an end user do it?  Are ISPs checking this?
> What
> about the law and IP spoofing?  Is there a way beyond this point where I
> can
> trust something on the internet?)

If you want to secure your webapplication, try looking into client
certificates. This way you can authenticate the user.

>    Say for example, that I somehow determine the webserver is currently
> serving
> a user with a spoofed IP, what can I do to trust other visitors?  What can
> I do
> to get more information on this hacker for further investigation?

How can you determine if an IP is spoofed?

> If you could direct me to some litterature on the internet about spoofing
> IPs on
> the internet, that would be very much appreciated, then if I can
> understand how
> a hacker would proceed I will change my Security mechanism to deal with
> such a
> possibility.
>
> Oh and btw, I will release the source code of the security engine so that
> people
> can read and verify it.  Then I was thinking on possibly asking a
> commercial
> auditing company to check a test site for possible security flaws and this
> way I
> could put some sort of Guarantee on the script (the guarantee comming from
> the
> experts).
>
> Thanks in advance,
>    Simon

Overall I think if you want to secure your webapplication, you need to
authenticate your users using certificates or VPN. And ignore which IP they
are using.

Philip Wagenaar

http://www.wagenaar.123.nl

----------------------------------------
My Inbox is protected by SPAMfighter
2069 spam mails have been blocked so far.
Download free www.spamfighter.com today!