Security Basics mailing list archives
RE: Spoofing an IP over the internet
From: Philip Wagenaar <pb.wagenaar () chello nl>
Date: Mon, 22 Nov 2004 23:16:11 +0100
Hi, I have a few comments, I added them in between your lines
-----Oorspronkelijk bericht----- Van: Simon [mailto:simon () xhz ca] Verzonden: maandag 22 november 2004 6:50 Aan: security-basics () securityfocus com Onderwerp: Spoofing an IP over the internet Hi there, I'm fairly new to this list and I'm very interested in security. I'm currently programming a set of security functions to make a very strong authentication with PHP and MySQL. These functions deal with all the problems Web Application are prone to and will make sure the process is done quickly and securely. Then, to use it, you would just need a MySQL database, a PHP file and just add two lines of code. With the first use, the administrator can create all the security script needs to proceed, etc... Then the admin can set the security level, currently either IDENTIFY or AUTHENTICATE. I'm currently working in dealing with a possible DoS attack, where the user would send TCP/IP packets to the webserver with different information. Currently, I create a new Session ID if the pair [IPaddress/UserAgent] is not found. It would be easy for a hacker to just set UserAgent to an incrementing number, until the disk is filled with sessions. However, it would be very simple to just verify that one IP cannot have more than one UserAgent associated with it. And report by email a digest of all the problems in the last 10 minutes...
You can only really stop a DoS attack at a network router outside your own network.
Now comes my Critical question. Can an IP address be spoofed/forged/manipulated by someone on the internet?
Not anymore, only inside your network. However crackers and hackers rarely use their own IP, they always use a another victim host to attack another system
I've read about IP spoofing and it seems that the hacker would need to be in my LAN to do such action. So I was wondering if it was possible to change an IP address at will over the internet before opening a TCP/IP connection?
Like you said, only in your LAN. Most networks don't allow spoofing IP's anymore.
If it's not possible, then I believe my anti-DoS process is fairly strong.
A DoS attack is simply consuming all the bandwidth you have. So as long as a hacker sends enough packets you can't stop it. Using your approach you will probarly also consume 100% cpu time.
But if it is possible, then I would like to know how a hacker can proceed (Does he needs to be an ISP or can an end user do it? Are ISPs checking this? What about the law and IP spoofing? Is there a way beyond this point where I can trust something on the internet?)
If you want to secure your webapplication, try looking into client certificates. This way you can authenticate the user.
Say for example, that I somehow determine the webserver is currently serving a user with a spoofed IP, what can I do to trust other visitors? What can I do to get more information on this hacker for further investigation?
How can you determine if an IP is spoofed?
If you could direct me to some litterature on the internet about spoofing IPs on the internet, that would be very much appreciated, then if I can understand how a hacker would proceed I will change my Security mechanism to deal with such a possibility. Oh and btw, I will release the source code of the security engine so that people can read and verify it. Then I was thinking on possibly asking a commercial auditing company to check a test site for possible security flaws and this way I could put some sort of Guarantee on the script (the guarantee comming from the experts). Thanks in advance, Simon
Overall I think if you want to secure your webapplication, you need to authenticate your users using certificates or VPN. And ignore which IP they are using. Philip Wagenaar http://www.wagenaar.123.nl ---------------------------------------- My Inbox is protected by SPAMfighter 2069 spam mails have been blocked so far. Download free www.spamfighter.com today!
Current thread:
- Spoofing an IP over the internet Simon (Nov 22)
- Re: Spoofing an IP over the internet Alexander Klimov (Nov 22)
- Re: Spoofing an IP over the internet Simon (Nov 26)
- Re: Spoofing an IP over the internet Nuno Costa (Nov 27)
- Re: Spoofing an IP over the internet Simon (Nov 26)
- RE: Spoofing an IP over the internet Philip Wagenaar (Nov 22)
- RE: Spoofing an IP over the internet David Gillett (Nov 23)
- Re: Spoofing an IP over the internet Simon (Nov 24)
- Re: Spoofing an IP over the internet Simon (Nov 26)
- RE: Spoofing an IP over the internet David Gillett (Nov 23)
- <Possible follow-ups>
- RE: Spoofing an IP over the internet Steven Trewick (Nov 27)
- Re: Spoofing an IP over the internet Alexander Klimov (Nov 22)