Bugtraq mailing list archives

Re: [RAZOR] Linux kernel IP masquerading vulnerability


From: Darren Reed <avalon () coombs anu edu au>
Date: Tue, 31 Jul 2001 10:27:34 +1000 (Australia/NSW)

The IRC DCC/CTCP protocol is not at all well suited to any sort of
proxying.  For starters, the "control channel" is a connection to
an IRC server - not the other client to which you wish to connect.
This prevents the proxy from having any clues about what the
incoming host's IP address MIGHT be, never mind what it WILL be.

So even if you have a legitimate IRC protocol being snooped on by the
proxy, you still have NO idea about who/what should be allowed to make
an inbound connection.

IF all IRC servers returned COMPLETE information in response to queries
such as WHOIS, you could set up an inbound whatever for the expected
source address of the other client.  This does not work universally
because a bunch of servers that have your privacy in mind (*cough*
*splutter*) will hide the first segment of a hostname or last octet
of an IP address.

In short, DCC is much worse than FTP to proxy.  Someone should come up
with a CTCP protocol extension that results in both parties knowing
what the other end of the connection is going to be before any attempt
to make it is made.

Darren
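To make the point above concrete, here is an added example (not Darren's code, and not any kernel or proxy implementation) of what a masquerading gateway actually sees when an inside client offers a DCC transfer. The message layout follows the usual CTCP DCC convention (SEND/CHAT carry the offering client's address as a 32-bit decimal plus a TCP port) and the RPL_WHOISUSER (311) reply format; the nicks, hosts, ports and addresses are constructed sample data. It shows the one thing the gateway can do (rewrite the advertised private address to its own and hold a port open) and the thing it cannot do (know which source address will connect), including the case where WHOIS returns a cloaked or masked host.

```python
# Added example: what an IRC masquerading gateway can and cannot learn from
# a DCC offer.  Not from the original post; all sample lines are constructed.
import re
import socket
import struct

# Client -> server: PRIVMSG <nick> :\x01DCC SEND <file> <ip> <port> [<size>]\x01
#                   PRIVMSG <nick> :\x01DCC CHAT chat <ip> <port>\x01
DCC_RE = re.compile(
    r"^PRIVMSG (?P<target>\S+) :\x01DCC (?P<kind>SEND|CHAT) (?P<arg>\S+) "
    r"(?P<ip>\d+) (?P<port>\d+)(?: (?P<size>\d+))?\x01$"
)
# Server -> client RPL_WHOISUSER: :<server> 311 <me> <nick> <user> <host> * :<realname>
WHOIS_RE = re.compile(r"^:\S+ 311 \S+ (?P<nick>\S+) \S+ (?P<host>\S+) \* :")

# Constructed sample traffic (private host 192.168.1.101 offering a file).
SAMPLE_OFFER = "PRIVMSG bob :\x01DCC SEND secrets.txt 3232235877 5000 1234\x01"
SAMPLE_WHOIS_CLOAKED = ":irc.example.net 311 alice bob ~bob cloak-1A2B3C.example.net * :Bob"
SAMPLE_WHOIS_MASKED = ":irc.example.net 311 alice bob ~bob 198.51.100.x * :Bob"
SAMPLE_WHOIS_FULL = ":irc.example.net 311 alice bob ~bob 198.51.100.25 * :Bob"


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def ip_to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def parse_dcc(line):
    """Return the DCC offer carried by an outbound PRIVMSG, or None."""
    m = DCC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "target": m.group("target"),
        "kind": m.group("kind"),
        "ip": int_to_ip(int(m.group("ip"))),
        "port": int(m.group("port")),
    }


def masq_dcc_offer(line, public_ip, public_port):
    """
    Rewrite an inside client's offer so it advertises the gateway's address,
    and return the inbound expectation the gateway must now hold.  The only
    identity in the offer is the target *nick*; nothing tells the gateway
    which IP address will connect to public_port, so peer_addr stays None.
    """
    offer = parse_dcc(line)
    if offer is None:
        return line, None
    rewritten = DCC_RE.sub(
        lambda m: "PRIVMSG %s :\x01DCC %s %s %d %d%s\x01" % (
            m.group("target"), m.group("kind"), m.group("arg"),
            ip_to_int(public_ip), public_port,
            " " + m.group("size") if m.group("size") else ""),
        line.rstrip("\r\n"))
    expectation = {
        "listen": (public_ip, public_port),
        "forward_to": (offer["ip"], offer["port"]),
        "peer_nick": offer["target"],
        "peer_addr": None,  # unknown: the gateway must accept from any source
    }
    return rewritten, expectation


def whois_host(reply):
    """Host field from a 311 WHOIS reply, or None if the line is not one."""
    m = WHOIS_RE.match(reply.rstrip("\r\n"))
    return m.group("host") if m else None


def is_complete_ip(host):
    """True only for a full dotted quad, i.e. something the gateway could
    use to restrict the inbound connection.  Cloaked hostnames and masked
    octets such as 198.51.100.x are not usable."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


if __name__ == "__main__":
    new_line, exp = masq_dcc_offer(SAMPLE_OFFER, "203.0.113.7", 40000)
    print("rewritten offer:", new_line.replace("\x01", "^A"))
    print("gateway expectation:", exp)
    for reply in (SAMPLE_WHOIS_CLOAKED, SAMPLE_WHOIS_MASKED, SAMPLE_WHOIS_FULL):
        host = whois_host(reply)
        print("WHOIS host %-28s usable as source filter: %s" % (host, is_complete_ip(host)))
```

The rewrite step is all a masquerading module can do with the offer; the expectation it records has a listening socket, a forwarding target and a nick, but no peer address to filter on. Only the last WHOIS sample gives a full address, and that depends on the server not hiding the host.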

