WebApp Sec mailing list archives

Re: Tying a session to an IP address

From: exon <exon () home se>
Date: Mon, 10 May 2004 22:57:39 +0200

Mark Foster wrote:

Scovetta, Michael V wrote:
..."I'd say it doesn't do diddly squat to add to security, since it'strivial to spoof ones address."
Is that really true? Is it trivial to spoof an arbitrary, specific
address? Can you make my traffic log think that you came from158.4.24.21? Or 127.0.0.1? I agree that within a subnet or behind
a hacked router, sure, but at some point a router in the downline is
going to say, "WTF! I don't know about the 158.4 subnet, screw that!"

Unless I totally misunderstand the issues at hand in spoofing IPs...
Spoofing an IP address in a UDP packet really is trivial.
Spoofing an IP address in a TCP packet is also trivial, however with TCPyou have a "session" which relies and sequence numbers and windows forpacket-reassembly on the receiving end. So hijacking a HTTP session froma spoofed address is not nearly as trivial since you'd need to know whatthe sequence number and window sizes are for each packet in thetransmission.

Hijacking a session is quite a different thing than simply spoofing onesaddress, and for a HTTP session it would be even more so, consideringthe fact that it is a stateless protocol (I'm not considering layer 7stuff here), and that the data going TO the server generally is quitesmall (i.e. few packets for guessing seq-number).

Even then it would be a one-sided conversation.

Naturally it would be oneway, unless the spoofing failed.

However I wonder if there are tools out there that make this type ofhijack possible and maybe even easy?


Probably not, for a number of reasons;

1. HTTP is a stateless protocol, which makes hijacking near enoughimpossible anyways.2. Hijacking requires you to be able to intersect the packets somewherebetween A and B.3. Hijacking is more difficult nowadays, since seq-numbers hop aroundmore than the original SEQ++; routine used in older code. It IS stillpossible to make calculated guesses at what next seq will be, but it'sdefinitely far from trivial.


/exon

Current thread:

Re: Tying a session to an IP address [summary], (continued)
- Re: Tying a session to an IP address [summary] Paul Johnston (May 12)
- RE: Tying a session to an IP address Mike Randall (May 10)
- RE: Tying a session to an IP address Imperva Application Defense Center (May 10)
  - Re: Tying a session to an IP address T.J. (May 10)
  - Re: Tying a session to an IP address Adam Tuliper (May 10)
    - RE: Tying a session to an IP address Steve McCullough (May 11)
- RE: Tying a session to an IP address Wolf, Yonah (May 10)
- RE: Tying a session to an IP address Scovetta, Michael V (May 10)
  - Re: Tying a session to an IP address exon (May 10)
  - Re: Tying a session to an IP address Mark Foster (May 10)
    - Re: Tying a session to an IP address exon (May 10)
- RE: Tying a session to an IP address Tom Arseneault (May 10)
- RE: Tying a session to an IP address Toni Heinonen (May 10)
  - Re: Tying a session to an IP address exon (May 10)
- RE: Tying a session to an IP address Tom Martin (May 11)