Posted by The Natural Philosopher on 01/21/08 22:54
Jerry Stuckle wrote:
> Jonas Werres wrote:
>>> Nothing at all to do with PHP.
>>
>> I think you did not understand what I wrote.
>>
>> The OP asked if one can spoof the IP address while requesting a document.
>> Jerry says (correctly) that it would not be possible to get the
>> answer. That might imply that it IS possible to make a request, but
>> the answer goes nowhere. That would be enough if the purpose of the
>> request was e.g. to delete a database by SQL injection. The answer is
>> unimportant.
>>
>> What I said was that I think it is not even possible to make a request
>> (regardless where the answer would go), because that would require a
>> connection which cannot be established with a spoofed IP.
>>
>
> Actually, you probably could send out a request from a faked IP address
> with the correct hacker tools. But it would have to be short
> (everything would have to fit in 7 packets). But it would depend on an
> ISP which would accept the spoofed IP address. Correctly configured,
> they shouldn't. But we also know how *everyone* has *everything*
> correctly configured, don't we :-)
>
You would not need to keep it in 7 packets, merely to send in a TCP
window - pretty large these days, BUT you would also need to cut in on
an existing ESTABLISHED session.
If we are talking HTTP, there is no such thing really. Every call to a
URL is a NEW TCP session. Every request is a new session, which is
closed once the data has been delivered and an ACK received from the far end.
So whilst the TCP session is stateful, HTTP is not.
In essence a URL call, be it a form full of data or whatever goes
like this
1/. browserIP:random_port->server:80 OPEN TCP SESSION
2/. Server:80-->browserIP:random_port ACK + TCP +SESSION STUFF
3/. browserIP:random_port ACK DATA ESTABLISHED SESSION STUFF
4/. Server:80-->browserIP ACK CLOSE SESSION.
To hijack that session you need to jump in at point 3/. and replace the
packet with your own. You need to know all about the TCP session as well
as the senders IP address AND current sender port number, or the packet
will be discarded as not part of any TCP session the server knows about.
OR you need to set up your own session. To do that needs bidirectional
communication with the server.
People claim that firewalls that only allow connection from a given IP
address are not secure (enough). That IP addresses can be spoofed. So
they can, but I have never heard of it being done in practice in the
real world, other than in a particular artificial environment. Certainly
NOT by Andy Hacker masturbating in his bedroom with a copy of Linux for
Geeks on the floor.
You need very high level access to core routers to be able to *see* the
traffic session flow and enough ability to reconfigure core internet
routers to do that. AND the sort of kit that can keep UP with the
traffic flow on a router like that is basically NSA level kit.
I.e. your government can probably do it. Possibly the top techie at an
ISP, given some fancy kit, but not anyone else.
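The handshake sketched in the post above, worked through as an added example (this is not code from the original thread, and it touches no real socket). It models a listener that picks a random 32-bit ISN, answers a SYN with a SYN-ACK addressed to whatever source IP the SYN carried, and only accepts step 3 if the ACK number is that ISN plus one. The server address 198.51.100.10, the client address 203.0.113.5, the ports and the request bytes are all constructed for the simulation. `sees_reply=True` stands for the real owner of the source address (or someone on the path who can watch its traffic), `sees_reply=False` for a blind spoofer who has to guess the server's ISN.

```python
"""Toy three-way-handshake model showing why a TCP request sent from a
spoofed source address is dropped unless the sender can see the server's
SYN-ACK. Added example, not code from the original post; all addresses,
ports and payloads are constructed, and no real socket is used."""

import secrets
from dataclasses import dataclass

SEQ_MOD = 2 ** 32          # TCP sequence numbers are 32 bits wide


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False
    payload: bytes = b""


class Server:
    """Minimal TCP listener tracking half-open and established sessions."""

    def __init__(self, ip, port=80):
        self.ip, self.port = ip, port
        self.half_open = {}       # (client ip, port) -> (client ISN, server ISN)
        self.established = set()
        self.received = []        # payloads accepted on established sessions

    def handle(self, seg):
        """Process one inbound segment. Returns the reply, or None when the
        segment matches no session the server knows about (silent drop)."""
        if (seg.dst, seg.dport) != (self.ip, self.port):
            return None
        key = (seg.src, seg.sport)
        if seg.syn and not seg.ack_flag:
            # Step 1 -> 2: choose a random ISN and answer with SYN-ACK. The
            # reply is addressed to seg.src, i.e. whatever the sender wrote in
            # the IP header, so a spoofer never sees it.
            isn = secrets.randbelow(SEQ_MOD)
            self.half_open[key] = (seg.seq, isn)
            return Segment(self.ip, self.port, seg.src, seg.sport,
                           seq=isn, ack=(seg.seq + 1) % SEQ_MOD,
                           syn=True, ack_flag=True)
        if seg.ack_flag and key in self.half_open:
            client_isn, server_isn = self.half_open[key]
            # Step 3: the ACK must carry our ISN + 1 and continue the client's
            # own sequence; anything else is discarded, session stays half-open.
            if (seg.ack != (server_isn + 1) % SEQ_MOD
                    or seg.seq != (client_isn + 1) % SEQ_MOD):
                return None
            del self.half_open[key]
            self.established.add(key)
            if seg.payload:
                self.received.append(seg.payload)
            return Segment(self.ip, self.port, seg.src, seg.sport,
                           seq=(server_isn + 1) % SEQ_MOD,
                           ack=(seg.seq + len(seg.payload)) % SEQ_MOD,
                           ack_flag=True)
        return None


def send_request(server, src_ip, src_port, payload, sees_reply):
    """Try to get `payload` accepted by `server` using source address src_ip.
    sees_reply=True: the sender receives the SYN-ACK (real owner of src_ip, or
    someone on the path watching its traffic). sees_reply=False: a blind
    spoofer who must guess the server's ISN. Returns True if the server
    accepted the data segment."""
    client_isn = secrets.randbelow(SEQ_MOD)
    syn_ack = server.handle(Segment(src_ip, src_port, server.ip, server.port,
                                    seq=client_isn, syn=True))
    if sees_reply:
        ack_no = (syn_ack.seq + 1) % SEQ_MOD
    else:
        ack_no = secrets.randbelow(SEQ_MOD)   # blind guess at server ISN + 1
    reply = server.handle(Segment(src_ip, src_port, server.ip, server.port,
                                  seq=(client_isn + 1) % SEQ_MOD, ack=ack_no,
                                  ack_flag=True, payload=payload))
    return reply is not None


if __name__ == "__main__":
    srv = Server("198.51.100.10")                 # constructed address
    req = b"GET /admin/drop?table=users HTTP/1.0\r\n\r\n"
    print("genuine client :", send_request(srv, "203.0.113.5", 40001, req, True))
    print("blind spoofer  :", send_request(srv, "203.0.113.5", 40002, req, False))
    print("on-path spoofer:", send_request(srv, "203.0.113.5", 40003, req, True))
    print("accepted payloads:", len(srv.received), "half-open:", len(srv.half_open))
```

The blind attempt has a one-in-2^32 chance per try of hitting the right ISN, which is why the simulation draws the ISN with `secrets`; the whole check is only as strong as that randomness, so a server whose ISNs were predictable would let the blind sender through. The on-path case shows the other half of the post's point: whoever can see the SYN-ACK (the traffic flow) completes the handshake with the spoofed address and the server cannot tell the difference.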