Posted by Jerry Stuckle on 01/22/08 02:50
Baho Utot wrote:
> Jerry Stuckle wrote:
>
>> The Natural Philosopher wrote:
>>> Jonas Werres wrote:
>>>>> Nothing at all to do with PHP.
>>>> I think you did not understand what I wrote.
>>>>
>>>> The OP asked if one can spoof the IP address while requesting a
>>>> document. Jerry says (correctly) that it would not be possible to get
>>>> the answer. That might imply that is IS possible to make a request, but
>>>> the answer goes nowhere. That would be enough if the purpose of the
>>>> request was e.g. to delete a database by SQL injection. The answer is
>>>> unimportant.
>>>>
>>>> What I said was that I think it is not even possible to make a request
>>>> (regardless where the answer would go), because that would require a
>>>> connection which cannot be established with a spoofed IP.
>>>
>>> A request implies an open TCP connection, which implies that a session
>>> has been set up.
>>>
>> Not the way TCP/IP works. You can send up to 7 packets before an ACK is
>> required by the sender. This is all done by the transport layer, and
>> the web server has no idea what's going on.
>>
>> In that 7 packets you can get several pieces of information. It will go
>> to the web server and be processed.
>>
>> The web server doesn't reply until it gets the HTTP request - which can
>> be much later.
>>
>> If the web server's TCP/IP doesn't get the packet, obviously the ACK
>> won't be returned. So after a timeout period, the sender's TCP/IP
>> resends it (if, instead, the ACK got lost on the return, it is the web
>> server's TCP/IP which sorts it out).
>
> I am missing something....What are you trying to say here?
>
> TCP/IP from a proper stack (non microsoft) requires
>
> Client --- Host
> SYN -->
> <-- SYN+ACK
> ACK -->
>
> to open a connection.
>
> Now data can be exchanged.
> Then the 7 packet rule comes into play, you must establish a "connection"
> first.
>
> This link may help:
>
> http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html
>
> [putolin]
>
Wrong, as usual, Baho. The connection is an application level concept.
It is not required for a request to be sent to a web server.
Your link is completely unrelated to what I'm discussing.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
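The three-way handshake quoted above, modelled as an added example (not code from anyone in this thread): a minimal per-peer listener state machine that hands data to the application only once the connection is ESTABLISHED, plus a model network that routes the SYN+ACK to whatever source address the SYN carried. Addresses, the request bytes and the `Listener`/`send_request` names are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field

LISTEN, SYN_RECEIVED, ESTABLISHED = "LISTEN", "SYN_RECEIVED", "ESTABLISHED"

@dataclass
class Segment:
    src: str             # source address as written in the IP header (may be spoofed)
    flags: frozenset     # subset of {"SYN", "ACK"}
    seq: int
    ack: int = 0
    data: bytes = b""

@dataclass
class Listener:
    """Minimal server side of TCP: data reaches the application only in ESTABLISHED."""
    state: dict = field(default_factory=dict)      # peer address -> connection state
    isn: dict = field(default_factory=dict)        # peer address -> server initial seq number
    delivered: list = field(default_factory=list)  # (peer, bytes) handed to the web server
    def receive(self, seg):
        st = self.state.get(seg.src, LISTEN)
        if st == LISTEN and seg.flags == {"SYN"}:
            self.isn[seg.src] = secrets.randbelow(2**32)          # unpredictable ISN
            self.state[seg.src] = SYN_RECEIVED
            return Segment("server", frozenset({"SYN", "ACK"}), self.isn[seg.src], seg.seq + 1)
        if st == SYN_RECEIVED and "ACK" in seg.flags and seg.ack == self.isn[seg.src] + 1:
            self.state[seg.src] = ESTABLISHED                      # third step of the handshake
        if self.state.get(seg.src) == ESTABLISHED and seg.data:
            self.delivered.append((seg.src, seg.data))
        return None                                                # no reply in this model

def send_request(server, real_addr, claimed_addr, payload):
    """SYN, ACK, then a data segment sent from real_addr with claimed_addr in the source field.
    The network routes the SYN+ACK to claimed_addr, so the sender sees it only when honest."""
    client_isn = secrets.randbelow(2**32)
    syn_ack = server.receive(Segment(claimed_addr, frozenset({"SYN"}), client_isn))
    seen = syn_ack if claimed_addr == real_addr else None
    ack = seen.seq + 1 if seen else secrets.randbelow(2**32)     # blind guess when not seen
    server.receive(Segment(claimed_addr, frozenset({"ACK"}), client_isn + 1, ack))
    server.receive(Segment(claimed_addr, frozenset({"ACK"}), client_isn + 1, ack, payload))
    return (claimed_addr, payload) in server.delivered

if __name__ == "__main__":
    srv = Listener()
    req = b"GET / HTTP/1.0\r\n\r\n"                               # constructed sample request
    print(send_request(srv, "10.0.0.5", "10.0.0.5", req))          # True: handshake completed
    print(send_request(srv, "10.0.0.5", "192.0.2.9", req))         # False: SYN+ACK never seen
```

The spoofed peer is left in SYN_RECEIVED, which is also why a server that logs half-open connections will show such attempts as handshakes that never complete.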