
Re: Restrictions group without ask for the password



Some time ago Adam Shostack said:

> 	The essence of the answer is that IP is designed to route
> packets, not to provide for authentication.  There are attacks where a
> host acts as a router, so that packets appear to come from that host
> A, when in fact they come from host B.
> 
> 	Further, you don't want to give information to computers, you
> want to give information to the users of those computers.  You thus
> want to make the user do something, such as type in a password, or
> demonstrate their possession of a token, that gives some evidence that
> they are authorized.
> 
> 	There are many articles on the web on IP spoofing.

I'm not an expert in the matter, but I wonder how ACK packets and
return data get back to the machine doing the IP spoofing?  I would
assume that it would be tough to say the least with things like source
routing turned off in the router connecting your network to the
Internet.  

Let's say that the Bad Guy is on network 206.45.100.0, the Innocent
Guy is on network 156.23.90.0.  The Bad Guy spoofs his IP packets to
appear to come from 167.200.87.4.  The packets will be routed
correctly to the Good Guy's machines, but the reply packets will be
routed back to network 167.200.87.0 rather than to 206.45.100.0. 
This assumes that the Good Guy's Internet router is set up with at
least minimal defenses against spoofing addresses on its local
network and has been told to reject various little-used options such
as loose source routing, etc.

--Eric

-- 
Eric Wieling
Network Operations Center
Inter Commerce Corporation
Technical Support: 504-525-1868
Administrative: 504-585-7303
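
Added example, not part of the original message: a sketch of the two border-router checks the message mentions (rejecting source-routed packets and rejecting outside packets that claim a local source address), plus where a reply to a spoofed packet is sent. The /24 mask, the function names and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the protected network from the message, treated as a /24.
LOCAL_NET = ipaddress.ip_network("156.23.90.0/24")
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}  # RFC 791 option types

def build_header(src, dst, options=b""):
    """Constructed sample IPv4 header (checksum left at zero)."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options

def source_route_options(header):
    """Walk the IPv4 options and name any source-route options found."""
    opts, i, found = header[20:(header[0] & 0x0F) * 4], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List
            break
        if kind == 1:  # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break  # malformed length byte, stop walking
        if kind in SOURCE_ROUTE_OPTS:
            found.append(SOURCE_ROUTE_OPTS[kind])
        i += opts[i + 1]
    return found

def border_filter(header, arrived_on):
    """Verdict for a packet seen on the 'external' or 'internal' interface."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return ("drop", "not an IPv4 header")
    if not 20 <= (header[0] & 0x0F) * 4 <= len(header):
        return ("drop", "bad header length")
    routed = source_route_options(header)
    if routed:
        return ("drop", "source routing option " + "/".join(routed))
    if arrived_on == "external" and ipaddress.ip_address(header[12:16]) in LOCAL_NET:
        return ("drop", "local source address on external interface")
    return ("pass", "ok")

def reply_destination(header):
    """Replies go to whatever the source field says, not to the real sender."""
    return str(ipaddress.ip_address(header[12:16]))
```

A header claiming the third-party source 167.200.87.4 passes both checks, and its reply is addressed to 167.200.87.4, which is the routing behaviour the message describes.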

