
Re: ip spoofing (httpd)



You need to initiate a TCP connection in order to send a HTTP request. This
imposes some constraints on the behaviour of an attacker.

I can see 2 immediate avenues of attack:-
1) Proxies - get someone else to send the HTTP request on your behalf :)
2) IP Address spoofing.

However, since this is a TCP connection, the attacker either has to be able
to see the packets coming back (i.e. packets to his own subnet) or he has to
be able to guess what the sequence numbers in those packets would be (hard -
hopefully).

If he can see traffic to the server (same subnet, or on one of its routes),
you're screwed - as the attacker can trivially fake connections from any IP
address he wishes. If, on the other hand, he is in a distant location, then
there is a limit to the damage he can do based on the number of proxies he
can find, and the size of his subnet.

This of course assumes that changing his real IP address is not a realistic
option (which, unless he is in control of the routing tables, it isn't. If
he controls the routing tables, you may as well give up now :)

Dan





----- Original Message -----
From: "mafkees" <mafkees@maffie.nl>
To: <debian-security@lists.debian.org>
Sent: Tuesday, April 10, 2001 5:55 PM
Subject: Re: ip spoofing (httpd)


> On Tue, Apr 10, 2001 at 08:29:10PM +0200, Clemens Hermann wrote:
> > Hi,
> >
> > today I had a discussion with somebody about the possibility of
> > ip-spoofing that affects the apache. In particular we were talking about
> > a cgi-script he implemented. The script is sort of an
> > online-voting-system. To avoid that someone clicks several
> > times he uses the source-IP and each IP has only got one vote.
> > IMHO it should be quite easy to bypass this sort of "security" because
> > the script evaluates a http-request (vote coded in the URL).
> > Can anyone give me a code-example that does exactly this?
> >
> > tia
> >
> > /ch
> >
> >
> You could of course use a public proxy, vote, switch proxy, vote again,
> etc. etc.
>
> On the net are lots of pages with public proxy server addresses.
> In your browser you can configure which proxy to use.
> Be aware that some proxies may be quite slow.
>
> Michiel van Baak
> http://www.maffie.nl
>
> --
> There are 2 major products that came out of Berkeley:
> UNIX and LSD.
> We don't believe this to be a coincidence.
>
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> >


