Security Basics mailing list archives

Re: Trusting localhost?


From: "Jude Naidoo" <jude007 () jnaidoo fsnet co uk>
Date: Sat, 26 Jul 2003 17:12:28 +0100

Anyone could spoof the loopback address, but the reply to that request would
go directly to the machine receiving the SYN packet.
The most the spoofer can do is get your machine to reply to a whole lot of
loopback addresses, and possibly cause some sort of DoS.

The most sensible thing to do to prevent that is to stick the server on a DMZ
behind a firewall that's clever enough to drop packets to that server that
have the reply or source address as 127.1....


Thanks

Jude


----- Original Message ----- 
From: "Craig Minton" <CraigSecurity () blazemail com>
To: <security-basics () securityfocus com>
Sent: Friday, July 25, 2003 3:44 PM
Subject: Trusting localhost?


If you are creating an application that communicates using TCP, but only
want to take requests from the localhost, are there reasons why you
would not want to check that the incoming request is from localhost and
then trust it?  This is in a Windows environment.  Would IP spoofing
work if the application was checking for the IP address 127.0.0.1?  If
so, how likely is it that IP spoofing would work today, in a corporate
environment?

Thank you for any direction you can provide.
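
Added example, not part of either message in the thread: one way to make a TCP service take requests only from the local machine, written in Python for illustration. It binds the listener to 127.0.0.1 instead of all interfaces, so only connections addressed to the loopback address reach it, and then checks the reported peer address as a second test. The function names are hypothetical, and the ephemeral port and greeting are constructed for the demo.

```python
import ipaddress
import socket
import threading


def is_loopback_peer(addr: str) -> bool:
    """True if addr is in 127.0.0.0/8, is ::1, or is an IPv4-mapped loopback."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 zone id if present
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def make_loopback_listener(port: int = 0) -> socket.socket:
    """Listen on 127.0.0.1 only; connections addressed to any other local
    address are never delivered to this socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))  # not "0.0.0.0" or "" (all interfaces)
    srv.listen(5)
    return srv


def serve_one(srv: socket.socket) -> str:
    """Accept one connection; answer only if the peer address is loopback."""
    conn, (peer_ip, _peer_port) = srv.accept()
    with conn:
        if not is_loopback_peer(peer_ip):
            return "rejected " + peer_ip  # second check on the reported peer
        conn.sendall(b"hello local client\n")
        return "served " + peer_ip


def demo() -> tuple:
    """Start the listener on an ephemeral port and connect to it locally."""
    srv = make_loopback_listener()
    port = srv.getsockname()[1]
    result = []
    worker = threading.Thread(target=lambda: result.append(serve_one(srv)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        reply = client.recv(64)
    worker.join(5)
    srv.close()
    return result[0], reply


if __name__ == "__main__":
    print(demo())
```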


