WebApp Sec mailing list archives
Re: Tying a session to an IP address
From: exon <exon () home se>
Date: Mon, 10 May 2004 17:30:44 +0200
Scovetta, Michael V wrote:
> ..."I'd say it doesn't do diddly squat to add to security, since it's trivial to spoof one's address."
> Is that really true? Is it trivial to spoof an arbitrary, specific address?

Yes. Of course, the return traffic will go to the spoofed address, but the spoofed packets will still make it through.

> Can you make my traffic log think that you came from 158.4.24.21? Or 127.0.0.1?

Perhaps. What I can do is make the packet look like it's coming from whatever address I want. What your machine believes is a different matter.

> I agree that within a subnet or behind a hacked router, sure, but at some point a router in the downline is going to say, "WTF! I don't know about the 158.4 subnet, screw that!"

You're assuming that routers care about a packet's origin.

> Unless I totally misunderstand the issues at hand in spoofing IPs...

You might have.

> Mike
Andreas