Re: Tying a session to an IP address

[Mark Foster <mark () foster cc>]

Scovetta, Michael V wrote:
> ..."I'd say it doesn't do diddly squat to add to security, since it's 
> trivial to spoof ones address."
>
> Is that really true? Is it trivial to spoof an arbitrary, specific
> address? Can you make my traffic log think that you came from 
> 158.4.24.21? Or 127.0.0.1? I agree that within a subnet or behind
> a hacked router, sure, but at some point a router in the downline is
> going to say, "WTF! I don't know about the 158.4 subnet, screw that!"
>
> Unless I totally misunderstand the issues at hand in spoofing IPs...

Spoofing an IP address in a UDP packet really is trivial.
Spoofing an IP address in a TCP packet is also trivial, however with TCP 
you have a "session" which relies and sequence numbers and windows for 
packet-reassembly on the receiving end. So hijacking a HTTP session from 
a spoofed address is not nearly as trivial since you'd need to know what 
the sequence number and window sizes are for each packet in the 
transmission. Even then it would be a one-sided conversation.

However I wonder if there are tools out there that make this type of 
hijack possible and maybe even easy?
--
Some days it's just not worth chewing through the restraints...
Mark D. Foster, CISSP <mark () foster cc>  http://mark.foster.cc/