Re: Spoofing an IP over the internet

From: Simon (simon_at_xhz.ca)
Date: 11/24/04

    Date: Tue, 23 Nov 2004 19:58:02 -0500
    To: Philip Wagenaar <pb.wagenaar@chello.nl>

    Thank you for the reply,

       The secure authentication script will support many levels of security,
    depending on the need. First level is just identification, opening a session
    for a user to keep track of him in the site. Second is Authentication, where
    the user is given a cookie and has to provide login&password.

    As you pointed out, I will look into certificate which can certainly be the
    third level of authentication.

    But to go back to my 'fear' of DoS, I think my approach will just consume CPU,
    since as soon as the script detects there is a possible DoS it will raise a flag,
    that will make it more strict with legitimate users (send them a cookie even if
    they are just to be identified, etc...) to help filter the attack and anything
    that looks possibly like the attacker will just be given a general 'server down'
    message (like "Server is currently experiencing difficulty, come back in 30
    min") but the server will be working fine behind.

    And I may couple my script with some sort of counter-attack device BUT, I know
    that it may also give the attacker one more way of attacking the server, by
    disabling DNS and stuff... So for now, I prefer to use 100% CPU and let the
    service slow down.

    And my bandwidth is 'unlimited' but it does cost money, my budget is the limit...
      I'll talk to my ISP, in case a hacker costs me very much bandwidth what is my
    responsibility, etc...

    Thanks a lot,
       Simon

    Philip Wagenaar wrote:

    > Hi, I have a few comments, I added them in between your lines
    >
    >
    >>-----Original Message-----
    >>From: Simon [mailto:simon@xhz.ca]
    >>Sent: Monday 22 November 2004 6:50
    >>To: security-basics@securityfocus.com
    >>Subject: Spoofing an IP over the internet
    >>
    >>Hi there,
    >> I'm fairly new to this list and I'm very interested in security. I'm
    >>currently programming a set of security functions to make a very strong
    >>authentication with PHP and MySQL.
    >>
    >> These functions deal with all the problems Web Applications are prone to
    >>and will make sure the process is done quickly and securely.
    >>
    >> Then, to use it, you would just need a MySQL database, a PHP file and
    >>just add two lines of code. With the first use, the administrator can
    >>create all the security script needs to proceed, etc... Then the admin
    >>can set the security level, currently either IDENTIFY or AUTHENTICATE.
    >>
    >> I'm currently working on dealing with a possible DoS attack, where the
    >>user would send TCP/IP packets to the webserver with different
    >>information. Currently, I create a new Session ID if the pair
    >>[IPaddress/UserAgent] is not found. It would be easy for a hacker to just
    >>set UserAgent to an incrementing number, until the disk is filled with
    >>sessions. However, it would be very simple to just verify that one IP
    >>cannot have more than one UserAgent associated with it. And report by
    >>email a digest of all the problems in the last 10 minutes...
    >
    >
    > You can only really stop a DoS attack at a network router outside your own
    > network.
    >
    >
    >
    >> Now comes my Critical question. Can an IP address be
    >>spoofed/forged/manipulated by someone on the internet?
    >
    >
    > Not anymore, only inside your network. However crackers and hackers rarely
    > use their own IP, they always use another victim host to attack another
    > system.
    >
    >
    >> I've read about IP spoofing and it seems that the hacker would need to
    >>be in my LAN to do such action. So I was wondering if it was possible to
    >>change an IP address at will over the internet before opening a TCP/IP
    >>connection?
    >
    >
    > Like you said, only in your LAN. Most networks don't allow spoofing IPs
    > anymore.
    >
    >
    >> If it's not possible, then I believe my anti-DoS process is fairly
    >>strong.
    >
    >
    > A DoS attack is simply consuming all the bandwidth you have. So as long as a
    > hacker sends enough packets you can't stop it. Using your approach you will
    > probably also consume 100% cpu time.
    >
    >
    >>But if it is possible, then I would like to know how a hacker can proceed
    >>(Does he need to be an ISP or can an end user do it? Are ISPs checking
    >>this? What about the law and IP spoofing? Is there a way beyond this point
    >>where I can trust something on the internet?)
    >
    >
    > If you want to secure your web application, try looking into client
    > certificates. This way you can authenticate the user.
    >
    >
    >> Say for example, that I somehow determine the webserver is currently
    >>serving a user with a spoofed IP, what can I do to trust other visitors?
    >>What can I do to get more information on this hacker for further
    >>investigation?
    >
    >
    > How can you determine if an IP is spoofed?
    >
    >
    >>If you could direct me to some literature on the internet about spoofing
    >>IPs on the internet, that would be very much appreciated, then if I can
    >>understand how a hacker would proceed I will change my Security mechanism
    >>to deal with such a possibility.
    >>
    >>Oh and btw, I will release the source code of the security engine so that
    >>people can read and verify it. Then I was thinking on possibly asking a
    >>commercial auditing company to check a test site for possible security
    >>flaws and this way I could put some sort of Guarantee on the script (the
    >>guarantee coming from the experts).
    >>
    >>Thanks in advance,
    >> Simon
    >
    >
    > Overall I think if you want to secure your web application, you need to
    > authenticate your users using certificates or VPN. And ignore which IP they
    > are using.
    >
    > Philip Wagenaar
    >
    > http://www.wagenaar.123.nl
    >

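The session-creation guard Simon describes (sessions keyed on the IP/User-Agent pair, a cap on User-Agents per IP, a stricter mode once abuse is noticed, and a digest of problems over the last 10 minutes), modelled as an added Python example. This is not Simon's PHP/MySQL code; the cap, threshold and window values, and the cookie challenge used in strict mode, are assumptions.

```python
from collections import defaultdict, deque


class SessionGuard:
    """Constructed model of the session-creation guard from the thread
    (not Simon's PHP/MySQL code). Sessions are keyed on (ip, user_agent);
    a client rotating User-Agent strings could otherwise mint sessions
    until the disk fills. The guard caps distinct User-Agents per IP,
    flips to a 'strict' mode after repeated refusals, and keeps a digest
    of refusals in the last window for the e-mailed report."""

    def __init__(self, max_agents_per_ip=3, strict_threshold=5, window_s=600):
        self.max_agents = max_agents_per_ip   # distinct UAs one IP may hold
        self.strict_threshold = strict_threshold
        self.window_s = window_s              # 10-minute digest window
        self.sessions = {}                    # (ip, ua) -> session id
        self.agents = defaultdict(set)        # ip -> UAs already seen
        self.refusals = deque()               # (timestamp, ip, ua)
        self.strict = False
        self._next_id = 1

    def _prune(self, now):
        while self.refusals and now - self.refusals[0][0] > self.window_s:
            self.refusals.popleft()

    def request(self, ip, ua, now, has_cookie=False):
        """Return (session_id or None, action) for one request."""
        self._prune(now)
        key = (ip, ua)
        if key in self.sessions:
            return self.sessions[key], "existing"
        if len(self.agents[ip]) >= self.max_agents:
            self.refusals.append((now, ip, ua))
            if len(self.refusals) >= self.strict_threshold:
                self.strict = True                # tighten up for everyone
            return None, "refused"                # client sees 'server busy'
        if self.strict and not has_cookie:
            return None, "challenge"              # set a cookie, ask to retry
        self.agents[ip].add(ua)
        sid, self._next_id = self._next_id, self._next_id + 1
        self.sessions[key] = sid
        return sid, "created"

    def digest(self, now):
        """Refusals per IP inside the window, for the periodic report."""
        self._prune(now)
        counts = defaultdict(int)
        for _, ip, _ in self.refusals:
            counts[ip] += 1
        return dict(counts)
```

The guard only limits disk growth from one source address; as Philip notes, it does nothing about bandwidth exhaustion, which has to be handled upstream.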
