Re: IP number question

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 01/27/05


Date: 27 Jan 2005 05:37:39 GMT

In article <lEYJd.10258$rw.4998@fed1read04>,
Michael J. Pelletier <mjpelletier@mjpelletier.com> wrote:
:I am not talking about the NNTP or MAIL protocols.

You *should* be talking about NNTP, because that is all that is
relevant here.

:I am talking about TCP.
:In order for you to establish a TCP connection you must have an in and out
:route due to the fact that it is a duplex connection.

Not strictly true, but close enough -- there are ways that can work
to send data through TCP connections even if you never see the reply,
but they are trickier than if you can get the replies.

But that's totally irrelevant.

:When sending a news message what happens? Generally, I connect to TCP port
:119, some parameters are exchanged (window size, etc). Next I start
:sending the message. The news server ACKs the windows by sending TCP
:packets back to me. Hence the problem. If I forge someone's IP address, how
:can I possibly get the server's ACK packets back? Furthermore, I can never
:exchange the TCP options...the connection will fail.

You didn't read the original posting carefully. What the OP said was:

"Because of the subject of the post I checked the IP number of the
posting."

Now, how did the OP do that? What IP number did the OP look at?
The posting had already been made, so the OP wasn't checking active
sockets or anything like that. The OP probably wasn't even looking
at the nntp activity logs of the news server that -first- received the
message. It is highly likely that the OP looked at the posting headers
in order to determine the IP address that it had been posted from.

Probably the OP looked at the NNTP-Posting-Host: header.
For example, the OP's message of inquiry has:
NNTP-Posting-Host: 80.42.172.192
and my initial reply has:
NNTP-Posting-Host: 192.70.172.31

Now, where did that IP address come from? I pulled these two
off of the groups.google.com copies of the aforementioned postings,
but I can assure you with 100% certainty that my message
was NOT posted to the groups.google.com news server, and that
that IP address has no special article exchange arrangement
with google. I'm quite certain of that -- I administer the system
in question myself, and I administer the company firewall myself.
There is NO direct way from 192.70.172.31 to google's posting
service.

So how does google -know- that 192.70.172.31 was the posting host?
Remember, no connection was ever made from 192.70.172.31 to
google's posting service directly. Nor by proxy. The message was
posted to an nntp server belonging to one of the local universities:
their system is the only system able to certify (or not) that
192.70.172.31 really was the IP address the message was posted from.
So again, HOW DOES GOOGLE KNOW?

The answer is that Google DOESN'T KNOW. Google received the
message *complete with NNTP-Posting-Host header* from some other
computer, and Google just copies what the other computer told it.
And that other computer received the message from a third computer,
with the second computer trusting everything that the third computer
told it. And so on, for probably about 8 computers in line all of
which were trusted to pass on the truth of what the
originating system passed on.

The problem with this link of trust is that some news servers
accept messages from anywhere. And when I say "accept messages",
I don't mean that you can set your browser to read and post from
that site: I mean that those news servers will trust *any* system
that comes along and connects and says "Oh, hey, I have
this fully complete posting here, that was given to me by
someone else, and which you might not have a copy of yet." And
the server replies back with the NNTP equivalent of
"Gee, you are right, I don't have that one yet, send me a copy
of the fully complete article." This process, which uses the
NNTP protocol "IHAVE" and "SENDME" verbs, does NOT add in the
IP address of the system that claimed to have the article:
the receiving news system trusts that the -text- sent to it is
accurate and that any NNTP-Posting-Host: that is passed along
has been vetted by something down the line. And if the system
that is saying IHAVE is lying, then the system can send
*any* content it wants, and all the systems down the chain
will completely trust whatever NNTP-Posting-Host: header that
the lying cheating system chose to put in.

TCP is irrelevant to all of this. The same thing works just fine
with uucp and serial modem connections: all it requires is a
gullible news server that is willing to accept postings at face
value. And lots of such systems exist :(

-- 
   The image data is transmitted back to Earth at the speed of light
   and usually at 12 bits per pixel.
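The relay chain described in the reply above (POST at the injecting server, IHAVE between peers, NNTP-Posting-Host: copied through unchanged), as an added toy simulation that is not part of the original thread. All server names, addresses, the sample article and the helper functions are constructed for illustration; the only thing it models from the real protocol is that a POST hop sees the client's TCP peer address while an IHAVE hop only prepends its own name to Path: and stores everything else as received.

```python
"""Toy model of how NNTP article headers travel through a relay chain.

Added example, not code from the original post. Server names, the sample
article and the helpers are all constructed; they illustrate the trust
model, not any particular news server implementation.
"""


def parse_article(text):
    """Split an article into (ordered header dict, body)."""
    head, _, body = text.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers, body


def format_article(headers, body):
    return "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n\n" + body


class NewsServer:
    """Minimal news server with the two ways an article can arrive."""

    def __init__(self, name):
        self.name = name
        self.spool = {}  # Message-ID -> stored article text

    def post(self, client_ip, text):
        """Reader posting (NNTP POST). This is the only hop that can observe
        the client's address, so it overwrites whatever the client supplied."""
        headers, body = parse_article(text)
        headers["NNTP-Posting-Host"] = client_ip
        headers["Path"] = f"{self.name}!not-for-mail"  # start of the relay trail
        self.spool[headers["Message-ID"]] = format_article(headers, body)
        return headers["Message-ID"]

    def ihave(self, text):
        """Peer feed (NNTP IHAVE). The article arrives complete; the server
        prepends itself to Path: and stores every other header as received."""
        headers, body = parse_article(text)
        msgid = headers["Message-ID"]
        if msgid in self.spool:
            return False  # "already have that one", no transfer
        headers["Path"] = f"{self.name}!{headers['Path']}"
        self.spool[msgid] = format_article(headers, body)
        return True


def relay_chain(servers, msgid):
    """Feed the copy held by servers[0] down the list via IHAVE and return
    the header dict of the copy stored at the last server."""
    for upstream, downstream in zip(servers, servers[1:]):
        downstream.ihave(upstream.spool[msgid])
    return parse_article(servers[-1].spool[msgid])[0]


def injecting_server(headers):
    """Path: is prepended hop by hop, so its last real element names the
    system that first accepted the article. Only that system's logs can
    confirm or deny the NNTP-Posting-Host: value."""
    hops = headers["Path"].split("!")
    if hops[-1] == "not-for-mail":
        hops.pop()
    return hops[-1]


def first_unverifiable_hop(headers, trusted):
    """Walk Path: from the newest hop back; the first name that is not a
    server you run or peer with is where your ability to verify ends."""
    hops = headers["Path"].split("!")
    if hops[-1] == "not-for-mail":
        hops.pop()
    return next((h for h in hops if h not in trusted), None)


# Constructed sample article. The client-supplied NNTP-Posting-Host and
# Path values are deliberately arbitrary to show which hops overwrite them.
ARTICLE = (
    "Path: somewhere.test!not-for-mail\n"
    "From: poster@example.test\n"
    "Subject: IP number question\n"
    "Message-ID: <1@example.test>\n"
    "NNTP-Posting-Host: 203.0.113.9\n"
    "\n"
    "body text\n"
)
RELAYS = ["relay1.test", "relay2.test", "relay3.test", "archive.test"]


def scenario_post():
    """Article POSTed at a university server from 192.0.2.31, then relayed."""
    chain = [NewsServer("news.university.test")] + [NewsServer(n) for n in RELAYS]
    msgid = chain[0].post("192.0.2.31", ARTICLE)
    return relay_chain(chain, msgid)


def scenario_feed():
    """Same article text handed to relay1 as a complete feed (IHAVE)."""
    chain = [NewsServer(n) for n in RELAYS]
    chain[0].ihave(ARTICLE)
    return relay_chain(chain, "<1@example.test>")


if __name__ == "__main__":
    for label, h in (("POST", scenario_post()), ("IHAVE", scenario_feed())):
        print(label, h["NNTP-Posting-Host"], "|", h["Path"],
              "| injected at", injecting_server(h),
              "| verifiable up to", first_unverifiable_hop(h, set(RELAYS)))
```

In the POST scenario the university server replaces the client's claimed address with the real peer address and starts the Path: trail, and every relay after it only adds its own name. In the feed scenario the same article text reaches the relays already carrying an NNTP-Posting-Host: and a Path: that none of them produced, and they copy both through untouched; `first_unverifiable_hop` is the check an administrator reading the archived copy can actually make: the trail is verifiable only as far back as servers you run or peer with, and the address in NNTP-Posting-Host: is a claim made by whatever lies beyond that point.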

