Re: IP number question
From: Michael J. Pelletier (mjpelletier_at_mjpelletier.com)
Date: 01/27/05
- Next message: hockenmeenchianuk: "Re: Neal Stephenson's, the Baroque Trilogy"
- Previous message: Walter Roberson: "Re: Free Random Password Generator"
- In reply to: Walter Roberson: "Re: IP number question"
- Next in thread: Walter Roberson: "Re: IP number question"
- Reply: Walter Roberson: "Re: IP number question"
- Reply: Walter Roberson: "Re: IP number question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Jan 2005 22:52:51 -0800
Walter Roberson wrote:
> In article <lEYJd.10258$rw.4998@fed1read04>,
> Michael J. Pelletier <mjpelletier@mjpelletier.com> wrote:
> :I am not talking about the NNTP or MAIL protocols.
>
> You *should* be talking about NNTP, because that is all that is
> relevant here.
>
>
> :I am talking about TCP.
> :In order for you to establish a TCP connection you must have an in and
> :out route due to the fact that it is a duplex connection.
>
> Not strictly true, but close enough -- there are ways that can work
> to send data through TCP connections even if you never see the reply,
> but they are trickier than if you can get the replies.
If you are talking about timed TCP spoofing it is quite difficult... I have
only been able to do it once... but that is off the topic...
> But that's totally irrelevant.
>
>
> :When sending a news message what happens? Generally, I connect to TCP port
> :119, some parameters are exchanged (window size, etc). Next I start
> :sending the message. The news server ACKs the windows by sending TCP
> :packets back to me. Hence the problem. If I forge someone's IP address,
> :how can I possibly get the server's ACK packets back? Furthermore, I can
> :never exchange the TCP options...the connection will fail.
>
> You didn't read the original posting carefully. What the OP said was:
>
> "Because of the subject of the post I checked the IP number of the
> posting."
>
> Now, how did the OP do that? What IP number did the OP look at?
> The posting had already been made, so the OP wasn't checking active
> sockets or anything like that. The OP probably wasn't even looking
> at the nntp activity logs of the news server that -first- received the
> message. It is highly likely that the OP looked at the posting headers
> in order to determine the IP address that it had been posted from.
Probably. He did not specify how he checked the IP address. He wrote "...I
checked the IP number of the posting. The IP number matches that of another
individual I know but who would not make such postings and also hardly is
ever on their computer". I guess he should have been more specific.
> Probably the OP looked at the NNTP-Posting-Host: header.
> For example, the OP's message of inquiry has:
> NNTP-Posting-Host: 80.42.172.192
> and my initial reply has:
> NNTP-Posting-Host: 192.70.172.31
>
> Now, where did that IP address come from? I pulled these two
> off of the groups.google.com copies of the aforementioned postings,
> but I can assure you with 100% certainty that my message
> was NOT posted to the groups.google.com news server, and that
> that IP address has no special article exchange arrangement
> with google. I'm quite certain of that -- I administer the system
> in question myself, and I administer the company firewall myself.
> There is NO direct way from 192.70.172.31 to google's posting
> service.
Not sure what you are saying. Your IP (via the last post) is 192.70.172.31.
The IP block is owned by the Canadian Gov and your IP goes to an Institute
of Biodiagnostics of Canada. I assume that is where you posted the last
message.
If I understand the problem the OP posted, it was that someone had posted a
news article with the IP address of another person. For example, I post a
news article but in the "NNTP-Posting-Host:" field I should have my IP but
instead have yours, 192.70.172.31. This is the question, yes?
Now your statement is that there is no way your IP address can be used to
post news articles? Please explain this as I do not know your configuration
and I am sure you do not like people scanning you.
Michael
> So how does google -know- that 192.70.172.31 was the posting host?
> Remember, no connection was ever made from 192.70.172.31 to
> google posting service directly. Nor by proxy. The message was
> posted to an nntp server belonging to one of the local universities:
> their system is the only system able to certify (or not) that
> 192.70.172.31 really was the IP address the message was posted from.
> So again, HOW DOES GOOGLE KNOW?
>
> The answer is that Google DOESN'T KNOW. Google received the
> message *complete with NNTP-Posting-Host header* from some other
> computer, and Google just copies what the other computer told it.
> And that other computer received the message from a third computer,
> with the second computer trusting everything that the third computer
> told it. And so on, for probably about 8 computers in line all of
> which were trusted to pass on the truth of what the
> originating system passed on.
>
> The problem with this link of trust is that some news servers
> accept messages from anywhere. And when I say "accept messages",
> I don't mean that you can set your browser to read and post from
> that site: I mean that those news servers will trust *any* system
> that comes along and connects and says "Oh, hey, I have
> this fully complete posting here, that was given to me by
> someone else, and which you might not have a copy of yet." And
> the server replies back with the NNTP equivalent of
> "Gee, you are right, I don't have that one yet, send me a copy
> of the fully complete article." This process, which uses the
> NNTP protocol "IHAVE" and "SENDME" verbs, does NOT add in the
> IP address of the system that claimed to have the article:
> the receiving news system trusts that the -text- sent to it is
> accurate and that any NNTP-Posting-Host: that is passed along
> has been vetted by something down the line. And if the system
> that is saying IHAVE is lying, then the system can send
> *any* content it wants, and all the systems down the chain
> will completely trust whatever NNTP-Posting-Host: header that
> the lying cheating system chose to put in.
>
> TCP is irrelevant to all of this. The same thing works just fine
> with uucp and serial modem connections: all it requires is a
> gullible news server that is willing to accept postings at face
> value. And lots of such systems exist :(
>
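Added illustration, not part of this thread and not code posted by either participant: a small Python model of the point made above, that the NNTP-Posting-Host: header is plain text each relaying server copies verbatim while only prepending itself to Path:, so the Path: header is what tells an investigator which server's own logs could vouch for the claimed IP. All server names, the IP address and the article are constructed.

```python
# Added example (not from the thread). Models how a Usenet article's
# NNTP-Posting-Host: header survives relay hops unchanged, and what an
# investigator can actually verify from the Path: header. Constructed data.
from email import message_from_string

# Constructed article as the injecting server stored it after a normal POST;
# the IP in NNTP-Posting-Host is whatever that server chose to record.
SAMPLE_ARTICLE = """\
Path: news.uni.invalid!not-for-mail
From: someone@example.invalid
Newsgroups: comp.security.misc
Subject: test
Message-ID: <constructed-1@example.invalid>
NNTP-Posting-Host: 192.0.2.45

body text
"""

def relay(article, server):
    """Model one IHAVE-style hop: the receiving server prepends its own name
    to Path: and stores everything else verbatim, NNTP-Posting-Host: included.
    Nothing here looks at the TCP peer; the header is trusted as received."""
    msg = message_from_string(article)
    msg.replace_header("Path", "%s!%s" % (server, msg["Path"]))
    return msg.as_string()

def propagate(article, servers):
    """Pass the article through a chain of relaying servers in order."""
    for s in servers:
        article = relay(article, s)
    return article

def assess(article):
    """What an archive reader can check: the claimed posting host, and the
    injecting server (right-most real hop in Path:), whose logs are the only
    place the claim could be confirmed. Downstream copies cannot vouch for it."""
    msg = message_from_string(article)
    hops = [h.strip() for h in msg["Path"].split("!")]
    # 'not-for-mail' is a conventional pseudo-entry, not a server name
    real = [h for h in hops if h and h != "not-for-mail"]
    return {
        "claimed_host": msg["NNTP-Posting-Host"],
        "injecting_server": real[-1],
        "relay_count": len(real) - 1,
        "verifiable_here": False,
    }
```

The useful action on an archived post is therefore to read Path: and contact the injecting server's administrator, not to treat NNTP-Posting-Host: as evidence of who posted.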