OT: Security....

Joel rees at ddcom.co.jp
Tue Nov 2 01:39:29 UTC 2004


James wrote:
> I wrote:
> > In particular, you can't really spoof IP addresses on SSH sessions. The
> > server needs to be able to get packets back to the (possibly attacking)
> > client, which means the client's IP address must be routable.
> 
> Joel wrote:
> > Okay, educate me. Why is a spoofed IP address known to be not routable?
> 
> Yes, I over-simplified this. I should have said routable back to the
> client. Imagine you're sitting in Power Cable, Nebraska, attacking a
> computer in Nether Wallop, UK, and spoofing a computer in
> Henley-on-Todd, Australia. You send a packet to the UK, which replies to
> it. But it sends the reply to Australia: you never see it.
> 
> But you need to see data from that packet to be able to continue the
> connection.
> ...

I think I am fairly clear on SSH, that two-way conversation is key to
making the security techniques SSH uses work. The two-way-ness probably
needs to be emphasised here because some members of this list have not
picked up on it yet. I suppose I'm not being very clear. But what is the
technical difference between spoofing IP and simply temporarily using an
IP that is not assigned to you?

For instance, in the example you provide, how do we guarantee that Joe
Cracker hasn't 0wn3d the DNS server(s) that the computer in Nether
Wallop is referencing? Or that he hasn't simply 0wn3d the box in
Henley-on-Todd and thinks he has covered his tracks, so that he doesn't
care whether the box in Australia gets removed from the 'net? 

Admittedly, that's not simple spoofing, but the second case is not rare
and the first case might not be all that hard to someone who has a
grudge. And I think these two cases (and others) do apply to SSH (and
SFTP and HTTP(S), etc.).

Steve does have a point, however. 

-- 
Joel <rees at ddcom.co.jp>
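
The exchange discussed in this thread, as an added example that is not part of the original post: a simplified model of the TCP handshake in which the server's reply is routed to the claimed source address. The addresses, class and function names are constructed for illustration; it shows that a connection completes only for whoever can read traffic delivered to that address, which is the difference between an off-path spoof and using an address whose host you control.

```python
import secrets

NEBRASKA = "192.0.2.10"      # constructed address: where the sender really sits
AUSTRALIA = "198.51.100.20"  # constructed address: the one being claimed
MOD = 2 ** 32

class Server:
    """Toy listener: a handshake completes only if the ACK echoes its ISN + 1."""
    def __init__(self):
        self.pending = {}         # claimed source address -> server ISN
        self.established = set()

    def on_syn(self, src):
        isn = secrets.randbits(32)  # unpredictable initial sequence number
        self.pending[src] = isn
        # The reply is addressed to the *claimed* source, wherever the SYN came from.
        return {"to": src, "flags": "SYN-ACK", "seq": isn}

    def on_ack(self, src, ack):
        isn = self.pending.get(src)
        if isn is not None and ack == (isn + 1) % MOD:
            self.established.add(src)
            return True
        return False

def deliver(packet, inboxes):
    """Route by destination only: the host holding that address gets the packet."""
    inboxes.setdefault(packet["to"], []).append(packet)

def attempt(claimed_src, sender_reads):
    """Send a SYN claiming claimed_src; the sender can read only sender_reads' inbox."""
    server, inboxes = Server(), {}
    deliver(server.on_syn(claimed_src), inboxes)
    seen = inboxes.get(sender_reads, [])
    # Without the SYN-ACK the sender has no ISN to echo (only a blind 1-in-2**32 guess).
    ack = (seen[-1]["seq"] + 1) % MOD if seen else None
    return server.on_ack(claimed_src, ack)

if __name__ == "__main__":
    print("honest client:          ", attempt(NEBRASKA, NEBRASKA))
    print("off-path spoof:         ", attempt(AUSTRALIA, NEBRASKA))
    print("controls claimed host:  ", attempt(AUSTRALIA, AUSTRALIA))
```

For a defender, the model's point is that a completed handshake shows the peer can receive traffic at that address, not who is operating the machine behind it.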