[MUD-Dev] Grief players with ip/dns spoofers

J C Lawrence claw at kanga.nu
Sat Jul 14 19:50:03 New Zealand Standard Time 2001


On Tue, 13 Nov 2001 19:11:11 -0800 
Greg Underwood <gunderwoodhsd at earthlink.net> wrote:
> At 10:08 PM 7/12/01 -0700, Sean Kelly wrote:
>> From: "Tand'a-ur" <tandaur at ix.netcom.com>

>>> Hi, long time lurker here, and I've just about had it with a few
>>> troublemakers that like to frequent my MUD.  Banning doesn't
>>> work because they have ip spoofers and will just come back with
>>> another made up ip. I was wondering if there is a way to detect
>>> a phony ip and just flat out deny connections to them.

>> Unless I'm misinformed, there is no way to maintain an
>> interactive session with a spoofed IP.  What happens is that the
>> response packets go to whatever that IP is and not back to the
>> originator.

> This is my understanding of it as well.  

To create a TCP session requires a multiple packet handshake.  While
the packet sequence is well documented and known, its further
controlled by the TCP sequence number which is not.

  (source)--->SYN--->(target)
  (source)<---ACK<---(target)
  (source)--->SYNACK--->(target)

If the ACK never reaches you because it is headed for some other
address you can never build the full TCP connection.

Note: This doesn't apply to UDP as it is connectionless.

> Any responses go back to the faked IP address.  

If you are bouncing thru a proxy or other form of redirector (SOCKs
servers used to be the common mode) then you can receive the ACK,
and thus build the full TCP connection.  You're not forging your IP,
just (ab)using another service to do address re-writing.

> All you can accomplish with an IP spoof is to issue potentially
> dangerous commands 

If commands are delivered over TCP connections and you do not have a
method of retrieving the returned packets you have no way of
building a connection to send a command over.

> ... or flat out flood attacks.  

SYN flood attacks are moot in the space as they do not change in
character or function whether the source address is forged or
re-written.  That's a basic network security item.

--
J C Lawrence                               ("`-''-/").___..--''"`-._         
---------(*)                                 `6_ 6  )   `-.  (     ).`-.__.`)
claw at kanga.nu                               (_Y_.)'  ._   )  `._ `. ``-..-'  
http://www.kanga.nu/~claw/                _..`--'_..-_/  /--'_.' ,'         
I never claimed to be human             (il),-''  (li),'  ((!.-'           
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev



More information about the MUD-Dev mailing list