James wrote
> I wrote:
> > In particular, you can't really spoof IP addresses on SSH sessions. The
> > server needs to be able to get packets back to the (possibly attacking)
> > client, which means the client's IP address must be routable.
>
> Joel wrote:
> > Okay, educate me. Why is a spoofed IP address known to be not routable?
>
> Yes, I over-simplified this. I should have said routable back to the
> client. Imagine you're sitting in Power Cable, Nebraska, attacking a
> computer in Nether Wallop, UK, and spoofing a computer in
> Henley-on-Todd, Australia. You send a packet to the UK, which replies to
> it. But it sends the reply to Australia: you never see it.
>
> But you need to see data from that packet to be able to continue the
> connection.
> ...

I think I am fairly clear on SSH, that two-way conversation is key to making the security techniques SSH uses work. The two-way-ness probably needs to be emphasised here because some members of this list have not picked up on it yet.

I suppose I'm not being very clear. But what is the technical difference between spoofing IP and simply temporarily using an IP that is not assigned to you?

For instance, in the example you provide, how do we guarantee that Joe Cracker hasn't 0wn3d the DNS server(s) that the computer in Nether Wallop is referencing? Or that he hasn't simply 0wn3d the box in Henley-on-Todd and thinks he has covered his tracks, so that he doesn't care whether the box in Australia gets removed from the 'net? Admittedly, that's not simple spoofing, but the second case is not rare and the first case might not be all that hard to someone who has a grudge.

And I think these two cases (and others) do apply to SSH (and SFTP and HTTP(S), etc.).

Steve does have a point, however.

--
Joel <rees@xxxxxxxxxxx>
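
The exchange discussed above, modelled as an added example that is not part of either poster's message: a toy TCP-like handshake in which the server's reply is routed to the claimed source address, so the connection completes only for a sender who can read packets delivered there. The class and function names, the address labels and the fixed sequence number are assumptions made for the illustration.

```python
import secrets

MOD = 2**32  # TCP sequence numbers are 32-bit

class Server:
    """Toy TCP-like listener; it answers whatever source address the SYN claims."""
    def __init__(self, isn=None):
        self.fixed_isn = isn       # fixed only to make the demo repeatable
        self.pending = {}          # claimed source -> ACK number it must send

    def on_syn(self, claimed_src):
        isn = secrets.randbits(32) if self.fixed_isn is None else self.fixed_isn
        self.pending[claimed_src] = (isn + 1) % MOD
        return {"dst": claimed_src, "seq": isn}   # SYN-ACK, routed by dst

    def on_ack(self, claimed_src, ack):
        # Established only if the ACK echoes the server's ISN + 1.
        return self.pending.pop(claimed_src, None) == ack

def attempt(claimed_src, readable, blind_guess=0, isn=None):
    """Open a connection claiming claimed_src; `readable` is the set of
    addresses whose inbound packets the sender can actually read."""
    server = Server(isn)
    syn_ack = server.on_syn(claimed_src)
    if syn_ack["dst"] in readable:
        ack = (syn_ack["seq"] + 1) % MOD    # reply was seen: answer correctly
    else:
        ack = blind_guess                   # reply went elsewhere: must guess
    return server.on_ack(claimed_src, ack)

if __name__ == "__main__":
    me, spoofed = "power-cable", "henley-on-todd"   # labels from the example
    print("own address:            ", attempt(me, {me}))
    print("blind spoof:            ", attempt(spoofed, {me}, isn=12345))
    print("spoofed host controlled:", attempt(spoofed, {me, spoofed}))
```

The third case corresponds to the compromised box in Henley-on-Todd: the source address on the server's side is then genuine, and only the identity of whoever operates that host is in doubt.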