I posited:

> Imagine you're sitting in Power Cable, Nebraska, attacking a
> computer in Nether Wallop, UK, and spoofing a computer in
> Henley-on-Todd, Australia. You send a packet to the UK, which replies to
> it. But it sends the reply to Australia: you never see it.
>
> But you need to see data from that packet to be able to continue the
> connection.

Joel asked:

> I think I am fairly clear on SSH, that two-way conversation is key to
> making the security techniques SSH uses work. The two-way-ness probably
> needs to be emphasised here because some members of this list have not
> picked up on it yet.

Yes, this is true. But before SSH can do anything, it relies on the OS
setting up a TCP connection. That is inherently two-way, too.

> I suppose I'm not being very clear. But what is the
> technical difference between spoofing IP and simply temporarily using an
> IP that is not assigned to you?

Terminology...

> For instance, in the example you provide, how do we guarantee that Joe
> Cracker hasn't 0wn3d the DNS server(s) that the computer in Nether
> Wallop is referencing?

DNS is used less than you think. The Nether Wallop computer gets a
connection from an IP address, and replies to that IP address. It may do
a reverse DNS lookup, but unless that's used for hosts.allow or for
logging, it doesn't actually need it for the connection. SSH certainly
works where there is no DNS, no reverse DNS, and (presumably) where you
have one domain name pointing at multiple IP addresses.

> Or that he hasn't simply 0wn3d the box in
> Henley-on-Todd and thinks he has covered his tracks, so that he doesn't
> care whether the box in Australia gets removed from the 'net?

If he has compromised the box, he can remove it from the net quite
happily *anyway*.

He could, I suppose, set up a system whereby the Power Cable computer
sent a packet as if from the Australian computer. The UK server would
receive it and respond to the Australian computer, which would send it
on somehow to the Power Cable computer.

But this doesn't buy him much: while he's using such a set-up, his
inbound packets are blocked after they trip the lockout (they look as
though they come from the cracked Australian computer). He does still
have his own, valid, IP address to use. So he's got himself two IP
addresses to "throw away". But he had that anyway: it would have been
much simpler simply to have probed from the Australian computer in the
first place.

Now if you're suggesting that Joe Cracker has a network of compromised
hosts, and can try things from one after another until he finds a valid
connection, then you've got a better point. And I shouldn't be surprised
if determined crackers do try different probes from different machines,
simply to help them cover their traces.

(In my experience, too, casual crackers will try a particular probe
against a wide swathe of computers. Then if they want to try another
probe, they'll look at another swathe. It takes more than a single probe
for most sysadmins to report it, and it takes reports of more than one
probe for ISPs to care about it. The casual cracker will feel,
accurately, that it's very unlikely that there'll be enough complaints
against him for any action to be taken. Such is life on the Net in the
twenty-first century...)

James.

--
E-mail address: james     | ... in our completely unscientific usability study,
@westexe.demon.co.uk      | it took our subjects less than 10 seconds to locate
                          | the Solitaire game. We're not sure what else the
                          | corporate desktop needs. -- Michael Hall, Serverwatch
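The two-way requirement James describes, as an added illustration that is not part of the original thread: a toy model of the TCP three-way handshake in which the network routes replies by destination only, so a sender that writes someone else's address into the SYN never sees the SYN-ACK and cannot supply the server's initial sequence number in the final ACK. The host names and addresses are placeholders standing in for the three machines in the example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Packet:
    src: str      # claimed source address; nothing in the network verifies it
    dst: str
    flags: str    # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0

class Host:
    """A host owning one address. Replies go to whatever src the packet claimed."""
    def __init__(self, ip):
        self.ip, self.inbox, self.pending, self.established = ip, [], {}, set()

    def receive(self, pkt):
        self.inbox.append(pkt)
        if pkt.flags == "SYN":                  # passive open: choose a random ISN
            isn = secrets.randbits(32)
            self.pending[pkt.src] = isn
            return Packet(self.ip, pkt.src, "SYN-ACK", seq=isn, ack=pkt.seq + 1)
        if pkt.flags == "ACK" and pkt.src in self.pending:
            if pkt.ack == self.pending.pop(pkt.src) + 1:
                self.established.add(pkt.src)   # third packet proved it saw our ISN
        return None                             # a real host would RST an unexpected SYN-ACK

class Network:
    """Routes purely by destination address, like the real Internet."""
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}

    def send(self, pkt):
        reply = self.hosts[pkt.dst].receive(pkt)
        if reply is not None:
            self.send(reply)                    # the reply goes to the *claimed* source

def attempt_connect(net, attacker, claimed_src, server):
    """Attacker tries to open a TCP connection to server, writing claimed_src
    (its own address, or someone else's) into the SYN. Returns True if established."""
    net.send(Packet(claimed_src, server.ip, "SYN", seq=secrets.randbits(32)))
    seen = [p for p in attacker.inbox if p.flags == "SYN-ACK" and p.dst == claimed_src]
    if seen:
        ack = seen[-1].seq + 1                  # we saw the SYN-ACK: a genuine handshake
    else:
        ack = secrets.randbits(32)              # blind: one guess out of 2**32
    net.send(Packet(claimed_src, server.ip, "ACK", seq=0, ack=ack))
    return claimed_src in server.established
```

Using the attacker's own address completes the handshake; claiming the Australian address delivers the SYN-ACK to Australia instead, and the connection is never established on the UK side.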