My question on Security Now Podcast! Episode #116
This is very exciting for me. A question I submitted was read on the Security Now podcast. See the transcript below.
Leo: Ron Goodbin of Clifton, New Jersey needs some IP spoofing clarification. Steve, you’ve talked about how when a client establishes a TCP/IP connection to a server, there’s no way the client can spoof their IP. If so, what is an IP spoofing attack? Is there absolutely no way someone can fake their IP when you’ve established a TCP/IP connection? Some clarity on this would be much appreciated. Well, he raises a good issue. I thought you could spoof an IP.
Steve: Nope, not with a TCP connection. The reason is, the way a connection is made is…
Leo: Oh, it has to get back to you.
Steve: Exactly. It’s that three-way handshake. It requires two roundtrips, that is, the so-called SYN packet, short for “synchronized,” that goes from the client that’s initiating the connection to the server that has the open port which is waiting for the connection. The server receives that, and it sends back its SYN/ACK, which is to say its own SYN packet combined with an ACK, an acknowledgement of the receipt of the client SYN. Well, it sends it back to the IP that was the source IP on the packet coming in, which is now the destination IP on that SYN/ACK going back out. If that were a spoofed IP from the original sender, then the SYN/ACK would be sent to that spoofed IP, not back to the sender. So, while, sure, you’re able to spoof incoming SYN packets, and that is in fact what a spoofed IP attack is, is just flooding a server with random, made-up…
Leo: Because you don’t care about the return.
Steve: Exactly. You’re not trying – there you’re trying to do an attack, a bandwidth attack on the server. You’re not trying to actually establish connections. So in order to establish a connection you have to be sending the packet from a valid IP. And then the SYN/ACK comes back to that IP, and that’s the second leg of the three-way handshake. And finally, the client sends its acknowledgement packet back to the server. And the beautiful thing about that is that, from the original designers of the Internet, that requires two roundtrips, one from the client to the server and back, one from the server to the client and back. And that verifies that the routing between those two endpoints is in place for packets traveling in both directions. So it makes sure that everything is intact, and it does validate and verify the IP addresses of each endpoint.
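As an added illustration of the handshake Steve describes (example code written for this page, not from the podcast or the original post), here is a small Python simulation: a SYN whose source field is forged never gets its SYN/ACK delivered back, so the forger can never send the third-leg ACK, while the honest client completes the handshake and the server is left holding a half-open entry for the forged address. All hosts and addresses are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN/ACK" or "ACK"

class Network:
    """Delivers each packet to whichever host owns the destination address."""
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}
    def send(self, pkt):
        # A forged source is routed normally; only the reply goes astray.
        host = self.hosts.get(pkt.dst)
        if host is not None:
            host.receive(pkt, self)

class Server:
    def __init__(self, ip):
        self.ip = ip
        self.half_open = set()    # peers that sent SYN but never ACKed
        self.established = set()
    def receive(self, pkt, net):
        if pkt.flags == "SYN":
            self.half_open.add(pkt.src)
            net.send(Packet(self.ip, pkt.src, "SYN/ACK"))  # to the claimed source
        elif pkt.flags == "ACK" and pkt.src in self.half_open:
            self.half_open.discard(pkt.src)
            self.established.add(pkt.src)

class Client:
    def __init__(self, ip):
        self.ip = ip
        self.got_synack = False
    def connect(self, net, server_ip, claimed_src=None):
        # claimed_src forges the source field of the SYN (None = honest)
        net.send(Packet(claimed_src or self.ip, server_ip, "SYN"))
    def receive(self, pkt, net):
        if pkt.flags == "SYN/ACK":
            self.got_synack = True
            net.send(Packet(self.ip, pkt.src, "ACK"))  # third leg of the handshake

def run_demo():
    # Constructed addresses; 192.0.2.9 belongs to no attached host.
    srv, honest, forger = Server("10.0.0.1"), Client("10.0.0.2"), Client("10.0.0.3")
    net = Network([srv, honest, forger])
    honest.connect(net, srv.ip)
    forger.connect(net, srv.ip, claimed_src="192.0.2.9")
    return srv.established, srv.half_open, forger.got_synack
```

`run_demo()` returns the established set (only the honest client), the half-open set (only the forged address), and `False` for the forger ever seeing a SYN/ACK; the growing half-open set is the cost a spoofed SYN flood imposes on the server.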

