[Home] [Downloads] [Search] [Help/forum]

Gammon Software Solutions forum

See www.mushclient.com/spam for dealing with forum spam. Please read the MUSHclient FAQ!

[Folder]  Entire forum
-> [Folder]  SMAUG
. -> [Folder]  SMAUG coding
. . -> [Subject]  IP spoofing
Home  |  Users  |  Search  |  FAQ
Username:
Register forum user name
Password:
Forgotten password?
(New message)
Subject: IP spoofing
Name:
Your forum user name.
Register forum user name
Password:
Your forum password.
Forgotten password?
Message:
Message to be posted (in English, please)
Maximum of 6000 characters. Text only please, no HTML.
Forum codes:
Check this if your message uses 'forum codes' or templates (auto-detected for new posts).
Forum codes Templates

Save this message ...

Subject review (reverse sequence)

Posted by Gatewaysysop2   USA  (142 posts)  [Biography] bio
Date Mon 08 Nov 2004 06:36 AM (UTC)  quote  ]
Message
Good reading Nick, thanks for the links. Anavel is right, this sorta thing does give you the creeps. :P
"The world of men is dreaming, it has gone mad in its sleep, and a snake is strangling it, but it can't wake up." -D.H. Lawrence
[Go to top] top
Posted by Anavel   Mexico  (124 posts)  [Biography] bio
Date Sun 07 Nov 2004 02:50 AM (UTC)  quote  ]
Message
Wow. After reading those two pages now I'm kinda scared about the internet. :o
[Go to top] top
Posted by Nick Gammon   Australia  (18,772 posts)  [Biography] bio   Forum Administrator
Date Sat 06 Nov 2004 08:32 PM (UTC)  quote  ]

Amended on Sun 07 Nov 2004 06:04 AM (UTC) by Nick Gammon

Message

I don't quite see how someone can "spoof" an IP address in this context. Normally hosts respond by returning to the IP address in the packet header. If you spoof it (which you can if you try) the response goes to someone else.

The thing that is checked once is domain-name resolution, where an address like 1.2.3.4 gets translated into a name (like myhost.org).

Read http://www.grc.com/dos/drdos.htm, it is a rattling good yarn about attacks and spoofs.

I think on that page, or a nearby one (http://www.grc.com/dos/grcdos.htm), the fellow who wrote it, who runs a company that specialises in Internet security, admitted that if someone really wanted to "get him" they could (by using thousands of "zombie" PCs that they control through trojan horses and viruses) and that he couldn't stop them. Basically in the end he managed to find the person responsible and had to ask him nicely to stop. Read it and you'll see why.

I recommend you read both those pages, they are well laid out and fascinating.

I don't think you can do much about it. Even detecting people with the *same* IP address can fail with false positives. Say 100 people are behind a NAT router, they will all have the same IP address, but could actually be 100 different players, all sitting at different PCs.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
[Go to top] top
Posted by Greven   Canada  (835 posts)  [Biography] bio
Date Fri 05 Nov 2004 07:24 AM (UTC)  quote  ]

Amended on Fri 05 Nov 2004 07:43 AM (UTC) by Greven

Message
The person told us that he was spoofing. As for checking for collusion, is there somewhere that may have some information on this? I am severly inexperienced in network connections.

As I understand it, spoofing is changing the 13-20th bytes of an IP packet. I don't know if that can be detected within the confines of a mud code, but...

I don't know if this can be done, as I understand that this would cause problems with sending the information to the wrong place, though the host is only checked once and then allocated into a string, as I understand it.
Nobody ever expects the spanish inquisition!

darkwarriors.net:4848
http://darkwarriors.net
[Go to top] top
Posted by Rogel   USA  (5 posts)  [Biography] bio
Date Fri 05 Nov 2004 06:49 AM (UTC)  quote  ]
Message
How do you know they are spoofing ips? Could it be that they are just proxying through something like SOCKS or connecting through a remote shell?

If they are connecting through a remote shell, then there is not much that you can really do besides for watching for collusion or maybe checking if the ip comes from a known shell host.

If they are proxying through SOCKS, you can always check to see if the connecting system is running SOCKS, since it commonly uses certain ports like 1080. However, if a SOCKS port can not be found or they are using some weird proxy protocol, then checking for collusion is probably the best method.
Rogel's Intermud Laboratory: http://rogel.mudworld.org
Immortal University: http://www.mudworld.org/ImmU
Intermud Forum: http://www.intermud.org/forum/
OpenIMC Intermud Communication Network: http://www.openimc.org
[Go to top] top
Posted by Greven   Canada  (835 posts)  [Biography] bio
Date Fri 05 Nov 2004 04:35 AM (UTC)  quote  ]

Amended on Fri 05 Nov 2004 07:42 AM (UTC) by Greven

Message
I was wondering if anyone has by any chance got any advice on how to stop people from multiplay when they are spoofing ip's. Kinda screws up the ban code. I understand that there is something inheriently difficult in detecting this, but maybe someone knows a way to get around it.
Nobody ever expects the spanish inquisition!

darkwarriors.net:4848
http://darkwarriors.net
[Go to top] top

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).

To show them in your local time you can join the forum, and then set the 'time correction' field in your profile to the number of hours difference between your location and UTC time.

2,456 views.

[Reply to this subject]  Reply to this subject   [New subject]  Start a new subject   [Refresh] Refresh page

Go to topic:           Search the forum

[Go to top] top

[Home]

Written by Nick Gammon - 5K

Comments to: Gammon Software support
[RH click to get RSS URL] Forum RSS feed ( http://www.gammon.com.au/rss/forum.xml )

[Best viewed with any browser - 2K]    [Internet Contents Rating Association (ICRA) - 2K]    [Web site powered by FutureQuest.Net]