Gammon Software Solutions forum

Subject: IP spoofing

Subject review (reverse sequence)

Posted by Gatewaysysop2   USA  (142 posts)
Date Mon 08 Nov 2004 06:36 AM (UTC)
Message
Good reading Nick, thanks for the links. Anavel is right, this sorta thing does give you the creeps. :P

"The world of men is dreaming, it has gone mad in its sleep, and a snake is strangling it, but it can't wake up." -D.H. Lawrence

Posted by Anavel   Mexico  (124 posts)
Date Sun 07 Nov 2004 02:50 AM (UTC)
Message
Wow. After reading those two pages now I'm kinda scared about the internet. :o

Posted by Nick Gammon   Australia  (18,769 posts)   Forum Administrator
Date Sat 06 Nov 2004 08:32 PM (UTC)

Amended on Sun 07 Nov 2004 06:04 AM (UTC) by Nick Gammon

Message

I don't quite see how someone can "spoof" an IP address in this context. Normally hosts respond by returning to the IP address in the packet header. If you spoof it (which you can if you try) the response goes to someone else.

The thing that is checked once is domain-name resolution, where an address like 1.2.3.4 gets translated into a name (like myhost.org).

Read http://www.grc.com/dos/drdos.htm, it is a rattling good yarn about attacks and spoofs.

I think on that page, or a nearby one (http://www.grc.com/dos/grcdos.htm), the fellow who wrote it, who runs a company that specialises in Internet security, admitted that if someone really wanted to "get him" they could (by using thousands of "zombie" PCs that they control through trojan horses and viruses) and that he couldn't stop them. Basically in the end he managed to find the person responsible and had to ask him nicely to stop. Read it and you'll see why.

I recommend you read both those pages, they are well laid out and fascinating.

I don't think you can do much about it. Even detecting people with the *same* IP address can fail with false positives. Say 100 people are behind a NAT router, they will all have the same IP address, but could actually be 100 different players, all sitting at different PCs.


- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Greven   Canada  (835 posts)
Date Fri 05 Nov 2004 07:24 AM (UTC)

Amended on Fri 05 Nov 2004 07:43 AM (UTC) by Greven

Message
The person told us that he was spoofing. As for checking for collusion, is there somewhere that may have some information on this? I am severely inexperienced in network connections.

As I understand it, spoofing is changing the 13-20th bytes of an IP packet. I don't know if that can be detected within the confines of a mud code, but...

I don't know if this can be done, as I understand that this would cause problems with sending the information to the wrong place, though the host is only checked once and then allocated into a string, as I understand it.

Nobody ever expects the Spanish Inquisition!

darkwarriors.net:4848
http://darkwarriors.net
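
Added example, not part of any post in this thread: the 13th to 20th header bytes mentioned in the post above are where IPv4 carries the source (13-16) and destination (17-20) addresses. This C code parses a constructed 20-byte header and rejects truncated or corrupted input; `parse_ipv4`, `struct ipv4_info` and `SAMPLE` are hypothetical names, and the sample addresses are taken from the documentation ranges.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ipv4_info {                         /* illustrative names, not from the thread */
    uint8_t version, header_len, protocol; /* header_len in bytes; protocol 6 = TCP */
    uint8_t src[4];                        /* header bytes 13-16 (offsets 12..15) */
    uint8_t dst[4];                        /* header bytes 17-20 (offsets 16..19) */
};

/* RFC 791 one's-complement checksum; over an intact header it yields 0. */
static uint16_t ipv4_checksum(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((h[i] << 8) | h[i + 1]);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 0 on success, -1 if buf is truncated, not IPv4, or corrupted. */
int parse_ipv4(const uint8_t *buf, size_t len, struct ipv4_info *out)
{
    if (len < 20) return -1;
    out->version = buf[0] >> 4;
    out->header_len = (uint8_t)((buf[0] & 0x0F) * 4);
    if (out->version != 4 || out->header_len < 20 || out->header_len > len) return -1;
    if (ipv4_checksum(buf, out->header_len) != 0) return -1;
    out->protocol = buf[9];
    memcpy(out->src, buf + 12, 4);
    memcpy(out->dst, buf + 16, 4);
    return 0;
}

/* Constructed sample: 192.0.2.10 -> 198.51.100.7 (documentation ranges), TCP.
 * A TCP server never reads these bytes; accept() reports the handshake peer. */
static const uint8_t SAMPLE[20] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x4E, 0x8A,
    192, 0, 2, 10, 198, 51, 100, 7
};

int main(void)
{
    struct ipv4_info h;
    if (parse_ipv4(SAMPLE, sizeof SAMPLE, &h) != 0) return 1;
    printf("src %u.%u.%u.%u dst %u.%u.%u.%u proto %u\n", h.src[0], h.src[1],
           h.src[2], h.src[3], h.dst[0], h.dst[1], h.dst[2], h.dst[3], h.protocol);
    return 0;
}
```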

Posted by Rogel   USA  (5 posts)
Date Fri 05 Nov 2004 06:49 AM (UTC)
Message
How do you know they are spoofing IPs? Could it be that they are just proxying through something like SOCKS or connecting through a remote shell?

If they are connecting through a remote shell, then there is not much that you can really do besides watching for collusion or maybe checking if the IP comes from a known shell host.

If they are proxying through SOCKS, you can always check to see if the connecting system is running SOCKS, since it commonly uses certain ports like 1080. However, if a SOCKS port cannot be found or they are using some weird proxy protocol, then checking for collusion is probably the best method.

Rogel's Intermud Laboratory: http://rogel.mudworld.org
Immortal University: http://www.mudworld.org/ImmU
Intermud Forum: http://www.intermud.org/forum/
OpenIMC Intermud Communication Network: http://www.openimc.org

Posted by Greven   Canada  (835 posts)
Date Fri 05 Nov 2004 04:35 AM (UTC)

Amended on Fri 05 Nov 2004 07:42 AM (UTC) by Greven

Message
I was wondering if anyone has by any chance got any advice on how to stop people from multiplay when they are spoofing IPs. Kinda screws up the ban code. I understand that there is something inherently difficult in detecting this, but maybe someone knows a way to get around it.

Nobody ever expects the Spanish Inquisition!

darkwarriors.net:4848
http://darkwarriors.net

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).
