Old 04-08-2003, 09:23 AM   #1
Nick
Registered User
 
Join Date: Jan 2001
Location: Bootypest
Posts: 259
Best IP Spoofing defense?

IP Spoofing: A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.

The HTTP protocol was not designed for security..
I played with a basic IP spoofer & it scared the shit out of me..
TONS of sites/video feeds are indeed insecure..

What is the best defense?

No Replies.. hmmm.. I didn't think there would be any.. Looks like a fix-it script would make bank!!!

The huge security holes remind me of what started all the password sites..

Last edited by Nick; 04-08-2003 at 09:37 AM..
Old 04-08-2003, 10:09 AM   #2
buran
Confirmed User
 
Join Date: Mar 2002
Location: how'd I get here?
Posts: 264
Just ignore IP source routes in all your packets, have the routers do their damn job.

How would IP spoofing make video viewable? Are you sure you're not thinking of HTTP Referer spoofing?

b.
__________________
[this signature intentionally left blank]
Old 04-08-2003, 10:14 AM   #3
Nick
Registered User
 
Join Date: Jan 2001
Location: Bootypest
Posts: 259
Quote:
Are you sure you're not thinking of HTTP Referer spoofing?
Yes that's what I meant..
Old 04-08-2003, 10:22 AM   #4
buran
Confirmed User
 
Join Date: Mar 2002
Location: how'd I get here?
Posts: 264
Well there's a goddamn big difference between the two.

Yes, HTTP referer spoofing is a problem. There are solutions, but like most things HTTP related they're ugly. Your best option is to set up and use transparent session handling, like PHP does natively since PHP4 (or was it 3?). If the user has cookies disabled all your URLs are rewritten to include the session id in the request.

No, HTTP referer checking for intra-site authentication is just stupid. The real problem is in inter-site handoffs of authenticated users. This is a problem which still needs a proper solution.
Old 04-08-2003, 10:37 AM   #5
JDog
Confirmed User
 
Join Date: Feb 2003
Location: Canby, OR
Posts: 7,453
Quote:
Originally posted by Nick

What is the best defense?

No Replies.. hmmm.. I didn't think there would be any.. Looks like a fix-it script would make bank!!!

The huge security holes remind me of what started all the password sites..
There is no real defense. What I had to do for our plugin page is make a lock and key script. I made a script that made an md5 encrypted hash. It had the user's class C IP address and then it took the day of the month (30) and the hour (1-24). And the script is put on the client's computer, i.e. teeniestars.com, and then whenever a user clicks on that script it makes the hash and sends it over in a variable userid, and when they get to our server, our server takes that information, the class C, hour and day of the month and md5, and compares both of them. That way nobody could have the same identical user IDs at the same time. HTTP referring doesn't work. Not every browser sends the same referer information. Some don't send any information at all. So that isn't the best way to go.

JDog
Old 04-08-2003, 10:38 AM   #6
NetRodent
Confirmed User
 
Join Date: Jan 2002
Location: In the walls of your house.
Posts: 3,985
Referrer based authentication is just plain stupid. Especially if your feed supplier charges you for bandwidth. Unfortunately most suppliers and customers seem more concerned with ease of setup than security.

Holio used to offer (and may still) a token based authentication system for some of their feeds (but you had to ask for it). If I recall correctly, you had to pass your account number, the current time, and a hash of the preceding and a shared secret. Seemed to work pretty well.
__________________
"Every normal man must be tempted, at times, to spit on his hands, hoist the black flag, and begin slitting throats."
--H.L. Mencken
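One way to implement the token handoff that JDog (post #5) and NetRodent (post #6) describe, where the account, the time, the surfer's /24 network and a shared secret are hashed together and the result travels with the request instead of relying on the Referer header. This is an added example, not code from the thread or from any of the feeds mentioned; it uses HMAC-SHA256 rather than a bare MD5 of the concatenation, carries the issue time explicitly so the feed side can enforce a freshness window, and the secret, account id and addresses are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholders: not values from the thread.
SHARED_SECRET = b"example-shared-secret-change-me"
WINDOW_SECONDS = 3600  # roughly the one-hour granularity JDog's scheme used


def class_c(ip: str) -> str:
    """Reduce an IPv4 address to its /24 prefix, the thread's 'class C' part."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


def make_token(account: str, ip: str, now: int, secret: bytes = SHARED_SECRET) -> str:
    """Client-site side: bind account, issue time and the surfer's network under the
    shared secret. Account ids are assumed not to contain '.' (the field separator)."""
    msg = f"{account}|{now}|{class_c(ip)}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{account}.{now}.{mac}"


def verify_token(token: str, ip: str, now: int, secret: bytes = SHARED_SECRET) -> bool:
    """Feed-provider side: recompute the MAC from the surfer's actual /24 and the
    claimed issue time; reject malformed, stale, tampered or out-of-network tokens."""
    try:
        account, ts_str, mac = token.split(".")
        issued = int(ts_str)
    except ValueError:
        return False  # malformed token
    if not 0 <= now - issued <= WINDOW_SECONDS:
        return False  # expired, or issue time claimed in the future
    expected = hmac.new(secret, f"{account}|{issued}|{class_c(ip)}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


if __name__ == "__main__":
    import time
    now = int(time.time())
    tok = make_token("acct42", "203.0.113.77", now)
    print(tok)
    print("same /24 accepted:", verify_token(tok, "203.0.113.5", now + 60))
    print("other network rejected:", verify_token(tok, "198.51.100.9", now + 60))
```

Because the surfer's /24 is recomputed from the connecting address on the feed side, a token copied to a surfer on a different network fails verification even though the hash itself is valid.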
Old 04-08-2003, 10:50 AM   #7
JDog
Confirmed User
 
Join Date: Feb 2003
Location: Canby, OR
Posts: 7,453
It works great for us. We have not been hacked once since I programmed the new security just over a year ago. It works great. I would never go with referers. HTTP spoofing is so easy. We used to get hacked all the time.

JDog
Old 04-08-2003, 11:07 AM   #8
buran
Confirmed User
 
Join Date: Mar 2002
Location: how'd I get here?
Posts: 264
JDog, have you had any problems with getting your client to implement it? How much work is involved for you on every new client?

Presumably you have a private key involved, or what stops someone from taking your description above and h4x0ring it now?

IGallery now offers this setup on their feeds as well.

b.
Old 04-08-2003, 11:13 AM   #9
p00p
Confirmed User
 
Join Date: Dec 2002
Location: CanaDUH
Posts: 5,125
Check this out.
http://www.paysitepowertools.com/os-multimodauth.html

This guy posts on here, but doesn't seem to push his software. It seems like a valid solution, although the price sucks ass. On the other hand, anyone using referrer based protection knows what a PITA it can be. Especially with surfers whose ISP blocks referral headers. ;) So the price may be reasonable if you have enough bitchy members, and referral spoofers.
__________________
ICQ: 316365783
TEST: http://www.hostultra.com/~p00p
Old 04-08-2003, 11:45 AM   #10
JDog
Confirmed User
 
Join Date: Feb 2003
Location: Canby, OR
Posts: 7,453
Quote:
Originally posted by buran
JDog, have you had any problems with getting your client to implement it? How much work is involved for you on ever new client?

Presumably you have a private key involved, or what stops someone from taking your description above and h4x0ring it now?

IGallery now offers this setup on their feeds as well.

b.
buran,

It is my own secret key with the elements involved, I do have other things that multiply into the hash, which I'm not going to post the exact hash here. But with every new client all I have to do is edit the one line of the script that I made for clients before I give it to them. The perl script that I made is approx. 12 lines. If the client wants a php script, it is approx. 3 lines. I think I implemented this in about 1 day's work. And the whole program works. If you want to catch me online, my ICQ is 177385133. I will let you know more, but for security reasons, I won't go into details about my script.

JDog
Old 04-08-2003, 11:48 AM   #11
Nick
Registered User
 
Join Date: Jan 2001
Location: Bootypest
Posts: 259
Icqin' u shortly Jdog