From owner-freebsd-questions Thu Feb 27 01:56:21 1997
From: luc.lewy@vz.cit.alcatel.fr (Luc.LEWY)
Message-Id: <199702270953.KAA06186@bcv64s3e.vz.cit.alcatel.fr>
Subject: Re: Spoofed IPs
To: adrian@obiwan.aceonline.com.au (Adrian Chadd)
Date: Thu, 27 Feb 1997 10:53:44 +0100 (MET)
Cc: chad@txdirect.net, freebsd-questions@freebsd.org
In-Reply-To: from "Adrian Chadd" at Jan 11, 96 01:22:40 am
Sender: owner-questions@freebsd.org

Adrian Chadd wrote:
>
> Do you mean normal IP spoofing or ircd IP spoofing (where the user fakes
> their username, etc) ? Also, what ircd are you running?

"IRC hackers" use some real ip spoof programs..
IP Spoof on an ircd is really easy ;( ..
ircd tries to access the remote host's 'identd' to get the login; if this
remote host doesn't answer (for any reason), ircd trusts the login and
hostname in the 'USER' string (not $USER, the USER command - RFC1459 -)
and from getpeername/getsockname.

-- irc2.9.2/ircd/s_auth.c --
[ snip snip ]
        /* get remote host peer - so that we get right interface -- jrg */
        tlen = ulen = sizeof(us);
        (void)getpeername(cptr->fd, (struct sockaddr *)&them, &tlen);
        them.sin_port = htons(113);
        them.sin_family = AF_INET;
        /* We must bind the local end to the interface that they connected
           to: The local system might have more than one network address,
           and RFC931 check only sends port numbers: server takes IP addresses
           from query socket -- jrg */
        (void)getsockname(cptr->fd, (struct sockaddr *)&us, &ulen);
        us.sin_port = htons(0); /* bind assigns us a port */
        us.sin_family = AF_INET;
[ snip snip ]
-- end --

I was the victim of 3 or 4 attacks with such a program during a hack of the
#france channel. An ircd couldn't be protected against this..
The only way to protect against this should be an active identd on the
remote host, and deny access to users who haven't one.
I think Mishia (the irc.ru IrcOp) could confirm/infirm this..

>
> Thanks.
>
> Adrian.
>

fifi...

--
Guezou "fifi..." Philippe
email: guezou_p@epita.fr
       pguezou@iway.fr
       luc.lewy@vz.cit.alcatel.fr
*** M$-Windows is not a Virus - Viruses do something ***
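
Added example (not part of the original message and not irc2.9.2 code): the login decision described above, parsing an RFC 1413 ident reply and then either falling back to the name from the client's USER command or refusing the connection. The names ident_parse and pick_login, the ports and the sample reply are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

enum login_src { LOGIN_IDENT, LOGIN_UNVERIFIED, LOGIN_DENIED };

/* Parse RFC 1413 "<their-port> , <our-port> : USERID : <opsys> : <user>". Returns 0 and
 * fills user (leading blanks dropped) only for a USERID reply echoing the queried ports. */
static int ident_parse(const char *reply, unsigned their_port, unsigned our_port,
                       char *user, size_t ulen)
{
    unsigned p1, p2;
    char type[16], opsys[32], id[64];
    if (reply == NULL)
        return -1;                       /* identd silent, refused or timed out */
    if (sscanf(reply, " %u , %u : %15[^: \t] : %31[^:] : %63[^\r\n]",
               &p1, &p2, type, opsys, id) != 5)
        return -1;                       /* malformed, or an ERROR reply (4 fields) */
    if (p1 != their_port || p2 != our_port || strcmp(type, "USERID") != 0)
        return -1;
    snprintf(user, ulen, "%s", id);
    return 0;
}

/* require_ident == 0: the fallback described in the post, where the name from the
 * client's own USER command is accepted when there is no usable ident answer.
 * require_ident == 1: the mitigation suggested in the post: no ident answer, no access. */
static enum login_src pick_login(const char *reply, unsigned their_port,
                                 unsigned our_port, const char *user_cmd,
                                 int require_ident, char *out, size_t outlen)
{
    if (ident_parse(reply, their_port, our_port, out, outlen) == 0)
        return LOGIN_IDENT;
    if (require_ident) {
        out[0] = '\0';
        return LOGIN_DENIED;
    }
    snprintf(out, outlen, "%s", user_cmd);   /* client-supplied, unverified */
    return LOGIN_UNVERIFIED;
}

int main(void)
{
    char name[64];
    const char *ok = "6193 , 6667 : USERID : UNIX : fifi\r\n";   /* constructed sample */
    printf("%d %s\n", pick_login(ok, 6193, 6667, "root", 1, name, sizeof name), name);
    printf("%d %s\n", pick_login(NULL, 6193, 6667, "root", 0, name, sizeof name), name);
    printf("%d %s\n", pick_login(NULL, 6193, 6667, "root", 1, name, sizeof name), name);
    return 0;
}
```

An ident answer is only as trustworthy as the remote host that sends it (RFC 1413), so LOGIN_IDENT means the remote host vouches for the name, not that the name is verified.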