Date:      Thu, 27 Feb 1997 10:53:44 +0100 (MET)
From:      luc.lewy@vz.cit.alcatel.fr (Luc.LEWY)
To:        adrian@obiwan.aceonline.com.au (Adrian Chadd)
Cc:        chad@txdirect.net, freebsd-questions@freebsd.org
Subject:   Re: Spoofed IPs
Message-ID:  <199702270953.KAA06186@bcv64s3e.vz.cit.alcatel.fr>
In-Reply-To: <Pine.BSF.3.95q.960111012112.7014B-100000@obiwan.aceonline.com.au> from "Adrian Chadd" at Jan 11, 96 01:22:40 am

Adrian Chadd wrote:
> 
> 
> Do you mean normal IP spoofing or ircd IP spoofing (where the user fakes
> their username, etc.)? Also, what ircd are you running?

	"IRC hackers" use some real ip spoof programs..
	IP spoofing on an ircd is really easy ;( ..
	ircd tries to access the remote host's 'identd' to get the login; if
	this remote host doesn't answer (for any reason), ircd trusts the
	login and hostname in the 'USER' string (not $USER, the USER
	command - RFC1459 -) and from getpeername/getsockname.

-- irc2.9.2/ircd/s_auth.c --
[ snip snip ]

        /* get remote host peer - so that we get right interface -- jrg */
        tlen = ulen = sizeof(us);
        (void)getpeername(cptr->fd, (struct sockaddr *)&them, &tlen);
 
        them.sin_port = htons(113);
        them.sin_family = AF_INET;
 
        /* We must bind the local end to the interface that they connected
           to: The local system might have more than one network address,
           and RFC931 check only sends port numbers: server takes IP addresses
           from query socket -- jrg */
        (void)getsockname(cptr->fd, (struct sockaddr *)&us, &ulen);
        us.sin_port = htons(0);  /* bind assigns us a port */
        us.sin_family = AF_INET;

[ snip snip ]
-- end --

	I was the victim of 3 or 4 attacks with such a program during a hack of the
	#france channel.
	An ircd couldn't be protected against this..
	The only way to protect against this should be an active identd on
	the remote host, and to deny access to users who don't have one.

	I think Mishia (the irc.ru IrcOp) could confirm or deny this..

> 
> Thanks.
> 
> Adrian.
> 

	fifi...
--
Guezou "fifi..." Philippe		email:	guezou_p@epita.fr
						pguezou@iway.fr
						luc.lewy@vz.cit.alcatel.fr
	*** M$-Windows is not a Virus - Viruses do something ***
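
Added example (not part of the original message and not code from irc2.9.2): a sketch of the policy described above, in which a client is admitted only when the identd query on port 113 returns a valid RFC 1413 USERID reply, with no fallback to the login claimed in the USER command. The names parse_ident_reply and admit_client are hypothetical, and the sample reply in main() is constructed.

```c
#include <stdio.h>
#include <string.h>

enum ident_result { IDENT_OK, IDENT_NONE, IDENT_ERROR, IDENT_MISMATCH, IDENT_MALFORMED };

/* Parse one RFC 1413 reply to the query "<remote_port> , <local_port>".
 * reply == NULL models identd not answering (timeout, refused connection).
 * On IDENT_OK the login reported by identd is copied into user. */
enum ident_result parse_ident_reply(const char *reply, unsigned remote_port,
                                    unsigned local_port, char *user, size_t ulen)
{
    unsigned rp, lp;
    char type[16], rest[128], *p;
    if (reply == NULL)
        return IDENT_NONE;
    if (sscanf(reply, " %u , %u : %15[A-Za-z] : %127[^\r\n]", &rp, &lp, type, rest) != 4)
        return IDENT_MALFORMED;
    if (rp != remote_port || lp != local_port)  /* must echo the queried port pair */
        return IDENT_MISMATCH;
    if (strcmp(type, "ERROR") == 0)
        return IDENT_ERROR;                     /* e.g. NO-USER, HIDDEN-USER */
    if (strcmp(type, "USERID") != 0)
        return IDENT_MALFORMED;
    /* rest is "<opsys> : <user-id>"; the login follows the first colon. */
    p = strchr(rest, ':');
    if (p == NULL)
        return IDENT_MALFORMED;
    for (p++; *p == ' ' || *p == '\t'; p++) ;   /* skip blanks before the login */
    if (*p == '\0' || strlen(p) >= ulen)
        return IDENT_MALFORMED;
    strcpy(user, p);                            /* length checked just above */
    return IDENT_OK;
}

/* Policy from the message: admit only clients whose identd answered with a
 * USERID; the login claimed in the USER command is never used as a fallback. */
int admit_client(const char *reply, unsigned remote_port, unsigned local_port,
                 char *login, size_t len)
{
    return parse_ident_reply(reply, remote_port, local_port, login, len) == IDENT_OK;
}

int main(void)
{
    char login[32];
    int ok = admit_client("6193, 23 : USERID : UNIX : stjohns\r\n", /* constructed */
                          6193, 23, login, sizeof login);
    printf("%s %s\n", ok ? "admit" : "deny", ok ? login : "-");
    return 0;
}
```

A reply that passes this check is still a statement made by the remote host, so it is only as trustworthy as the administrator of that host.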



