httpd-users mailing list archives

From s...@conman.org (Sean Conner)
Subject Re: [users@httpd] Different security based on network interface
Date Tue, 13 Sep 2005 22:11:27 GMT

> AragonX wrote:
> 
> > I'm afraid someone will spoof the IP addresses of the internal network
> > to bypass this security measure.

  I don't see how that's possible.  Given the following:

	M	- malicious hacker at address M
	W	- webserver
	I	- internal network machine

  M will send the following packet:

	M	->	SRC I:1234 DST W:80 SYN (i.e. establish a connection)

  Assuming the packet makes it through, W will then respond:

	W	->	SRC W:80 DST I:1234 SYN ACK

  But this will go to I, NOT back to M.  I will get this packet and will
drop it since no connection is actually being made.  Even if M can guess the
TCP sequence numbers to "fake" a connection, it's still a one-way connection
where M can send packets to W, but W cannot send packets back to M (since W
thinks they're coming from I and sends its responses back to I).

  -spc 
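A toy model of the exchange described in the message above, added here as an illustration and not code from the original post. Hosts M, W and I, the port numbers and W's initial sequence number are constructed sample values; I simply drops the unsolicited SYN-ACK, as the post describes (a real stack would usually answer with a RST, which only tears the half-open connection down sooner). The model shows why a source-address check on a TCP service is not defeated by a blind spoof: M never sees a single packet from W, even in the case where it guesses the sequence number.

```python
import random

class Net:
    """Delivers each packet to the host that owns the DST address (no route back to M)."""
    def __init__(self):
        self.hosts = {}
    def send(self, pkt):
        self.hosts[pkt["dst"]].recv(self, pkt)

class Webserver:
    """W: tracks half-open and established connections keyed by (src address, src port)."""
    def __init__(self, net, addr):
        self.addr, self.conns, self.served = addr, {}, []
        net.hosts[addr] = self
    def reply(self, net, p, **fields):
        net.send(dict(src=self.addr, sport=80, dst=p["src"], dport=p["sport"], **fields))
    def recv(self, net, p):
        key = (p["src"], p["sport"])
        if p["flags"] == "SYN":
            isn = random.randrange(1, 1 << 32)          # W's initial sequence number (constructed)
            self.conns[key] = ("SYN_RCVD", isn)
            self.reply(net, p, flags="SYN-ACK", seq=isn)  # goes to the SRC address, i.e. to I
        elif p["flags"] == "ACK" and key in self.conns and p["ack"] == self.conns[key][1] + 1:
            self.conns[key] = ("ESTABLISHED", self.conns[key][1])
        elif p["flags"] == "DATA" and self.conns.get(key, ("",))[0] == "ESTABLISHED":
            self.served.append(p["data"])               # request accepted only after the handshake
            self.reply(net, p, flags="DATA", data="200 OK")

class Host:
    """A plain host (M or I): records whatever arrives; I has no socket, so it just drops."""
    def __init__(self, net, addr):
        self.addr, self.inbox = addr, []
        net.hosts[addr] = self
    def recv(self, net, p):
        self.inbox.append(p)

def spoof_attempt(guess_isn):
    """M sends packets to W with I's address as SRC.
    Returns (requests W served, packets M received, packets I received)."""
    net = Net()
    w, m, i = Webserver(net, "W"), Host(net, "M"), Host(net, "I")
    spoofed = dict(src="I", sport=1234, dst="W", dport=80)
    net.send(dict(spoofed, flags="SYN"))
    # W's SYN-ACK went to I, never to M; M would have to guess W's sequence number blind.
    isn = w.conns[("I", 1234)][1] if guess_isn else 0
    net.send(dict(spoofed, flags="ACK", ack=isn + 1))
    net.send(dict(spoofed, flags="DATA", data="GET /internal/ HTTP/1.0"))
    return w.served, m.inbox, i.inbox
```

With a wrong guess nothing is served; with a correct guess W serves the request, but its SYN-ACK and its response both land in I's inbox and M's inbox stays empty, which is the "one-way connection" the post describes.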

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

