[MUD-Dev] Grief players with ip/dns spoofers

J C Lawrence claw at 2wire.com
Fri Jul 13 15:32:54 CEST 2001


On Thu, 12 Jul 2001 22:08:33 -0700 
Sean Kelly <sean at ffwd.cx> wrote:
> From: "Tand'a-ur" <tandaur at ix.netcom.com>

>> Hi, long time lurker here...

<bow>

>> and I've just about had it with a few troublemakers that like to
>> frequent my MUD.  Banning doesn't work because they have IP
>> spoofers and will just come back with another made-up IP. I was
>> wondering if there is a way to detect a phony IP and just flat
>> out deny connections to them.

> Unless I'm misinformed, there is no way to maintain an interactive
> session with a spoofed IP.  

As you allude later (I'm just adding specifics), the standard way is
to bounce the connection through an unsecured SOCKS proxy (e.g. one of
the many thousands of broken WinGate boxes out there) and from there
to the target system.  If the cracker is especially paranoid he may
bounce through a series of such SOCKS redirectors, thus retaining the
ability to build full TCP sessions.

> What happens is that the response packets go to whatever that IP
> is and not back to the originator.

Not if one of the routers between your server and them has been
compromised to rewrite the packets to their real IP.

--
J C Lawrence                               ("`-''-/").___..--''"`-._         
---------(*)                                 `6_ 6  )   `-.  (     ).`-.__.`)
claw at kanga.nu                               (_Y_.)'  ._   )  `._ `. ``-..-'  
http://www.kanga.nu/~claw/                _..`--'_..-_/  /--'_.' ,'         
I never claimed I was human             (il),-''  (li),'  ((!.-'           
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev
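
An added example, not part of the original thread: one way a MUD server could check whether the address a new connection arrives from is itself an unauthenticated SOCKS proxy of the kind described above. It is narrowed to SOCKS5 method negotiation (RFC 1928); port 1080 and the function names are assumptions made for the illustration.

```python
import socket

# RFC 1928 greeting: version 5, one method offered, 0x00 = "no authentication".
GREETING = b"\x05\x01\x00"


def classify_reply(reply: bytes) -> str:
    """Interpret the 2-byte SOCKS5 method-selection reply."""
    if len(reply) < 2 or reply[0] != 0x05:
        return "not-socks5"      # something else is listening (or nothing answered)
    if reply[1] == 0x00:
        return "open"            # relays for anyone, no credentials required
    return "auth-required"       # 0xFF or another method: not anonymously usable


def negotiate(sock: socket.socket) -> str:
    """Run the method negotiation on an already connected socket."""
    sock.sendall(GREETING)
    reply = b""
    while len(reply) < 2:
        chunk = sock.recv(2 - len(reply))
        if not chunk:            # peer closed before sending a full reply
            break
        reply += chunk
    return classify_reply(reply)


def probe(host: str, port: int = 1080, timeout: float = 3.0) -> str:
    """Connect back to the peer address of a new session and negotiate."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return negotiate(s)
    except OSError:              # refused, filtered, unreachable or timed out
        return "no-answer"


def should_refuse(peer_ip: str) -> bool:
    """Hypothetical login hook: refuse sessions arriving from an open proxy."""
    return probe(peer_ip) == "open"
```

The check only sees the last hop: when several redirectors are chained, the address it tests is the final proxy, which is also the only address a ban can act on.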


