Security Basics mailing list archives

RE: Trusting localhost?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 28 Jul 2003 10:04:02 -0700

  On the contrary, something over 90% (and it could easily be
over 99%...) of routers never even look at SOURCE addresses.
(Luckily, it only takes ONE that does, on the path between the
attacker and you, to block this.)
  Making a TCP connection with a spoofed source address is
hard anyway, and with the loopback address spoofed it's
impossible.  But TCP is not the only choice; UDP doesn't
need or expect a return connection, and sometimes a single
packet is all you need.  (The Slammer worm used a single
UDP packet.  It didn't bother to spoof the source, but if
it had it would still have been effective.)

David Gillett


-----Original Message-----
From: chris [mailto:chris09 () comcast net]
Sent: July 27, 2003 11:39
To: security-basics () securityfocus com
Subject: Re: Trusting localhost?


In-Reply-To: <20030725144443.BC66B44B6 () sitemail everyone net>

Well IP spoofing is still very very effective. But the
chances of someone from the internet spoofing a 127.0.0.1
source address in a packet and that packet actually making
it to you is HIGHLY unlikely. Any correctly configured
router should drop this packet because of its source address.
Someone from inside the LAN might be able to exploit it
somehow/someway but the chances are extremely low. There
should be no real reason to go to great lengths to ensure the
validity of the packets as the chances of someone spoofing
with this source address and actually exploiting your
application are like I said really low.

--chris
http://elusive.filetap.com

>Date: Fri, 25 Jul 2003 07:44:43 -0700 (PDT)
>From: Craig Minton <CraigSecurity () blazemail com>
>To: security-basics () securityfocus com
>Subject: Trusting localhost?
>Message-Id: <20030725144443.BC66B44B6 () sitemail everyone net>
>
>If you are creating an application that communicates using TCP, but only
>want to take requests from the localhost, are there reasons why you
>would not want to check that the incoming request is from localhost and
>then trust it?  This is in a Windows environment.  Would IP spoofing
>work if the application was checking for the IP address 127.0.0.1?  If
>so, how likely is it that IP spoofing would work today, in a corporate
>environment?
>
>Thank you for any direction you can provide.
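
The source-address check discussed in both messages above, as an added example (not part of the original thread): a filter that parses an IPv4 header and drops any packet claiming a 127.0.0.0/8 source unless it arrived on the loopback interface, for UDP and TCP alike. The interface names (`eth0`, `lo`), the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
PROTO_NAMES = {6: "TCP", 17: "UDP"}

def build_ipv4_header(src, dst, proto):
    """Constructed test data: minimal 20-byte IPv4 header, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(raw):
    """Return (source, destination, protocol number) from raw header bytes."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (raw[0] & 0x0F) * 4
    if header_len < 20 or len(raw) < header_len:
        raise ValueError("bad header length")
    return (ipaddress.IPv4Address(raw[12:16]),
            ipaddress.IPv4Address(raw[16:20]), raw[9])

def ingress_verdict(raw, ingress_iface, loopback_iface="lo"):
    """Drop anything that claims a 127.0.0.0/8 source but arrived off-host."""
    src, _dst, proto = parse_ipv4_header(raw)
    name = PROTO_NAMES.get(proto, f"proto {proto}")
    if ingress_iface != loopback_iface and src in LOOPBACK_NET:
        return "drop", f"{name} with loopback source {src} on {ingress_iface}"
    return "pass", f"{name} from {src} on {ingress_iface}"

# Constructed samples: (ingress interface, source, destination, protocol).
SAMPLES = [
    ("eth0", "127.0.0.1", "192.0.2.10", 17),     # loopback source from the wire, UDP
    ("eth0", "127.0.0.1", "192.0.2.10", 6),      # loopback source from the wire, TCP
    ("eth0", "198.51.100.7", "192.0.2.10", 17),  # ordinary remote sender
    ("lo", "127.0.0.1", "127.0.0.1", 17),        # genuine local traffic
]

def audit(samples=SAMPLES):
    """Return the verdict ("drop" or "pass") for each constructed sample."""
    return [ingress_verdict(build_ipv4_header(s, d, p), iface)[0]
            for iface, s, d, p in samples]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, audit()):
        print(verdict, sample)
```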