[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040922203047.GA16153@nenya.lan>
Date: Wed, 22 Sep 2004 22:30:47 +0200
From: fenfire@...esend.de
To: Tim Newsham <newsham@...a.net>, bugtraq@...urityfocus.com
Subject: Re: ICMP spoofed source tunneling
On Wed, Sep 22, 2004 at 10:06:40AM -1000, Tim Newsham wrote:
> How does this give anonymity? When sending to the server, I must use the
> servers address as a source address. When the server replies to me, it
> must use my address as a source address.
Yes - you cannot use this in both directions:
- In the server->client direction, the server can spoof IP source
addresses.
- In the client->server direction, you need to use multi-level "anonymous
proxying", as used by several current P2P implementations (Gnutella for
queries, Freenet, GNUnet etc).
The advantage of this is that the available bandwidth can be fully utilized
in the server->client direction, but at the same time the server IP address
can remain unknown to the client. With current P2P systems, server->client
proxying significantly reduces the download bandwidth.
In practice, implementing this will be fairly complicated because you end
up re-implementing TCP over a highly asymmetric connection.
Powered by blists - more mailing lists