lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040922203047.GA16153@nenya.lan>
Date: Wed, 22 Sep 2004 22:30:47 +0200
From: fenfire@...esend.de
To: Tim Newsham <newsham@...a.net>, bugtraq@...urityfocus.com
Subject: Re: ICMP spoofed source tunneling


On Wed, Sep 22, 2004 at 10:06:40AM -1000, Tim Newsham wrote:
> How does this give anonymity?  When sending to the server, I must use the
> servers address as a source address.  When the server replies to me, it
> must use my address as a source address.

Yes - you cannot use this in both directions:

 - In the server->client direction, the server can spoof IP source 
   addresses.

 - In the client->server direction, you need to use multi-level "anonymous 
   proxying", as used by several current P2P implementations (Gnutella for
   queries, Freenet, GNUnet etc).

The advantage of this is that the available bandwidth can be fully utilized
in the server->client direction, but at the same time the server IP address
can remain unknown to the client. With current P2P systems, server->client
proxying significantly reduces the download bandwidth.

In practice, implementing this will be fairly complicated because you end
up re-implementing TCP over a highly asymmetric connection.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ