On Wed, Jun 17, 2009 at 4:31 PM, Tyler Close <[email protected]> wrote:
> 2009/6/17 Adam Barth <[email protected]>:
>> I'd classify this as moderately difficult. It's not something I can do for
>> $5, but given a few hundred dollars, I can probably do it. Recall that
>> sending an HTTP request requires a full TCP handshake, so it's not as easy as
>> SYN flooding.
>>
>> Adam
>
> And also:
>
> http://en.wikipedia.org/wiki/IP_address_spoofing

Wikipedia seems to disagree with your point that IP-based authentication is inherently broken. From that page:

"IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time."

I'm not sure "extremely difficult" is the characterization I'd use, but the reality is that some number of services use IP-based authentication. In some cases, it's a bad idea. In other cases, like the ACM digital library, it works quite well.

Adam
