André,

On 4/30/15 2:39 PM, André Warnier wrote:
> Christopher Schultz wrote:
>> Paul,
>>
>> On 4/30/15 3:24 AM, Paul Klinkenberg wrote:
>>> I never knew the remote_addr could not be trusted, but I
>>> believe you at once when you say so.
>>>
>>> I thought it was taken from the actual socket connection. With
>>> the exception of ajp by the way, where it is programmatically
>>> changed to reflect the remote client while handling the http
>>> call. Out of curiosity, could you shed some light as to why the
>>> remote_addr is not to be trusted in a regular http request?
>>
>> The client can spoof the source IP in the packet headers.
>>
>
> This is not on-topic, but since the point has been raised, and
> since there are many smart people on this list..
>
> I am probably not very clever in a hacking kind of way, but I have
> never been able to figure out how a client could make use of this
> to actually achieve something with TCP. Setting up a TCP connection
> requires a couple of packet exchanges *back and forth*. So, the
> client can indeed send a first SYN packet to a server, with a
> spoofed origin IP address. But then the server would return the
> ACK packet to that spoofed IP address, which is presumably not the
> real client's one, wouldn't it? What good would that be to the
> malevolent client? Unless the point is only to flood a server's
> TCP stack with connection requests which never can get completed..
> If anyone has a clue as to how this can be really exploited, I'm
> eager to learn.

http://en.wikipedia.org/wiki/IP_address_spoofing

The "Background" section mentions your point.

Doing this with SSL is not really possible, unless the attacker
controls a part of the network through which all packets flow, and
can intercept packets regardless of their destination.

If the attacker is on your network, of course, it's already over.
-chris
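The handshake argument in the quoted exchange, worked through as an added example (this is not code from the thread or from Tomcat): a toy Python model of the TCP three-way handshake. The `Segment`, `Server` and `Network` classes and the RFC 5737 documentation addresses are constructed for the illustration and simplify real TCP (no ports, no retransmission, no timeouts). The model shows two things the thread discusses: an honest client completes the handshake and the server records its real address, while a client that forges its source address never sees the SYN-ACK, cannot acknowledge the server's randomly chosen initial sequence number, and only leaves a half-open entry behind.

```python
"""Toy model of the TCP three-way handshake (constructed example).

It shows why a server's remote_addr, taken from a completed TCP
connection, cannot be forged by a client that merely writes a false
source address into its packets: the SYN-ACK is routed to the forged
address, so the forger never learns the server's initial sequence
number (ISN) that the final ACK must acknowledge.
"""
import secrets
from dataclasses import dataclass

MOD32 = 2 ** 32

# Constructed addresses from the RFC 5737 documentation ranges.
SERVER_IP = "203.0.113.10"
CLIENT_IP = "198.51.100.5"      # honest client, and the address the forger claims
ATTACKER_IP = "192.0.2.77"      # where the forger's own packets would actually arrive


@dataclass
class Segment:
    src_ip: str       # source address as written in the IP header (forgeable)
    dst_ip: str
    flags: str        # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Server:
    """Listening host; a peer is accepted only after a valid third-step ACK."""

    def __init__(self, ip):
        self.ip = ip
        self.half_open = {}     # src_ip -> server ISN sent in the SYN-ACK
        self.established = []   # what a web server would report as remote_addr

    def receive(self, seg):
        if seg.flags == "SYN":
            isn = secrets.randbelow(MOD32)     # unpredictable 32-bit server ISN
            self.half_open[seg.src_ip] = isn
            return Segment(self.ip, seg.src_ip, "SYN-ACK", isn, (seg.seq + 1) % MOD32)
        if seg.flags == "ACK":
            isn = self.half_open.get(seg.src_ip)
            # Only a peer that saw the SYN-ACK knows which ack number to send.
            if isn is not None and seg.ack == (isn + 1) % MOD32:
                del self.half_open[seg.src_ip]
                self.established.append(seg.src_ip)
                return "ESTABLISHED"
        return None      # anything else is dropped; the half-open entry lingers


class Network:
    """Delivers each segment to the host that owns its dst_ip, and nowhere else."""

    def __init__(self, hosts):
        self.hosts = hosts       # ip -> Server, or a list acting as a host's inbox

    def send(self, seg):
        owner = self.hosts.get(seg.dst_ip)
        if isinstance(owner, Server):
            reply = owner.receive(seg)
            if isinstance(reply, Segment):
                self.send(reply)  # route the SYN-ACK to whoever owns its dst_ip
            return reply
        if owner is not None:
            owner.append(seg)     # plain host: the segment lands in its inbox
        return None


def honest_handshake():
    """Client's real address matches the one in its packets: handshake completes."""
    server, inbox = Server(SERVER_IP), []
    net = Network({SERVER_IP: server, CLIENT_IP: inbox})
    isn_c = secrets.randbelow(MOD32)
    net.send(Segment(CLIENT_IP, SERVER_IP, "SYN", isn_c))
    syn_ack = inbox[-1]                        # the client really receives it
    result = net.send(Segment(CLIENT_IP, SERVER_IP, "ACK",
                              (isn_c + 1) % MOD32, (syn_ack.seq + 1) % MOD32))
    return {"established": result == "ESTABLISHED",
            "remote_addrs_accepted": list(server.established)}


def blind_spoofed_handshake():
    """Forger writes CLIENT_IP as source while really sitting at ATTACKER_IP."""
    server, victim_inbox, attacker_inbox = Server(SERVER_IP), [], []
    net = Network({SERVER_IP: server, CLIENT_IP: victim_inbox,
                   ATTACKER_IP: attacker_inbox})
    isn_a = secrets.randbelow(MOD32)
    net.send(Segment(CLIENT_IP, SERVER_IP, "SYN", isn_a))      # forged source
    # The SYN-ACK was routed to CLIENT_IP; the forger can only guess the ack number.
    guess = secrets.randbelow(MOD32)
    result = net.send(Segment(CLIENT_IP, SERVER_IP, "ACK",
                              (isn_a + 1) % MOD32, guess))
    return {"established": result == "ESTABLISHED",
            "attacker_saw_syn_ack": bool(attacker_inbox),
            "syn_ack_went_to_forged_address": bool(victim_inbox),
            "half_open_entries_left": len(server.half_open),
            "remote_addrs_accepted": list(server.established)}


if __name__ == "__main__":
    print("honest:", honest_handshake())
    print("blind spoof:", blind_spoofed_handshake())
```

Two defender-side readings follow from the model. First, an address taken from the socket of a completed connection is reliable against an off-path forger; what the forged SYN does leave behind is the half-open entry, which is the resource-exhaustion case André describes (SYN cookies are the usual kernel-level mitigation). Second, the property only covers the TCP peer itself: where a front end such as the AJP connector mentioned by Paul rewrites remote_addr from data it received, the value is only as trustworthy as that front end, and an attacker who can observe the SYN-ACK on the path (Chris's caveat) is outside what this model covers.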