Comments on: Dr. Clayton’s thesis http://projectglop.com/2006/11/23/dr-claytons-thesis/ Unwanted Information Mon, 23 Feb 2009 16:41:47 +0000 hourly 1 http://wordpress.org/?v=3.0.4 By: gavin http://projectglop.com/2006/11/23/dr-claytons-thesis/comment-page-1/#comment-29 gavin Thu, 23 Nov 2006 18:29:36 +0000 http://projectglop.com/?p=28#comment-29 Thanks for that Colm ! Any mistakes are mine and in fact Dr. Clayton makes all the points that you make in his thesis. Thanks for that Colm ! Any mistakes are mine and in fact Dr. Clayton makes all the points that you make in his thesis.

]]> By: Colm MacCarthaigh http://projectglop.com/2006/11/23/dr-claytons-thesis/comment-page-1/#comment-28 Colm MacCarthaigh Thu, 23 Nov 2006 16:49:02 +0000 http://projectglop.com/?p=28#comment-28 TCP ACK's and sequences numbers are not a mitigation against IP spoofing, they are designed to mitigate TCP stream spoofing. That some IP-spoofing is provided is incidental (other stream oriented protocols, like SCTP, do not have a direct IP port tuple either). True protection against IP spoofing is really things like unicast Reverse Path Forwarding, which is bit by bit being deployed on the global internet. No credible software should ever rely on single reverse lookups, so called double-lookups (where another forward lookup is performed on whatever the reverse resolved to) are a simple and generally effective (modulo compound DNS cache poisoning) mechanism of mitigating these mis-directed lookups. Apache httpd, and the log analysis tools which come with it (logresolve), can perform double-lookups when DNS lookups are enabled (and they are disabled completely by default). Just use; HostnameLookups Double TCP ACK’s and sequences numbers are not a mitigation against IP spoofing, they are designed to mitigate TCP stream spoofing. That some IP-spoofing is provided is incidental (other stream oriented protocols, like SCTP, do not have a direct IP port tuple either).

True protection against IP spoofing is really things like unicast Reverse Path Forwarding, which is bit by bit being deployed on the global internet.

No credible software should ever rely on single reverse lookups, so called double-lookups (where another forward lookup is performed on whatever the reverse resolved to) are a simple and generally effective (modulo compound DNS cache poisoning) mechanism of mitigating these mis-directed lookups. Apache httpd, and the log analysis tools which come with it (logresolve), can perform double-lookups when DNS lookups are enabled (and they are disabled completely by default). Just use;

HostnameLookups Double

]]>