Ah, but IP spoofing to a web server using HTTP is not all that easy. The IP
spoofing as described in that wiki article is generally a one-way type of
denial of service attack. The detail that article leaves out is that the
spoofed IP address is used on the initial packet that is initiating a
connection; the reply sent from the server is therefore routed back to a
non-existent, or incorrect, source, which leaves a partially open connection
hanging. Many repeats with different source addresses lead to the server
running out of ports and denying service to more connections. In this type
of spoofing the connection is never completed so no data can be exchanged,
and no spot can be made.

Spoofing an IP address such that a real connection can be made and data
exchanged is MUCH harder. It requires access to the same network as the
real IP address, or higher level backbone access so you can establish a
false routing path for that address. Either of these would essentially
break the connection for the real user of that IP address since reply data
from a web server or any other connection they established would be
redirected to the fake user. Did you experience hours of no internet
connection from there??

More detailed analysis would require access to the oh2aq web server to see
exactly how their IP address data is extracted for that web page. In this
case it is either someone at ir4t doing the spotting, or someone who REALLY
doesn't like them, knows their IP address, knows that I do reports like this
and how to finger ir4t, knows how to hack the network to fake the IP, and
has way too much time on their hands.

David Robbins K1TTT
e-mail: mailto:k1ttt@arrl.net
web: http://www.k1ttt.net
AR-Cluster node: 145.69MHz or telnet://dxc.k1ttt.net
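
A toy model of the handshake behaviour described in the message above, added here as an illustration and not part of the original e-mail. It runs entirely in memory; the `ToyListener` class, the backlog size and the documentation-range addresses are assumptions made for the example, and the "running out of ports" effect is modelled as a fixed queue of half-open entries.

```python
import secrets

class ToyListener:
    """Toy model of a TCP listener's handshake state (not a real stack)."""
    def __init__(self, backlog=4):
        self.backlog = backlog
        self.half_open = {}        # (ip, port) -> server ISN awaiting the ACK
        self.established = set()

    def on_syn(self, src, deliver):
        """Handle a SYN that claims to come from src."""
        if len(self.half_open) >= self.backlog:
            return "dropped"                 # queue full: new clients refused
        isn = secrets.randbits(32)           # unpredictable sequence number
        self.half_open[src] = isn
        deliver(src, isn)                    # SYN-ACK goes to the claimed address
        return "syn-ack sent"

    def on_ack(self, src, ack):
        """Complete the handshake only if the ACK echoes our ISN + 1."""
        isn = self.half_open.get(src)
        if isn is None or ack != (isn + 1) % 2**32:
            return "rejected"
        del self.half_open[src]
        self.established.add(src)
        return "established"

def simulate():
    """Constructed scenario; every address is a documentation placeholder."""
    mailboxes = {}                           # ip -> ISNs that arrived there
    def deliver(src, isn):
        mailboxes.setdefault(src[0], []).append(isn)
    srv, out = ToyListener(backlog=4), {}
    # Honest client: the SYN-ACK reaches its own address, so it can answer.
    honest = ("192.0.2.20", 40000)
    srv.on_syn(honest, deliver)
    out["honest"] = srv.on_ack(honest, (mailboxes[honest[0]][-1] + 1) % 2**32)
    # Sender located at 198.51.100.7 that claims 203.0.113.10 as its source.
    claimed = ("203.0.113.10", 40001)
    srv.on_syn(claimed, deliver)
    out["sender_saw_isn"] = "198.51.100.7" in mailboxes
    out["claimed_state"] = "half-open" if claimed in srv.half_open else "other"
    # More SYNs with other claimed sources fill the half-open queue.
    for i in range(3):
        srv.on_syn(("203.0.113.%d" % (11 + i), 40002), deliver)
    out["next_client"] = srv.on_syn(("192.0.2.21", 40003), deliver)
    return out

if __name__ == "__main__": print(simulate())
```

The sender that used a false source never receives the server's sequence number, so its entry stays half-open and no request data can follow; once the queue is full the next legitimate client is refused.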
> -----Original Message-----
> From: cq-contest-bounces@contesting.com
> [mailto:cq-contest-bounces@contesting.com] On Behalf Of i4ufh
> Sent: Friday, March 07, 2008 09:52
> To: cq-contest@contesting.com
> Subject: Re: [CQ-Contest] arrl dx ssb spotting report
>
> Based on David's report, all these spots have as IP source address the
> static IP address of our ADSL connection at IR4T.
>
> First of all, thanks to David for these reports; they can help everyone to
> understand how the operators are aware of the network issues, and how
> these networks are easy to hack.
>
> We are pretty sure that these spots were not generated from the IP address
> that we hold; we had only 2 PCs connected on the network, and well Linux
> firewalled. This is surely a good success of a hacking technique called IP
> address spoofing. For more details, probably David could be more detailed
> than me; please take a look at
> http://en.wikipedia.org/wiki/IP_address_spoofing for basic information.
>
> Analyzing these spots, 9 calls are not valid (WA2BKL, W3GML, KA2CBW, W4FZA,
> K4ZFP, N1DXV, KD4FKO, K0HHJ, WA3FG).
> Other calls are still in the FCC database.
>
> The 1x2 West Coast calls (W6HJ, W7HL, W7NJ, W6RA, W6IL) are fool calls, too
> easy to type on the keyboard in a random way, and 2 of them (W6RA, W6IL)
> claim to be in CA but they are resident (www.qrz.com) in Oregon and
> Georgia, and really, believe me, they were so incredible with such band
> conditions ...
>
> The comment "poor" in the W6HJ, K2RA spot is clearly not of USA slang
> origin.
>
> Related to AA1N, K0TV, K0HA: I had personally worked them and viewed the
> spot a few seconds after the QSO, with TNX comment. I don't really know if
> these spots were sent from the respective stations or not, but really,
> believe me, I will surely not send a spot to confirm my own QSO!! If they
> are reading this post, I hope they remember it!!! A direct email will be
> sent to ask them if they remember sending such a spot...
>
> This brief comment is only to take care with these analyses, because IP
> spoofing, IP routing, or IP masking can be easily used by smart bad guys,
> who in my opinion could better spend their time enjoying radio and
> contesting instead of losing time and smiling over a possible flame
> around these issues.
>
> Personally, next time I will filter all spots with @ that denote a WEB spot,
> and as suggested I vote for a banning of the WEB spot feature to avoid these
> false accusations, and this bad practice of anonymous spots.
>
>
> Best 73 de I4UFH
>
>
> > On Tue, Mar 04, 2008 at 09:24:20PM -0800, Rich Hallman - N7TR wrote:
> >> This is interesting....
> >>
> >> N7TR 21285 CX9DX 190.132.129.239
> >>
> >> I actually made this spot from my cluster (dxc.n7tr.com) ...But is
> >> showing up here as originating from another IP. Relay?
> >
> > I can't tell about this particular spot, but such things commonly
> > happen. The whole cluster network is not to be trusted.
> >
> > As an example, I noticed that DX spots made via the IRC interface of
> > OH2AQ show up with a _random_ IP address of a _previous_ spotter on
> > the "Originating Spots" website. This could easily lead to false
> > accusations, and (although most selfspotters don't seem to care to
> > hide their identity anyway) is a great way to send spots anonymously.
> >
> > It's quite a mystery to me why OH2AQ doesn't employ some simple
> > means to do something against the constant abuse of the DX cluster
> > network through their web/irc interfaces.
> >
> > 73,
> > --
> > Fabian Kurz, DJ1YFK * Dresden, Germany * http://fkurz.net/
> > _______________________________________________
> > CQ-Contest mailing list
> > CQ-Contest@contesting.com
> > http://lists.contesting.com/mailman/listinfo/cq-contest
>