I wrote:
> > I need to understand IP spoofing. I understand that it is the general
> > consensus that it can be done, but how. Don't you have to reveal your
> > real IP address to get a message out?
Philip Hazel wrote:
> Exim by default blocks incoming calls with "source routed" IP return
> addresses. Check out the kill_ip_options and refuse_ip_options settings,
> and have a look at the code in smtp_in.c to see how this is implemented.
> It's all very hairy. I don't understand it very well and this code got
> copied from elsewhere. It is also hard to test!
Gosh, if it works, it solves everything for me, I think, if I
understand the rest. I don't need to see the code.
Deliberate.com is a single machine, a single homemade PC running
linux, no internal net (or at least not visible to the internet), no
router, just a tiny leaf node on the net. We have no firewall. It's
important to keep small and cheap because we implement democracy.
Also, it provides a measure of security this way, as you folks note.
But this from Peter Lister worries me:
> If I understand you correctly, you wish to check IP
> addresses (i.e. the 32 bit number not the domain name) - I take it you
> know that there is frequently very little relation between the two.
We were completely successful at cleaning up our data by deleting
ballots where the domain name didn't match the IP address and
extrapolating that those domains were always bogus -- but we didn't
have many real voters so this was possible this time. Can you explain
how it legitimately happens that IP addresses and domain names aren't
related?
> cryptographic signatures. I'm also wondering how many genuine emails you
> may have filtered out which happened to come through honest relays.
I doubt if we lost any, except when our attacker(s) brought down our
machine via direct attack on our sendmail -- which we learned to
overcome, even with just sendmail.
I did a big obsessive analysis on the attack:
http://www.deliberate.com/consulta/results
We were lucky in that not many people voted so we didn't have any
legitimate votes from the sites that were used for bogus ballots. It
was pretty easy to tell for various reasons, detailed in the report.
Our attacker wasn't very clever, or he didn't think I would be. :^)
Next time things could be harder so we need to be better prepared.
> Good for Exim, I'm impressed. Unfortunately, this doesn't change the
> argument that you aren't in control of all the boxes between you ane the
> sender. :-) It's still a hard problem (and, as Philip says, very hard to
> test).
OK. I don't quite get this. If we don't allow source routing, then
our packets back to the caller will be routed to the right IP address
and the situation is saved, no matter what other sites are doing? I
must be missing something here.
Although I don't have any comments to make about Malcolm Ray's
message, I'm very grateful because his excellent explanation made the
rest make sense, somewhat.
Thanks for the references. I just found CERT. I wish I'd known about
them while it was going on.
> RFC1948 Defending against sequence number attacks
> CERT Advisories CA-95.01 and CA-96.21
>
> ObExim: should exim really worry about this? IMO it ought to leave blocking
> source routed stuff to the OS and/or network infrastructure.
I'd say yes. Exim should worry about it. I don't understand how or
why the OS would even know it was going on. Network infrastructure
should also worry but if we are to control our own machines then the
software that connects us to the universe has to control these things.
Software under our control should control these things. It's
object-oriented that way, more natural, and less subject to
government/corporate abuse.
Thanks for the help so far.
*
Marilyn *
*
*
Marilyn Davis, Ph.D.-------------- * ---- eVote - online polling
| * software for email lists
| * *
marilyn@??? * *
(650) 965-7121 ------------- * * -------- http://www.deliberate.com
*
--
*** Exim information can be found at
http://www.exim.org/ ***
