On 6/3/06, Gaby vanhegan <[EMAIL PROTECTED]> wrote:
> On 3 Jun 2006, at 17:03, Clint M. Sand wrote:
>
> > So all I have to do is *TRY* to login as you on another machine and
> > your
> > original legit connection is dropped?
> >
> > Think about this.
>
> Only successful logins would update the IP associated with that
> login.  Failed login attempts would do nothing.  Sorry, my wording
> was a little unclear, what I actually meant was a successful login
> from a second machine would kick the first login off, as the most
> recent IP would be the one associated with that client.  If the first
> client successfully logged in again, that would kick the second login
> off.
>
> The best I can do against somebody trying to use a stale IP is to
> check the MAC address that the successful login came from against
> what it claims to be at the time.  Any mismatch and the IP is kicked
> off.  If people want to go to the effort of spoofing a MAC address
> and finding a stale IP to use, there's little I can do.
>
> Being that this is a service intended for the general public, I'm
> reckoning that 99.9% of users won't even know that a MAC could be
> spoofed, or know how to do it.  I suppose I could take it one step
> further and get a TCP OS fingerprint of the client at login time, and
> use that as a further aid to checking that the person that logged in
> is the person currently using this IP address.  Is there any way to
> protect against this?


I think it's good enough to do what you were already planning. In
order for someone to get on they'd need to find someone who has left a
stale login, find out their IP and find out their MAC. The chance of
them being able to do this (without already having been on the network
to snoop traffic, in which case they've gotten in anyway) is
astronomical: about 16^6 * 2^32. Just make sure to have a system to
detect multiple rapid break-in attempts and deal with it.

Being more restrictive will just end up being a pain. For example,
maybe two friends want to share a connection, so the first gets on and
then after a bit passes it off to the second who changes their IP and
MAC to match, but then bam, they can't get on. Or maybe someone
dual-boots.

-Nick
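The scheme the two messages above describe (one live binding per login that only a *successful* login replaces, a periodic MAC-against-IP check that kicks mismatches, and a limiter for rapid failed attempts) sketched as an added example; this is not code from either poster or from the service being discussed. It assumes a hypothetical in-memory table keyed by username, that the portal learns the client's IP and MAC at login, and that some out-of-band probe (ARP table, switch forwarding table, or similar) supplies the MAC currently seen for each IP; all usernames, IPs and MACs are constructed sample values.

```python
"""Session binding for a login-gated network: added example, not from the thread.

Assumed (hypothetical) environment:
  - one binding per user: (ip, mac) captured at a successful login
  - a periodic check that re-reads the MAC currently seen for each bound IP
  - a per-IP failure counter so rapid failed logins get locked out
"""
from dataclasses import dataclass, field


@dataclass
class Binding:
    ip: str
    mac: str


@dataclass
class LoginGate:
    # username -> current binding; the most recent successful login wins
    bindings: dict = field(default_factory=dict)
    # source ip -> (failure count, start of the counting window)
    failures: dict = field(default_factory=dict)
    max_failures: int = 5      # lock after this many failures in one window
    window: float = 60.0       # seconds; failures older than this are forgotten

    def login(self, user, password_ok, ip, mac, now):
        """Return "ok", "denied" or "locked".

        Only a successful login touches the binding table: it replaces the
        user's previous (ip, mac), which is what drops the earlier session.
        A failed attempt changes nothing except the failure counter.
        """
        count, start = self.failures.get(ip, (0, now))
        if now - start > self.window:          # window expired, start over
            count, start = 0, now
        if count >= self.max_failures:
            return "locked"                    # rapid break-in attempts: refuse
        if not password_ok:
            self.failures[ip] = (count + 1, start)
            return "denied"                    # stale binding left untouched
        self.failures.pop(ip, None)
        self.bindings[user] = Binding(ip, mac)
        return "ok"

    def is_bound(self, user, ip):
        """True if traffic from ip is currently allowed for user."""
        b = self.bindings.get(user)
        return b is not None and b.ip == ip

    def verify(self, observed):
        """observed: ip -> MAC currently seen on the wire (supplied by a probe).

        Any bound IP now answering from a different MAC is kicked: the binding
        is removed and the user must log in again. Returns the kicked users.
        IPs absent from `observed` are left alone (host may simply be idle).
        """
        kicked = []
        for user, b in list(self.bindings.items()):
            if observed.get(b.ip, b.mac) != b.mac:
                kicked.append(user)
                del self.bindings[user]
        return kicked


if __name__ == "__main__":
    # Constructed walk-through of the sequence discussed in the thread.
    gate = LoginGate()
    print(gate.login("alice", True, "10.0.0.5", "aa:bb:cc:dd:ee:01", now=0.0))
    print(gate.login("alice", False, "10.0.0.9", "aa:bb:cc:dd:ee:02", now=1.0))
    print(gate.is_bound("alice", "10.0.0.5"))   # failed login moved nothing
    print(gate.login("alice", True, "10.0.0.9", "aa:bb:cc:dd:ee:02", now=2.0))
    print(gate.is_bound("alice", "10.0.0.5"))   # first session is now dropped
    print(gate.verify({"10.0.0.9": "aa:bb:cc:dd:ee:ff"}))  # MAC mismatch -> kicked
```

The failure window is per source IP rather than per username so that a flood of guesses against many accounts from one host is still caught; the thresholds are placeholders to be tuned for the deployment.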
