Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

You don't need to spoof a TCP connection to register a spoofed IP address on a tracker. The tracker GET request has an optional `ip` field, the contents of which is registered as the client's address, regardless of the source address of the actual request. So it's trivial to write a Bittorrent client that reports a false address to the tracker.

http://bittorrent.org/beps/bep_0003.html



So does this optional parameter fully override the peer's address in the reporting ?


Probably. When the tracker responds with a list of peers, each peer only has an id, an ip & a port; there's no real_ip or reported_ip parameters. Of course there could be tracker software in the wild that ignores the ip parameter entirely; it's just a spec, not a contract.


Thanks for the clarification. This makes it entirely possible to spoof someone's address then by a third party.


Wow, that's very interesting. Thanks!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: