by thaumaturgy 5448 days ago
It "attacks back" in this case by redirecting users to various other sites. The fun thing about applications like this one is that they make for a great self-inflicting DoS; all I have to do, as an attacker, is run a script that launches lame attacks with spoofed IPs against a fusker site. With not too much trouble, I could cause your website to redirect a lot of your U.S. customers to goatse, or whatever module you decide to use.

Hate to be a killjoy, but things like this are usually not a good idea. Unfortunately, somebody has to rediscover that every six months or so.

edit: never mind, I was going off of hilariously out-of-date information. TCP ISNs haven't been easy to predict in -- gulp -- about a decade. Damn, now I feel old.

6 comments

You'd have to have a high level of control of the network that the server lives on in order to do this sort of spoofing of TCP connections for arbitrary IP addresses.

And if you had that level of control anyway, you wouldn't need to spoof attacks against the server, you could just redirect all incoming requests to a different server which returns whatever HTTP response headers or bodies that you want.

So your described attack is highly unlikely to ever happen.

I'm not an expert, but HTTP travels over TCP and, if I remember correctly, TCP uses sequence numbers to prevent IP spoofing.

Fair enough, 'attacking back' might be a bit of overkill, but you can't deny the utility of a pluggable module that spots possible attacks (as connectjs middleware, for instance). What I got out of this is a simple way to implement some form of protection on my site.

> is run a script that launches lame attacks with spoofed IPs against a fusker site

How do you spoof your IP in TCP? If you spoof your source address you shouldn't be able to get past the handshake.

http://en.wikipedia.org/wiki/TCP_sequence_prediction_attack

You spoof the IP address you are sending from and then predict the TCP sequence number so you can make it look as though you are receiving the replies (even though they are going to another machine since you spoofed the IP address).

Such an attack was proposed by Hacker News' very own rtm: http://tools.ietf.org/html/rfc1948

Unfortunately for my original point, it looks like my info was waaaay out of date, and most OSs started using cryptographically random ISNs years ago.

My bad, sorry for the noise.

edit: I suppose this means it's time for me to finally discard my copy of Inside TCP/IP, third edition. :-(
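
The per-connection ISN scheme from the RFC 1948 link above, as an added example that is not part of any comment in this thread: ISN = M + F(localhost, localport, remotehost, remoteport, secret), where M is a 4-microsecond timer. HMAC-SHA256 stands in for F (the RFC suggested MD5), and the function names, secret and addresses are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

MASK32 = 0xFFFFFFFF

def timer_m(now_us):
    """RFC 1948's M: a 32-bit counter that ticks once every 4 microseconds."""
    return (now_us // 4) & MASK32

def tuple_offset(secret, local_ip, local_port, remote_ip, remote_port):
    """F(localhost, localport, remotehost, remoteport, secret) as 32 bits.
    HMAC-SHA256 is a stand-in; RFC 1948 suggested MD5 over the same inputs."""
    ident = (socket.inet_aton(local_ip) + struct.pack("!H", local_port)
             + socket.inet_aton(remote_ip) + struct.pack("!H", remote_port))
    digest = hmac.new(secret, ident, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]

def rfc1948_isn(secret, local_ip, local_port, remote_ip, remote_port, now_us):
    """ISN = M + F(...), wrapped to the 32-bit sequence space."""
    offset = tuple_offset(secret, local_ip, local_port, remote_ip, remote_port)
    return (timer_m(now_us) + offset) & MASK32

def seq_delta(later, earlier):
    """Distance between two sequence numbers, modulo 2**32."""
    return (later - earlier) & MASK32

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # a real stack keeps this random and private
    server = ("192.0.2.10", 80)           # constructed documentation addresses
    own = ("198.51.100.7", 40000)         # address the observer really holds
    other = ("203.0.113.9", 40000)        # address the observer does not hold
    t0 = 1_000_000                        # constructed clock reading, microseconds
    a = rfc1948_isn(secret, *server, *own, t0)
    b = rfc1948_isn(secret, *server, *own, t0 + 1_000_000)
    c = rfc1948_isn(secret, *server, *other, t0 + 1_000_000)
    # Same 4-tuple: the ISN only advances with the clock.
    print("same 4-tuple, 1 s apart:", seq_delta(b, a))
    # Different 4-tuple: the gap depends on the secret, so ISNs seen on one's
    # own connection say nothing about the ISN issued to another address.
    print("other 4-tuple, same instant:", seq_delta(c, b))
```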

Don't just throw it away; it's great for ergonomics. Most people's monitors are way too far below eye level.

Except then you could use your "lame" spoofing attacks to redirect whoever you wanted to whatever site you wanted anyway.
Good point. Although a funny thought to see some company redirect its customers to goatse.

I think a more realistic approach, for example, would be an SSH honeypot like kippo (https://code.google.com/p/kippo/).