by nyolfen 1632 days ago
my understanding is that spoofing only works for sessionless protocols or situations -- e.g. a single udp packet or a series of packets that do not rely on any kind of response, since the response (like a tcp ack, or a dh handshake) is routed to the spoofed address. this would not apply to ssh. what contexts are you thinking of?
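The point made above (a forged source address is believed for a one-shot datagram, but any protocol that needs the reply breaks because the reply is routed to the spoofed address) can be shown with a small simulation. This is an added example, not code from the thread or any real stack: the hosts, addresses (198.51.100.7, 203.0.113.9, 192.0.2.22 are documentation ranges), the `Network` router and the `Server` handshake logic are all constructed for illustration. The TCP part is reduced to the one property that matters here: the server picks a random 32-bit initial sequence number in its SYN-ACK and will only consider the connection established if the client echoes it back.

```python
"""Toy model of why source-address spoofing only 'works' for request-only
traffic: the network routes replies by destination address, so an attacker who
cannot observe the spoofed address's traffic never learns what it needs to
continue the exchange. Constructed example; not a real TCP/IP implementation."""
import secrets
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "udp" or "tcp"
    flags: str = ""       # for tcp: "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


class Host:
    """A plain host: it just keeps whatever the network delivers to it."""
    def __init__(self, ip):
        self.ip = ip
        self.inbox = []

    def receive(self, pkt, net):
        self.inbox.append(pkt)


class Server(Host):
    """Accepts any UDP datagram at face value; for TCP it requires the peer to
    echo back the random initial sequence number (ISN) sent in the SYN-ACK."""
    def __init__(self, ip):
        super().__init__(ip)
        self.udp_log = []      # (claimed source, payload) as the server sees it
        self.half_open = {}    # claimed client ip -> server ISN sent in SYN-ACK
        self.established = set()

    def receive(self, pkt, net):
        if pkt.proto == "udp":
            self.udp_log.append((pkt.src, pkt.payload))   # source taken on trust
        elif pkt.flags == "SYN":
            isn = secrets.randbits(32)
            self.half_open[pkt.src] = isn
            # Reply goes to whatever src the SYN claimed, not to whoever sent it.
            net.send(Packet(self.ip, pkt.src, "tcp", "SYN-ACK",
                            seq=isn, ack=(pkt.seq + 1) & 0xFFFFFFFF))
        elif pkt.flags == "ACK":
            isn = self.half_open.get(pkt.src)
            if isn is not None and pkt.ack == (isn + 1) & 0xFFFFFFFF:
                self.established.add(pkt.src)


class Network:
    """Routes by destination only; the source field is never verified, which is
    exactly what makes spoofing possible in the first place."""
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}

    def send(self, pkt):
        if pkt.dst in self.hosts:
            self.hosts[pkt.dst].receive(pkt, self)


def spoofed_udp(net, claimed_src, server_ip, payload):
    """One datagram, no reply needed: the forged source is simply believed."""
    net.send(Packet(claimed_src, server_ip, "udp", payload=payload))


def tcp_connect(net, attacker, claimed_src, server_ip):
    """Attempt a three-way handshake while claiming to be `claimed_src`.
    Returns True only if the attacker actually saw the SYN-ACK and could finish."""
    net.send(Packet(claimed_src, server_ip, "tcp", "SYN", seq=secrets.randbits(32)))
    synack = next((p for p in attacker.inbox
                   if p.flags == "SYN-ACK" and p.src == server_ip), None)
    if synack is None:
        # The ISN went to claimed_src; finishing blind means guessing 32 random bits.
        return False
    net.send(Packet(attacker.ip, server_ip, "tcp", "ACK",
                    seq=synack.ack, ack=(synack.seq + 1) & 0xFFFFFFFF))
    return attacker.ip in net.hosts[server_ip].established


def run_scenario():
    """Constructed topology: an attacker, an innocent host whose address is
    borrowed, and a server. Returns what each party ended up observing."""
    attacker, victim, server = Host("198.51.100.7"), Host("203.0.113.9"), Server("192.0.2.22")
    net = Network(attacker, victim, server)

    spoofed_udp(net, victim.ip, server.ip, b"hello")
    spoofed_tcp_ok = tcp_connect(net, attacker, victim.ip, server.ip)
    honest_tcp_ok = tcp_connect(net, attacker, attacker.ip, server.ip)
    return {
        "udp_spoof_believed": server.udp_log == [(victim.ip, b"hello")],
        "spoofed_tcp_established": spoofed_tcp_ok,
        # A real host here would answer the unexpected SYN-ACK with a RST.
        "victim_received_synack": any(p.flags == "SYN-ACK" for p in victim.inbox),
        "honest_tcp_established": honest_tcp_ok,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The model deliberately leaves out everything a real stack adds on top (sequence number prediction attacks of the 1990s, RSTs from the victim, SYN cookies), because the thread's point stands without them: the attacker sends a spoofed SYN, the ISN it needs arrives somewhere else, and the handshake stalls. An SSH session sits on top of a completed handshake and then a key exchange, so the same argument applies twice over.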

Yeah, the parent comment is not accurate. IP spoofing is only possible if you control the entire L4 stack.
There's network-level "IP spoofing" and then there's just routing traffic through an IP-diverse botnet.
Why are you assuming that a determined attacker doesn't control your L4 stack? MITMs are a threat, your network could be compromised, routers (especially consumer routers) are rife with vulnerabilities. This is the entire reason "zero trust" is pushed.
> ... determined attacker doesn't control your L4 stack?

Let's face it, for most businesses and pretty much all home users* the best they can hope to achieve is not to get owned by various automated attacks.

If some determined attacker is trying to get in, he will get in.

* Sure there are exceptions

people who control the L4 stack probably aren't brute forcing my ssh server
"the attacker probably won't do that" is not a security control.
"the attacker probably won't do that" is very much part of threat modeling, the #1 step in any serious security design.
In any serious security design, "the attacker probably won't do that" would and should be shot down immediately. If your security strategy is hoping that an attacker will be kind enough to not exploit your open vulnerability, you've already failed at threat modeling and at security.

If an attacker can do it, you must assume they will do it. Because they will. That should be the starting point for any threat model.