#14
John Rumm
 
The Natural Philosopher wrote:

> Doesn't really matter that much, since at some level the nntp posting
> host is in the path, and you can generally work from there.


To an extent, assuming someone is not running their own NNTP host on a
"owned" computer, or hiding behind a proxy on one etc.

> IP source address spoofing is rather hard to use to implement a stream
> connection, as if you fake where you are coming from, the ack packets
> won't get back to you.


This is true... it's a more useful technique for DDoS attacks than for
things like two way traffic (i.e. TCP connections).

> You may be able to take over a nearby address, but you can't fake one
> across the other side of the world.
>
> Most boundary routers are VERY tight on stuff like that.


They are getting better. They have always been pretty tight on
preventing external IP address blocks from getting access to services
provided for subscribers (although there are still some ISPs that don't care).

The reverse situation however is still much more patchy (i.e. preventing
exit of packets apparently originated from an IP address range that
really ought not to be in the network segment) since this is a
technically much harder problem to solve as an afterthought (i.e. you
need to have started with a well planned and segmented network in the
first place, rather than having "grown" one organically as your demand
increased).

(The thrust of my post was really to highlight that post containing a
snippet of "Noddy learns IP", was (while interesting to some), pretty
pointless as a practical solution to the problem).

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk                      |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk                     |
\=================================================================/
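The two points made above, that a forged source address cannot carry a TCP handshake because the SYN-ACK is routed to the forged address rather than to the sender, and that a border router can check source addresses on the way in (ingress) and on the way out (egress), can be shown in a small toy model. This is an added illustration, not code from the thread or from any of the posters; it is not a real network stack, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Toy model of (1) why a spoofed source cannot complete a TCP handshake and
(2) ingress vs egress anti-spoofing filters at an ISP border (BCP 38 style).
Added illustration; not a real stack, all addresses are constructed examples."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str    # source address as written in the header (may be forged)
    dst: str    # destination address
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class Network:
    """Delivers packets by destination address only, as IP routing does.
    The network never knows who really put a packet on the wire."""

    def __init__(self):
        self.hosts = {}  # address -> list of packets received by that host

    def attach(self, addr):
        self.hosts[addr] = []
        return addr

    def send(self, pkt):
        # Unknown destinations are silently discarded (routed into the void).
        self.hosts.get(pkt.dst, []).append(pkt)


def server_respond(net, server_addr):
    """A server answers each SYN with a SYN-ACK sent to the *claimed* source."""
    for pkt in list(net.hosts[server_addr]):
        if pkt.flags == "SYN":
            net.send(Packet(src=server_addr, dst=pkt.src, flags="SYN-ACK"))


def attempt_handshake(spoof):
    """Return True only if the initiator receives the SYN-ACK it needs to
    send the final ACK, i.e. whether a stream connection could be set up."""
    net = Network()
    attacker = net.attach("198.51.100.7")  # constructed, RFC 5737 range
    victim = net.attach("203.0.113.9")     # address the attacker might forge
    server = net.attach("192.0.2.25")      # the service being contacted
    claimed_src = victim if spoof else attacker
    net.send(Packet(src=claimed_src, dst=server, flags="SYN"))
    server_respond(net, server)
    # With spoofing, the SYN-ACK lands in the victim's mailbox, never the attacker's.
    return any(p.flags == "SYN-ACK" for p in net.hosts[attacker])


# --- Part 2: source-address checks at an ISP border router -----------------
# Prefixes assigned to this ISP's subscribers (constructed example ranges).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "203.0.113.0/24")]


def _is_customer(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CUSTOMER_PREFIXES)


def ingress_filter(pkt):
    """Packet arriving from the outside world. A customer source address
    cannot legitimately arrive from outside, so it is dropped; this is the
    long-established check the thread says boundary routers are tight on."""
    return "drop" if _is_customer(pkt.src) else "accept"


def egress_filter(pkt):
    """Packet leaving towards the outside world. Only our own prefixes may
    appear as the source; anything else is forged or misrouted and is dropped.
    This is the BCP 38 egress check the thread describes as still patchy."""
    return "accept" if _is_customer(pkt.src) else "drop"


if __name__ == "__main__":
    print("honest handshake completes:", attempt_handshake(spoof=False))
    print("spoofed handshake completes:", attempt_handshake(spoof=True))
    print("inbound packet claiming customer src:",
          ingress_filter(Packet("192.0.2.5", "192.0.2.25", "SYN")))
    print("outbound packet with foreign src:",
          egress_filter(Packet("10.0.0.1", "198.51.100.7", "SYN")))
```

The egress check is the one that needs the well-planned, segmented addressing the post refers to: it only works if the router actually knows which prefixes belong behind each interface, which is exactly what an organically grown network tends to lack.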