Teamspeak Attack / Exploit

[Juzaa]

Hi there,

regarding things i have read here HERE, there are a few things i'd like to list before i begin:

System: Debian
Server version: 2.0.24.1 Linux
Ports: Default
Additionals: TS2PerlMod

And now my problem...

We had yesterday a user joined our server. His flaming and insulting others caused a ban from server. Well, normal, but:

This user connected again with multiple IP's so the ban would not work. This, is an issue what should be fixed. How is it possible to fake that fast IP's ???

Ok, 1 Bug, but the next one is really interesting: Next step we choosed: Make the channel password protected. The attacker joined another channel and was ABLE TO SPEAK FROM his channel to OURS! Sorry, but whats the point??

Is it possible to fake IP's within the packets the clients sends to server?
How can i determine his real IP (this should be REALLY done by server)?
Will there be a hotfix for that?

Here the log (usually the IP is in the same range if dynamic, but this...)

Code:

16-08-08 16:07:23,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: Acid jiddish, Version: 2.0.32.60]
16-08-08 16:08:30,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Janinara]
16-08-08 16:09:06,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
16-08-08 16:09:31,ALL,Info,AccessLog,	SID: 1 client connected [IP: 87.106.11.22, Nick: Acid jiddish, Version: 2.0.32.60]
16-08-08 16:09:39,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
16-08-08 16:10:07,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.139.99, Nick: Acid jiddish, Version: 2.0.32.60]
16-08-08 16:10:13,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
16-08-08 16:10:28,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: Acid jiddish, Version: 2.0.32.60]
16-08-08 16:10:37,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
16-08-08 16:11:01,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: Acid jiddish, Version: 2.0.32.60]
16-08-08 16:11:05,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
16-08-08 16:11:17,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: Acid jiddish, Version: 2.0.32.60]
16-08-08 16:11:22,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
16-08-08 16:11:36,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.20.249, Nick: Acid jiddish, Version: 2.0.32.60]
16-08-08 16:11:40,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
18-08-08 01:01:28,ALL,Info,AccessLog,	SID: 1 client connected [IP: 87.106.2.145, Nick: Acid jiddish, Version: 2.0.32.60]
18-08-08 01:01:37,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
18-08-08 01:01:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 87.106.129.206, Nick: Acid jiddish, Version: 2.0.32.60]
18-08-08 01:02:08,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
18-08-08 01:02:26,ALL,Info,AccessLog,	SID: 1 client connected [IP: 87.106.11.67, Nick: Acid jiddish, Version: 2.0.32.60]
18-08-08 01:02:31,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
18-08-08 01:02:44,ALL,Info,AccessLog,	SID: 1 client connected [IP: 87.106.2.145, Nick: Acid jiddish, Version: 2.0.32.60]
18-08-08 01:02:50,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Acid jiddish]
18-08-08 01:11:15,ALL,Info,AccessLog,	SID: 1 client connected [IP: 87.106.11.67, Nick: Adonai, Version: 2.0.32.60]
18-08-08 01:13:23,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Adonai]
18-08-08 01:13:29,ALL,Info,AccessLog,	SID: 1 client connected [IP: 87.106.130.76, Nick: Adonai, Version: 2.0.32.60]
18-08-08 01:16:43,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Adonai]
18-08-08 01:16:51,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: Adonai, Version: 2.0.32.60]
18-08-08 01:16:53,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew1, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew2, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew3, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew4, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew5, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew6, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew7, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew8, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew9, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew10, Version: 2.0.32.60]
18-08-08 01:16:54,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.147.158, Nick: fcew11, Version: 2.0.32.60]
18-08-08 01:16:55,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew12, Version: 2.0.32.60]
18-08-08 01:16:55,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew13, Version: 2.0.32.60]
18-08-08 01:16:55,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew14, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew15, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew1]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew1, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew2]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew2, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew3]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew3, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew4]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew4, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew16, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew5]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew5, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew6]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew6, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew7]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew7, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew8]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew8, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew17, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew9]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew9, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew10]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew10, Version: 2.0.32.60]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew11]
18-08-08 01:16:56,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew11, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew18, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew19, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew20, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew21, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew22, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew23, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew24, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew25, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew26, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew27, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew28, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew29, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew30, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client connected [IP: 84.112.141.91, Nick: fcew31, Version: 2.0.32.60]
18-08-08 01:16:57,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew12]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew13]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew14]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew15]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew1]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew2]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew3]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew4]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew16]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew5]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew6]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew7]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew8]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew17]
18-08-08 01:16:58,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew9]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew10]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew11]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew18]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew19]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew20]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew21]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew22]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew23]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew24]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew25]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew26]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew27]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew28]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew29]
18-08-08 01:16:59,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew30]
18-08-08 01:17:00,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew31]
18-08-08 01:17:32,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Adonai]
18-08-08 01:17:50,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: Adonai, Version: 2.0.32.60]
18-08-08 01:17:51,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: fcew, Version: 2.0.32.60]
18-08-08 01:17:52,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: fcew1, Version: 2.0.32.60]
18-08-08 01:17:52,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: fcew2, Version: 2.0.32.60]
18-08-08 01:17:52,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: fcew3, Version: 2.0.32.60]
18-08-08 01:17:52,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: fcew4, Version: 2.0.32.60]
18-08-08 01:17:52,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: fcew5, Version: 2.0.32.60]
18-08-08 01:17:52,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: fcew6, Version: 2.0.32.60]
18-08-08 01:17:52,ALL,Info,AccessLog,	SID: 1 client connected [IP: 85.25.132.91, Nick: fcew7, Version: 2.0.32.60]
18-08-08 01:17:54,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew]
18-08-08 01:17:54,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew1]
18-08-08 01:17:54,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew2]
18-08-08 01:17:54,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew3]
18-08-08 01:17:54,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew4]
18-08-08 01:17:54,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew5]
18-08-08 01:17:54,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew6]
18-08-08 01:17:54,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: fcew7]
18-08-08 01:19:21,ALL,Info,AccessLog,	SID: 1 client disconnected. [Nick: Adonai]

[bibabu]

Hallo,

This user connected again with multiple IP's so the ban would not work. This, is an issue what should be fixed. How is it possible to fake that fast IP's ???

its easy to change your IP by a DSL Reconnect.

Ok, 1 Bug, but the next one is really interesting: Next step we choosed: Make the channel password protected. The attacker joined another channel and was ABLE TO SPEAK FROM his channel to OURS! Sorry, but whats the point??

TeamSpeak Client -> Self -> Block Whispers

[Katana*GFR*]

Hallo,



its easy to change your IP by a DSL Reconnect.

Mwoah, not so fast manually. Even if you have a Dynamic IP, a request to the server for a new IP does take a bit.
I never get my IP back within 5 seconds, and i got a static one.


Juzaa, try one of the mods in the 3rd party site, they work really nice.

[Juzaa]

Hi, thank you for answers...

Hallo,
its easy to change your IP by a DSL Reconnect.

I have contacted his provider cause of this. His provider is chello (AT). They will contact him about that. Other IP's are from other providers, so this is not a fast reconnect. This is more like spoofing...

TeamSpeak Client -> Self -> Block Whispers

Is there a way to block whispers from server-side?

Juzaa, try one of the mods in the 3rd party site, they work really nice.

Perlmod is installed, do you suggest me another (additional) one?

[Katana*GFR*]

If perlmod is configured correctly he gets banned after the amount of tries you set it to.

And no, whispers can't be blocked serversided.

[Juzaa]

If perlmod is configured correctly he gets banned after the amount of tries you set it to.

And no, whispers can't be blocked serversided.

Maybe with a moddified packetfilter like tsqueue-0.1...
However, i am not able to ban a user which is able to spoof that fast ip adresses...

Thats why the current "stable" release should get a hotfix...

[Katana*GFR*]

Listen, if configured right TS2PerlMod does its job perfect. I know, ive had it myself.

And no, there's no need for a hotfix if you can't configure something right.

[Peter]

If he is indeed spoofing the IP then these clients would be dropping very shortly after login (because the server gets no reply from the spoofed IP address), is this happening?
Many people just reconnect their DSL if they want to be a pain in the ass, getting a new IP in 1 second is totally doable...

[Juzaa]

Listen, if configured right TS2PerlMod does its job perfect. I know, ive had it myself.

And no, there's no need for a hotfix if you can't configure something right.

I would preffer you to not post anymore, thanks.

If he is indeed spoofing the IP then these clients would be dropping very shortly after login (because the server gets no reply from the spoofed IP address), is this happening?
Many people just reconnect their DSL if they want to be a pain in the ass, getting a new IP in 1 second is totally doable...

Sure, it is possible. What i know now is:
- His provider offers him a static ip (Austria - Vienna(chello)).
- After banned, he joines the server with different ip's from a range of a hostingprovider (SERVER4YOU) and different dynamic-range ip's from a german ISP and is able to talk.
- Perlmod is working and is banning floods
- He rejoins with voice like: "you cannot ban me" and: again: he gots another ip.

I guess, after i informed his ISP which will take care of it, that he will never again join our TS. But i'm very interessted in how is he able to use so much ip's and was able to talk.

Oh, and btw: Perlmod was disabled cause i needed due to getting more information about him

[Katana*GFR*]

I would preffer you to not post anymore, thanks.

Whatever.. I know im right on this

Oh, and btw: Perlmod was disabled cause i needed due to getting more information about him

That's why.. Dont bother whining to me, when you turn it off yourself.
Could have mentioned that beforehand.

[Juzaa]

Dont bother whining to me

Blablabla..

For everyone else: I'm still searching why an austrian guy was able to fake german ip ranges, if someone knows, drop a line

[Katana*GFR*]

http://en.wikipedia.org/wiki/IP_address_spoofing


First result on google... Its so easy

[Juzaa]

http://en.wikipedia.org/wiki/IP_address_spoofing


First result on google... Its so easy

Nice Link... Did u even read it ?

If he is indeed spoofing the IP then these clients would be dropping very shortly after login (because the server gets no reply from the spoofed IP address)

Agree 100%.

- After banned, he joines the server with different ip's ... and is able to talk.

Got now the point?

[Katana*GFR*]

Dude you can keep making sarcastic comments to me, but i gave you what you asked for. You wanted info on spoofing, and now you have it.
I know what it is, i know how to do it, why should i bother reading then? It's not like there's some new info in it for me.

Its just the headers that are modified, and thus not on the ban list, if you have acces to the connection logs ( server logs ) see what they bring up..
I think the returnpath is not spoofed.

[Juzaa]

Dude you can keep making sarcastic comments to me, but i gave you what you asked for. You wanted info on spoofing, and now you have it.

Listen, if configured right TS2PerlMod does its job perfect. I know, ive had it myself.
And no, there's no need for a hotfix if you can't configure something right.

http://en.wikipedia.org/wiki/IP_address_spoofing
First result on google... Its so easy

Thats why i asked you to stop posting if you cannot stick at this topic. If you cannot accept sarcasm, dont spread it.

I know what it is, i know how to do it, why should i bother reading then?

Could be that you would be able to answer my question...

Its just the headers that are modified

Now we get closer: Isn't it the services job (TS-server) to identify the user by his real IP?