Here's an old reply...

-------- Original Message --------
Subject: Re: IP Spoofing.
Date: Thu, 30 Sep 1999 16:56:31 +0200
From: "Peter J. Kunz" <pkunzat_private>
To: Randy Witlicki <randy.witlickiat_private>
CC: Carric Dooley <carricat_private>, petroat_private, firewall-wizardsat_private
References: <v04205502b4089b713655@[10.1.1.212]> <l03130300b41718e50702@[198.115.164.57]>

Randy Witlicki wrote:
>
> In the original blind IP spoofing (Mitnick, etc.) you had two
> big holes:
> - Predictable initial TCP sequence numbers, and;
> - Trust (as in /.rhosts) with no security perimeter.
> In the classic way of doing it, you do a "echo X.X.X.X > /.rhosts"
> as an rsh command in blind IP spoofing and then your host (X.X.X.X) is
> now trusted and you are free to rlogin, etc. (assuming there
> is no security perimeter).

Uhm, wouldn't you need access authority to have rsh work on the remote host?...

> In a prudent setup with both cryptographically strong initial
> TCP sequence numbers (you don't need OpenBSD here, but it helps), and
> a good security perimeter, you should be immune from the "classic" attack.

I notice in nmap there are different values for TCP prediction. Anyone care to elaborate what the different techniques are and why guessing on some is harder than others (apart from crypto, of course :-)) )?

Btw, on what kinds of number prediction does that network tool for Solaris work - I think it's IP-Watch. It allows you to hijack a TCP session.

> >> Could anyone provide me with a link or pointer to information that I
> >> could use to prove him wrong, or to information that proves me wrong?

Bellovin's '89 or '93 paper (Computer Communications Review, perhaps at att.com) or Morris's '85 paper
http://www.eecs.harvard.edu/~rtm/papers.html

cu
-pete
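As an added illustration of the ISN-predictability classes the question above refers to (not part of the original thread or of nmap itself), the following classifier sorts a run of initial sequence numbers sampled from one's own TCP stack into the classes nmap's old output labels used; the thresholds and the "bits of variation" difficulty score are my own assumptions, and the ISN samples are constructed.

```python
"""Classify how predictable a TCP stack's initial sequence numbers (ISNs) are.

Added example, not code from the mailing-list thread or from nmap. Class
names follow the old nmap labels as I remember them; the thresholds are
assumptions. All ISN samples below are constructed, not captured anywhere.
"""
from statistics import pstdev

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns):
    """Return (class_name, difficulty_bits) for a list of sampled ISNs.

    difficulty_bits is the bit length of the standard deviation of the
    steps: roughly how many bits an attacker must guess per new connection.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    spread = pstdev(deltas)
    bits = int(spread).bit_length()
    positive = all(d < 2 ** 31 for d in deltas)  # every step is a forward step
    if all(d == 0 for d in deltas):
        return "constant", bits                  # same ISN every time
    if len(set(deltas)) == 1:
        return "fixed increment (64K rule)", bits  # e.g. classic BSD +64000
    if positive and spread < 0.1 * (sum(deltas) / len(deltas)):
        return "trivial time dependency", bits   # steady clock-driven counter
    if positive:
        return "random positive increments", bits
    return "truly random", bits


def isns_from_steps(start, steps):
    """Build a constructed ISN sample from a start value and per-connection steps."""
    out = [start]
    for s in steps:
        out.append((out[-1] + s) % MOD)
    return out


if __name__ == "__main__":
    samples = {
        "constant stack": [1000] * 5,
        "BSD-style 64K rule": isns_from_steps(5000, [64000] * 4),
        "clock-driven": isns_from_steps(1000, [128000, 128010, 127995, 128002]),
        "random positive": isns_from_steps(0, [0x12345678, 0x0ABCDEF0, 0x3FFFFFFF, 0x01000000]),
        "random": [0x80000000, 0x10000000, 0xF0000000, 0x20000000],
    }
    for name, isns in samples.items():
        print(f"{name:20s} -> {classify_isn(isns)}")
```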
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:05 PDT