Oops, rereading one of my last posts, I said

> > FWIW, IP's *may* be spoofed, even if you are seeing a tcp 3-way init.
> > It depends on how your server machine generates the IP sequence numbers.
> > `nmap -v` is a good gauge of how cryptographically strong it is.

What I MEANT was TCP sequence numbers, not IP ID numbers. Sequence numbers are supposed to be highly random.

The IP ID number is just a unique identifier of communication between two hosts over a given protocol. It exists so that (for example) a webserver can serve a client multiple pages concurrently.

The IP ID number cannot be used to provide any kind of security. It seems different OSs even use widely different schemes to decide when to increment it and when to use an entirely different number.

As I understand, beginning an attack with an arbitrary IP ID number would work fine, as long as the TCP sequence numbers were right. The target host would just think that lots of packets had gotten lost ...

Correct me if I'm wrong,
Justin Pryzby
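The message above ties spoofing resistance to how unpredictable a server's initial TCP sequence numbers (ISNs) are. The following is an added example, not part of the original post and not nmap's algorithm: a simplified check over ISNs sampled from your own server, where the function names, the 24-bit threshold and the sample data are all assumptions made for illustration.

```python
import math
import random

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def spread_bits(isns):
    """log2 of the standard deviation of the signed ISN deltas."""
    # Treat deltas as signed so a small backwards step is not read as a huge one.
    signed = [d - MOD if d >= MOD // 2 else d for d in isn_deltas(isns)]
    mean = sum(signed) / len(signed)
    stdev = math.sqrt(sum((d - mean) ** 2 for d in signed) / len(signed))
    return math.log2(stdev) if stdev > 1 else 0.0


def classify_isns(isns, threshold_bits=24):
    """Coarse label; threshold_bits is an arbitrary cut-off chosen for this example."""
    if len(isns) < 5:
        raise ValueError("need at least 5 samples")
    if len(set(isn_deltas(isns))) == 1:
        return "constant"  # fixed increment: the next ISN follows from the last one
    # A wide spread is necessary, not sufficient: a non-cryptographic
    # generator can also produce widely spread deltas.
    return "low-variance" if spread_bits(isns) < threshold_bits else "high-variance"


# Constructed samples (not captured from any real host).
rng = random.Random(1)
CONSTANT = [(MOD - 100000 + 64000 * i) % MOD for i in range(20)]  # wraps past 2^32
JITTER = [5000]
for _ in range(19):  # roughly time-based counter with small jitter
    JITTER.append((JITTER[-1] + 125000 + rng.randint(-500, 500)) % MOD)
RANDOM = [rng.getrandbits(32) for _ in range(20)]  # uniformly drawn ISNs

if __name__ == "__main__":
    for name, sample in (("constant", CONSTANT), ("jitter", JITTER), ("random", RANDOM)):
        print(f"{name:8s} {classify_isns(sample):13s} ~{spread_bits(sample):.1f} bits of spread")
```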
This archive was generated by hypermail 2b30 : Thu May 29 2003 - 07:50:39 PDT