Security Basics mailing list archives

RE: IP Session Hijacking And Spoofing


From: "ALBEE,RUSSELL. S FC2 (CV63 CS5)" <ALBEER () kitty-hawk navy mil>
Date: Fri, 22 Nov 2002 22:56:25 +0900

Hi Todd,

"I also failed to understand how the traffic gets back to you if you are
telling it to respond to another host. Can someone shine some light on this
for me?" - LEHMANN, TODD

I'm FAR from an expert on this, but what I remember reading about this
issue is that the traffic does not get back to you, but goes to the IP
address that was spoofed.  In case you are wondering what the point of
spoofing would be, then, if the traffic doesn't come back to you, it is that
this technique could still be used for DoS attacks while hiding the
originating machine that sent them.  I.e., my machine at 127.0.0.5 sends a
DoS attack to your machine at 127.0.0.8, but tells your machine it came from
127.0.0.3.  You check your logs and sic the dogs on the owner of 127.0.0.3,
thinking he was DoS'ing you.  (127 addresses used for example only, I know
127's are loopback)

Again, this is from what I remember reading about this issue, so don't quote
me on this.  If anybody who is more familiar with this topic can
confirm/deny what I said, I would be appreciative.

Regards,

Russell

The views and/or expressions in this email are my own personal statements
and do not represent any endorsement and/or statement from the US Navy.


--- Begin Message ---
From: "LEHMANN, TODD" <TODLEH () SAFECO com>
Date: Wed, 20 Nov 2002 04:33:17 +0900

I have read some documentation on IP Spoofing, and from what I have read, it
sounds like you must determine the sequence number of the host before you
can spoof. However, I don't understand why you would have to determine the
sequence if you are creating a new session with the host under a false IP.
Wouldn't the creation of the new TCP session negotiate the sequence number
at that time?

I also failed to understand how the traffic gets back to you if you are
telling it to respond to another host. Can someone shine some light on this
for me?

When it comes to session hijacking, how does one go about determining the
sequence number on a host that uses a random number seed to create the
sequence? Is it some form of complex algorithm or is it just impossible
unless you create the session?

Todd Lehmann
Systems Analyst I
VPN Subject Matter Expert

--- End Message ---
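
The handshake both posts ask about, as an added example that is not part of either message: a toy Python model (no real packets) showing that the SYN-ACK carrying the server's initial sequence number goes to the claimed source address, so a sender using a false address must guess that number, and that an unpredictable ISN makes the guess fail. The class and function names, the 192.0.2.x addresses and the fixed-step generator are constructed for illustration.

```python
import itertools
import secrets

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit

class Server:
    """Toy TCP listener: only the handshake bookkeeping, no real packets."""
    def __init__(self, next_isn):
        self.next_isn = next_isn      # callable returning the server's next ISN
        self.half_open = {}           # (src_ip, src_port) -> ACK number expected
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn):
        isn = self.next_isn() & MASK
        self.half_open[(src_ip, src_port)] = (isn + 1) & MASK
        # The SYN-ACK goes to the source address in the header,
        # whichever machine really sent the SYN.
        return {"dst": src_ip, "seq": isn, "ack": (client_isn + 1) & MASK}

    def on_ack(self, src_ip, src_port, ack):
        key = (src_ip, src_port)
        if self.half_open.get(key) != ack:
            return False              # a real stack would answer with RST
        del self.half_open[key]
        self.established.add(key)
        return True

def counter_isn(start=5000, step=64000):
    """Constructed predictable generator: fixed step per connection."""
    counter = itertools.count(start, step)
    return lambda: next(counter)

def random_isn():
    return secrets.randbits(32)       # stands in for an unpredictable ISN

def connect(server, real_ip, claimed_ip, port, guessed_isn=None):
    """Run one handshake; True if the server reaches ESTABLISHED."""
    synack = server.on_syn(claimed_ip, port, client_isn=1000)
    if synack["dst"] == real_ip:
        ack = synack["seq"] + 1       # sender received the SYN-ACK
    elif guessed_isn is not None:
        ack = guessed_isn + 1         # sender is blind and has to guess
    else:
        return False                  # never saw the ISN, cannot ACK
    return server.on_ack(claimed_ip, port, ack & MASK)

def blind_ack_accepted(server, step):
    """Learn one ISN from an honest SYN, then guess the next one blind."""
    probe = server.on_syn("192.0.2.5", 40000, client_isn=1)
    return connect(server, "192.0.2.5", "192.0.2.3", 40001,
                   guessed_isn=probe["seq"] + step)
```

With the fixed-step generator the guessed ACK is accepted; with `random_isn` the server drops it, which is why randomized ISNs limit false-address senders to traffic that needs no reply.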
