Bugtraq mailing list archives

Router filtering not enough! (Was: Re: CERT advisory )


From: rens () imsi com (Rens Troost)
Date: Tue, 24 Jan 1995 11:17:48 -0500


> TCP Sequence Numbering attacks are based on the ability of knowing a session's
> initial sequence number (ISN); a "random" number incremented every X (time

Not necessarily....If you can see the traffic go by on the net, you
have the sequence numbers and can go right ahead and hijack the
session in-progress.

This can be done with a routing redirect attack anywhere on the path
between the telnet client and the skey login machine (firewall), and
does not require IP spoofing.

The filtering router techniques that are being discussed will NOT
provide 100% protection against this sort of attack. If you really
need to be absolutely safe from this kind of attack, you must not run
skey or any other unencrypted interactive login at all.
Application-level encryption can substantially decrease the risk
of intrusion in this case, reducing the attack to a denial of service
(you lose your connection.) Gauge your own risk.

> Effective guessing can lead to compromise of existing sessions; both incoming
> and outgoing from your gateway, or between two internal systems. Although

Again, guessing the ISNs helps a lot, but is not the only way to do
this. If any router or circuit your connection has traversed is
compromised, so is your connection. This does not require spoofing or
source-routing; although the current attackers seem to be using
spoofing and source routing, count on them to start using more
pernicious methods soon. As has been pointed out, only network or
transport-level encryption will entirely block these attacks.

-Rens
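The thread turns on whether a host's ISN generator is a constant-increment counter (guessable) or genuinely random. The following is an added example, not code from Rens's post or from anyone in the thread: a small audit routine that takes a list of ISNs observed from one host's successive connections and scores how predictable they are, in the spirit of the sequence-predictability index later popularised by port scanners. The function names, thresholds and the three sample generators (a fixed 64000-per-connection counter, the same counter with small jitter, and a seeded 32-bit random source) are all constructed here for illustration; the only real material is the arithmetic.

```python
"""Audit how predictable a host's TCP initial sequence numbers (ISNs) are.

Added example, not from the original Bugtraq post. All names and sample data are
constructed for illustration. Feed `classify_isns` the ISNs observed from a
host's successive connections (e.g. from your own packet captures) to see
whether its generator behaves like the 1995-era "counter incremented every X"
scheme the thread describes, or like a random source.
"""
from math import log2
from statistics import pstdev
import random

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 so wraparound is handled."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predictability_index(isns):
    """Rough predictability index: log2 of the standard deviation of the deltas.

    0 means every delta is identical (next ISN is a single guess); values near
    31-32 mean the deltas look uniformly spread over the whole 32-bit space.
    This is a constructed heuristic, not a standard metric.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISNs to judge the generator")
    sd = pstdev(deltas)
    return 0.0 if sd < 1 else log2(sd)


def classify_isns(isns):
    """Map the index onto three coarse, constructed labels for a defender's report."""
    idx = predictability_index(isns)
    if idx < 8:
        return "predictable"       # counter-style generator; ISN guessing is cheap
    if idx < 24:
        return "weak"              # some jitter, but a small guess window remains
    return "random-looking"        # deltas spread across the 32-bit space


# --- constructed sample generators, standing in for captured ISNs -----------

def sample_constant_increment(n=50, start=0x1234_5678, step=64000):
    """Old-style counter: a fixed increment per connection (constructed)."""
    return [(start + i * step) % MOD for i in range(n)]


def sample_jittered_increment(n=50, start=0x1234_5678, step=64000, jitter=4096):
    """Counter plus a little jitter: still leaves a narrow guess window (constructed)."""
    rng = random.Random(7)
    isns, cur = [], start
    for _ in range(n):
        isns.append(cur)
        cur = (cur + step + rng.randrange(jitter)) % MOD
    return isns


def sample_random(n=50):
    """Seeded 32-bit random ISNs, so the example is reproducible (constructed)."""
    rng = random.Random(42)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, gen in (("constant increment", sample_constant_increment),
                      ("jittered increment", sample_jittered_increment),
                      ("random", sample_random)):
        isns = gen()
        print(f"{name:20s} index={predictability_index(isns):5.1f} "
              f"verdict={classify_isns(isns)}")
```

The index is deliberately coarse: a generator can have high delta variance and still be predictable to someone who knows its internal state, so treat a "random-looking" verdict as necessary, not sufficient, and read it alongside the post's main point that a sniffer on the path needs no guessing at all.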


