Bugtraq mailing list archives
Re: Blind IP Spoofing Attacks.
From: perry () imsi com (Perry E. Metzger)
Date: Tue, 24 Jan 1995 19:16:05 -0500
Timothy Newsham says:
Just wanted to discuss a minor point in the CERT and other advisories. They mention that NFS and Sun RPC in general are vulnerable to the sequence number attack. It is true that nfs and other rpc's do rely on IP address for authentication but I don't see how they are vulnerable to an attack. You need to see the reply in order to get a filehandle in order to do anything with nfs. As for Sun RPC, it doesn't trust any host as it's just a tool for writing protocols. Are there other RPC protocols which are vulnerable to this attack? Am I overlooking something about NFS? Did someone just put 2 (fake source IP) and 2 (protocol relies on IP for authentication) together and get 3 (NFS is vulnerable to this attack)?
Solaris 2.X has "fixed" source routes so that they work, and has RPC over TCP, including NFS over TCP. That means that you could indeed make some nasty uses of IP spoofing in conjunction with NFS. Myself, I consider NFS to be highly insecure and always advise clients to hide it behind application level firewalls.

Perry