Firewall Wizards mailing list archives

Re: Session hijacking, source-routes


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Wed, 10 Feb 1999 12:08:15 -0800




> Can a TCP session be hijacked if the target system rejects
> source-routed IP packets?

Sure.

> If I understand the process correctly, the attacker quells the
> legitimate client with a DOS attack

Yes.

> and gets the server to
> route the packets to himself instead

Not necessarily.

> after having observed the
> proper sequence numbers to use.

Traffic has to already be coming his way to get the sequence
numbers, usually.

> If my f/w rejects all source-routed packets, are its connections
> immune to session hijacking,

No.  The attacker could already be "in" the network
path, and not have a need to re-route packets.

The packets that really would need to be source-routed
for a hijack would be the other end (your packets.)  In
general, the attacker can send packets from wherever
he likes, and has no need to source-route his packets.

Source-routing is most useful in current attacks to
reach otherwise unreachable networks across
the Internet (say, someone's internal 10.x.x.x network.)
Dropping source-routed packets, as well as implementing
anti-spoofing measures, helps with this.

                         Ryan
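
The two filtering measures named in the message above, dropping source-routed packets and anti-spoofing, sketched as a border-filter decision over raw IPv4 headers. This is an added example, not part of the original post; the function names, the `INTERNAL_NETS` list and the sample header builder are assumptions constructed for illustration.

```python
import ipaddress
import struct

LSRR, SSRR = 0x83, 0x89  # IPv4 option types (RFC 791): loose / strict source route
# Assumption: ranges that are "inside" and must never arrive as a source from outside
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def source_route_options(header: bytes) -> list:
    """Return the source-route option types present in a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad header length")
    found, i = [], 20
    while i < ihl:
        opt = header[i]
        if opt == 0:              # End of Option List
            break
        if opt == 1:              # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            raise ValueError("malformed IP option")
        if opt in (LSRR, SSRR):
            found.append(opt)
        i += header[i + 1]        # skip over this option using its length byte
    return found

def verdict(header: bytes, arrived_on_external: bool) -> str:
    """Apply both measures: drop source-routed packets, then anti-spoofing."""
    try:
        if source_route_options(header):
            return "DROP source-routed"
    except ValueError:
        return "DROP malformed"
    src = ipaddress.ip_address(header[12:16])
    if arrived_on_external and any(src in net for net in INTERNAL_NETS):
        return "DROP spoofed internal source"
    return "ACCEPT"

def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a sample IPv4 header for testing (checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options
```

Neither check addresses the case the reply singles out, an attacker already in the network path, since such traffic carries no source-route option and no out-of-place source address.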




