Firewall Wizards mailing list archives
Re: Session hijacking, source-routes
From: "Paul D. Robertson" <proberts () clark net>
Date: Wed, 10 Feb 1999 15:28:23 -0500 (EST)
On Wed, 10 Feb 1999, Ken Hardy wrote:
> Can a TCP session be hijacked if the target system rejects source-routed IP packets?
Yes.
> If I understand the process correctly, the attacker quells the legitimate client with a DOS attack and gets the server to route the packets to himself instead after having observed the proper sequence numbers to use. (No real significance to use of client/server here -- could work against either end of the TCP connection.) If my f/w rejects all source-routed packets, are its connections immune to session hijacking, or does this (or can this) work another way?
Hijacking requires the attacker to spoof the hijackee. Blind spoofing is possible, especially with predictable sequence numbers; hijacking with read access to any media in the client/server path for non-blind spoofing (which is more difficult to detect) is also possible. You don't actually have to DOS the hijackee, just get your packets there before theirs to win. Source routing makes the entire exercise easier, but it's not a base necessity, especially with unencrypted links and predictable sequence numbers.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
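
Added example, not part of the original message: when a spoofed segment and the real endpoint's segment both reach the receiver, a passive monitor sees the same sequence range claimed twice with different bytes, which an ordinary retransmission never does. The sketch below flags that condition; the function name, flow tuple, addresses and payloads are constructed for illustration, and a production monitor would bound the per-flow state it keeps.

```python
from collections import defaultdict

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def find_conflicting_segments(segments):
    """Return (flow, seq) for each segment that re-covers sequence space
    already seen on that flow direction with different bytes.

    segments: iterable of (flow, seq, payload); flow is any hashable
    identifier such as (src, sport, dst, dport), payload is bytes.
    """
    seen = defaultdict(dict)  # flow -> {sequence number: first byte seen there}
    alerts = []
    for flow, seq, payload in segments:
        stream = seen[flow]
        first_conflict = None
        for offset, byte in enumerate(payload):
            pos = (seq + offset) % SEQ_MOD
            if pos not in stream:
                stream[pos] = byte          # new data, remember it
            elif stream[pos] != byte and first_conflict is None:
                first_conflict = pos        # same position, different content
        if first_conflict is not None:
            alerts.append((flow, first_conflict))
    return alerts

# Constructed sample: one direction of a cleartext session (documentation addresses).
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 23)
SAMPLE = [
    (FLOW, 1000, b"ls\n"),         # normal data
    (FLOW, 1000, b"ls\n"),         # identical retransmission: benign, not flagged
    (FLOW, 1003, b"AAAA"),         # first segment to claim 1003..1006
    (FLOW, 1003, b"pwd\n"),        # different bytes for the same range: flagged
    (FLOW, SEQ_MOD - 2, b"abcd"),  # spans the 32-bit wrap
    (FLOW, 0, b"cX"),              # overlaps after the wrap, second byte differs
]

if __name__ == "__main__":
    for flow, seq in find_conflicting_segments(SAMPLE):
        print("conflicting data on", flow, "at seq", seq)
```

The monitor cannot tell which of the two segments came from the real endpoint; it only reports that the stream was contested at that sequence number.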
Current thread:
- Session hijacking, source-routes Ken Hardy (Feb 10)
- Re: Session hijacking, source-routes Bennett Todd (Feb 10)
- Re: Session hijacking, source-routes Paul D. Robertson (Feb 10)
- Re: Session hijacking, source-routes Ken Hardy (Feb 11)
- Re: Session hijacking, source-routes Cohen Liota (Feb 11)
- <Possible follow-ups>
- Re: Session hijacking, source-routes Ryan Russell (Feb 10)