Firewall Wizards mailing list archives

Re: IP Spoofing.


From: Ivan Arce <core.lists.firewall-wizards () core-sdi com>
Date: 30 Sep 1999 18:01:47 -0300

Randy Witlicki wrote:

  In the original blind IP spoofing (Mitnick, etc.) you had two
big holes:
   - Predictable initial TCP sequence numbers, and;
   - Trust (as in /.rhosts) with no security perimeter.
  In the classic way of doing it, you do an "echo X.X.X.X > /.rhosts"
as an rsh command in blind IP spoofing and then your host (X.X.X.X) is
now trusted and you are free to rlogin, etc. (assuming there
is no security perimeter).

  In a prudent setup with both cryptographically strong initial
TCP sequence numbers (you don't need OpenBSD here, but it helps), and
a good security perimeter, you should be immune from the "classic" attack.

just to add a bit...
cryptographically strong ISNs are not enough if an attacker has the ability
to inject source routed packets into the victim's network.
he/she won't need to guess the ISN if he/she injects a source routed SYN...
still, good security at the perimeter prevents this.
-ivan

--

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 It's nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

--------------------------------------------------------------------------------------------

 Iván Arce <ivan () core-sdi com>
 Presidente
 CORE SDI S.A.
 Pte. Juan D. Peron 315 4to UF17 (1394) Buenos Aires, Argentina.
 TE/FAX: +54-11-43-31-54-02 +54-11-43-31-54-09
 PGP fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
--------------------------------------------------------------------------------------------
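Added example (not from the thread or from CORE SDI): a minimal perimeter check for the source-routed packets Ivan mentions. It parses the IPv4 options field and flags any header carrying a Loose or Strict Source and Record Route option, which is the kind of packet a border filter has to drop so that strong ISNs are not bypassed. The packets used to exercise it are constructed inline; the addresses are documentation ranges, not real hosts.

```python
import socket
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89   # Loose / Strict Source and Record Route


def ipv4_options(packet: bytes):
    """Yield (type, raw_option_bytes) for each option in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:             # end of option list
            break
        if kind == IPOPT_NOP:             # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")  # a perimeter filter drops these too
        length = opts[i + 1]
        yield kind, opts[i:i + length]
        i += length


def is_source_routed(packet: bytes) -> bool:
    """True if the header carries an LSRR or SSRR option; the border filter drops it."""
    return any(k in (IPOPT_LSRR, IPOPT_SSRR) for k, _ in ipv4_options(packet))


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (protocol TCP, no payload) used only to exercise the check."""
    options += b"\x00" * (-len(options) % 4)        # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


# Constructed samples: a plain header, one with an LSRR option (type 0x83,
# length 7, pointer 4, one hop address), and one with a NOP followed by SSRR.
PLAIN = build_ipv4("192.0.2.10", "198.51.100.5")
LSRR = build_ipv4("192.0.2.10", "198.51.100.5",
                  b"\x83\x07\x04" + socket.inet_aton("203.0.113.1"))
SSRR = build_ipv4("192.0.2.10", "198.51.100.5",
                  b"\x01\x89\x07\x04" + socket.inet_aton("203.0.113.1"))
```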




--- For a personal reply use iarce () core-sdi com
