IDS mailing list archives
Re: Session Hijacking
From: Kevin <kkadow () gmail com>
Date: Thu, 3 Mar 2005 01:24:39 -0600
On Wed, 2 Mar 2005 12:15:27 -0500, Terry Ray wrote:
Question, I am learning about session hijacking, and I was wondering if an IPS has the capabilities to detect and prevent this type of attack? If so how exactly would the IPS prevent a session hijacking?
An IDS located on the same segment as the attacker should detect MITM attacks (e.g. ettercap). And of course there are IPS products which *perform* session hijacking (one way to put the 'P' in IPS). It is common for firewalls to optionally rewrite TCP's Initial Sequence Number, giving protection against blind spoofing. In theory, an inline IPS is in the same position to perform ISN randomization as a firewall, but I don't know if any current products offer this as a feature? While not truly a "hijack" attack, an inline IPS should be able to both detect and prevent "blind" TCP ReSeT attacks, by just dropping *all* RST packets for a given session once it's seen an unusually high number of resets -- even if the IPS is not good about tracking sequence numbers, this approach should work to mitigate the DoS. Kevin Kadow -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Session Hijacking Terry Ray (Mar 02)
- Re: Session Hijacking Mike Frantzen (Mar 04)
- Re: Session Hijacking Dragos Ruiu (Mar 06)
- RE: Session Hijacking Angel L Rivera (Mar 07)
- Re: Session Hijacking Dragos Ruiu (Mar 09)
- Re: Session Hijacking Dragos Ruiu (Mar 09)
- RE: Session Hijacking Angel L Rivera (Mar 09)
- Re: Session Hijacking Dragos Ruiu (Mar 10)
- Re: Session Hijacking Dragos Ruiu (Mar 06)
- Re: Session Hijacking Mike Frantzen (Mar 04)
- RE: Session Hijacking Omar Herrera (Mar 07)