Bugtraq mailing list archives
Re: NYT Article this morning
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Mon, 23 Jan 1995 11:28:11 -0500
NYT reports this morning that 'IP Spoofing' is being used to subvert sites. Anybody have details?

Yes. It's far worse than mere IP spoofing -- that would only get you into places which stupidly trust things like .rhosts files. The Times did not accurately describe the scope of the problem. This is a Very Bad Problem. People should legitimately worry about this one.
[...was told on condition of nondisclosure...]
I don't know what the problem in question is. But I just today spoke with someone freshly back from Usenix, who told me that someone is finally taking advantage of most hosts' lack of randomness in choosing sequence numbers for TCP connections. (If you can guess the sequence number chosen by the other end of the host, you can create a half-open connection; if the other end's replies are predictable enough, you can carry on a complete conversation. All without ever getting any packets back. SMTP is an example of a service that will often suffer from this.)

This sounds to me like a serious problem. The only real fix is to make sure that your sequence numbers _are_ strongly random, which without source is difficult at best. As a weak defense, you can make sure that the server->client messages for your TCP services vary in length, so as to make it impossible to carry on a complete conversation without seeing the packets. I'm certainly going to do this to my SMTP server....

der Mouse
mouse () collatz mcrcim mcgill edu
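
Added example, not part of the original post: a Python sketch of the fix the message calls for, contrasting a counter-based initial sequence number (ISN) generator with a keyed per-connection one in the style later specified by RFC 6528, plus an audit check over sampled ISNs. The class names, the step value, the addresses and the use of HMAC-SHA256 as the keyed function are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import socket
import struct

MASK32 = 0xFFFFFFFF

class CounterISN:
    """Legacy-style generator: one global counter bumped by a fixed step per connection."""
    def __init__(self, start=1000, step=64000):  # constructed values
        self.value, self.step = start, step

    def next_isn(self, *_conn):
        self.value = (self.value + self.step) & MASK32
        return self.value

class KeyedISN:
    """RFC 6528 style: ISN = M + F(localip, localport, remoteip, remoteport, secret)."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)

    def next_isn(self, laddr, lport, raddr, rport, timer=0):
        # timer stands in for M; it is held at 0 here to isolate the keyed offset.
        msg = (socket.inet_aton(laddr) + socket.inet_aton(raddr)
               + struct.pack("!HH", lport, rport))
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        offset = struct.unpack("!I", digest[:4])[0]
        return (timer + offset) & MASK32

def constant_step(isns):
    """Return the step if every consecutive delta (mod 2^32) is equal, else None."""
    deltas = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return deltas.pop() if len(deltas) == 1 else None

def sample(gen, n=8):
    # Constructed probe: n connections to port 25 from distinct client ports.
    return [gen.next_isn("192.0.2.10", 25, "198.51.100.7", 40000 + i) for i in range(n)]

if __name__ == "__main__":
    print("counter generator step:", constant_step(sample(CounterISN())))
    print("keyed generator step:  ", constant_step(sample(KeyedISN())))
```

A constant step means one observed ISN determines the next; the keyed generator yields no such step because the offset for each connection depends on a secret the remote side never sees.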