Bugtraq mailing list archives

Re: address spoof/no return packets


From: cklaus () shadow net (Christopher Klaus)
Date: Mon, 23 Jan 1995 21:00:13 -0500 (EST)




CERT Advisory CA-95:01 states:
"It is important to note that the described attack is possible even if no
reply packets can reach the attacker."

How can this be?

If you simulate a connection from a trusted host and trusted account to
something like the rsh port with the following command:

echo "+ +" > .rhosts

The attacker doesn't need to see the reply packets, but now he/she is
able to rlogin/rsh in from anywhere. 


-- 
Christopher William Klaus       Voice: (404)518-0099. Fax: (404)518-0030
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive, Atlanta, GA. 30350-2450.
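
A defensive check for the entry shown in the message above, as an added example that is not part of the original post: it parses .rhosts or hosts.equiv contents and reports entries where a "+" in the host or user field extends trust to everyone, and flags files writable by group or others. The sample contents, the function names and the treatment of "#" lines as comments are assumptions of this example.

```python
import os
import stat
import sys

# Constructed sample contents for illustration; the hostnames and users are made up.
SAMPLE = """\
trusted.example.com alice
+ +
+ bob
build.example.com +
# comment line
"""


def audit_rhosts(text):
    """Return (line_no, entry, reason) for every entry that grants wildcard trust."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):  # assumption: "#" starts a comment
            continue
        fields = entry.split()
        reasons = []
        if fields[0] == "+":
            reasons.append("any host is trusted")
        if len(fields) > 1 and fields[1] == "+":
            reasons.append("any remote user is trusted")
        if reasons:
            findings.append((line_no, " ".join(fields), "; ".join(reasons)))
    return findings


def audit_file(path):
    """Audit one file on disk: wildcard entries plus group/world-writable mode."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_rhosts(fh.read())
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, path, "file is writable by group or others"))
    return findings


if __name__ == "__main__":
    # With no arguments, run against the constructed sample above.
    results = {p: audit_file(p) for p in sys.argv[1:]} or {"<sample>": audit_rhosts(SAMPLE)}
    for name, findings in results.items():
        for line_no, entry, reason in findings:
            print(f"{name}:{line_no}: {entry!r}: {reason}")
```

Pass the paths of the .rhosts and hosts.equiv files to audit as arguments; line number 0 in the output marks a finding about the file itself rather than one entry.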


