Re: Blind IP Spoofing Attacks.

[z056716 () uprc com (LaCoursiere J. D.)]

> Hi,
>
>   Just wanted to discuss a minor point in the CERT and other
> advisories.  They mention that NFS and Sun RPC in general are
> vulnerable to the sequence number attack.  It is true that
> nfs and other rpc's do rely on IP address for authentication
> but I dont see how they are vulnerable to an attack.  You
> need to see the reply in order to get a filehandle in order
> to do anything with nfs.  As for Sun RPC, it doesn't trust

There are certain files that have predictable file handles...
As Brent has mentioned several times, if you can predict what
the target's response will be, you can continue to send packets
in...

> any host as its just a tool for writing protocols.  Are
> there other RPC protocols which are vulnerable to this
> attack?  Am I overlooking something about NFS?  Did someone
> just put 2 (fake source IP) and 2 (protocol relies on IP
> for authentication) together and get 3 (NFS is vulnerable
> to this attack)?
>
>                                 Tim N.