Re: Can a port be spoofed?

[Chris Brenton <cbrenton () sover net>]

twalls - Troy Walls wrote:
> If a customer opens a dedicated port in their firewall and looks for a
> dedicated port from my firewall, is it likely to be spoofed.  What is
> the level of difficulty?

I assume you are talking about a tunnel? A posture that accepts inbound
traffic from only a specific IP address to a specific port number?

If so, this is classic man-in-the-middle. Since the IP address and port
does not change, all an attacker has to find is the sequence numbers. I
believe the archives of this list has quite a bit on doing sequence
number prediction. The attacker would also need to known what kind of
data needs to be injected but they may be able to derive this from the
port number used, the contents of the data stream if encryption is not
used, or via brute force attack.

So the short answer is yes it is possible, but don't expect to see this
attack originating from grade-school.edu. ;)

The big question is whether there is anything on the other side of the
firewall that would make it worth someone's while to go through this
attack? This is a typical risk assessment issue.

Cheers,
Chris
-- 
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
* Mastering Network Security
http://www.amazon.com/exec/obidos/ISBN%3D0782123430/002-0346046-8151850