Firewall Wizards mailing list archives

Re: Session hijacking, source-routes


From: "Paul D. Robertson" <proberts () clark net>
Date: Wed, 10 Feb 1999 15:28:23 -0500 (EST)

On Wed, 10 Feb 1999, Ken Hardy wrote:

> Can a TCP session be hijacked if the target system rejects
> source-routed IP packets?

Yes.

> If I understand the process correctly, the attacker quells the
> legitimate client with a DOS attack and gets the server to
> route the packets to himself instead after having observed the
> proper sequence numbers to use.  (No real significance to use
> of client/server here -- could work against either end of the
> TCP connection.)
>
> If my f/w rejects all source-routed packets, are its connections
> immune to session hijacking, or does this (or can this) work
> another way?

Hijacking requires the attacker to spoof the hijackee.  Blind spoofing is
possible, especially with predictable sequence numbers; hijacking
with read access to any media in the client/server path for non-blind
spoofing (which is more difficult to detect) is also possible.  You don't
actually have to DOS the hijackee, just get your packets there before
theirs to win.  Source routing makes the entire exercise easier, but it's
not a base necessity, especially with unencrypted links and predictable
sequence numbers.



Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


