Firewall Wizards mailing list archives

RE: IP Spoofing.


From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 30 Sep 1999 20:14:46 -0700 (PDT)

Many years ago, Shimomura posted an account of this to the NetSys firewall
mailing list. It was fascinating reading, so I put a copy on my site. A link to
it is here:

http://www.robertgraham.com/mirror/shimomura-spoofing.html

The IP spoofing carried out wasn't to "anonymize" the activity, but simply to
subvert a trust relationship with an X terminal. It used TCP seqno prediction
and a sort of SYN flood against the spoofee to prevent it from tearing down the
connection. It really was the "classic" spoofing attack.

The detection of who it was involved simply looking back through the router
logs. For ISN prediction to work, you have to get the ISN. It's fairly easy to
track back who retrieved the ISN previous to the one being predicted.

Rob.

--- Rick Smith <rick_smith () securecomputing com> wrote:
At 09:08 PM 9/29/99 -0700, Kurt Buff wrote:

Chapter 1 describes Mitnick's compromise of Shimomura's system via Syn
flooding and IP spoofing.

When working on Internet Cryptography, one reviewer challenged me on a
third hand report I included of Mitnick's activities. Does anyone have a
reference that explicitly ties Shimomura's penetration to Mitnick? Is that
in Shimomura's book? ("Takedown" ??)

I admit I've been trying to avoid Shimomura's book since reports made it
sound too much like James Bond wannabe stuff. On the other hand, I really
enjoyed Victor Sheymov's "Tower of Secrets," and that's probably just a
compendium of every cool story he'd ever heard that was unlikely to be in
US reports (plus, I suppose, the story of his CIA sponsored escape).


Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/




=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."
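Rob's point above is that the attack leaves a trail: the attacker has to fetch ISNs from the target before predicting one, and the trusted host has to be flooded so it cannot reset the forged connection. As an added example that is not part of the original post, the script below runs that traceback over a constructed router connection log (the log format, addresses and the ten-second window are assumptions, not taken from the Shimomura account):

```python
import re
from collections import Counter
# Constructed router log (not from the post): "<sec> <src>:<port> > <dst>:<port> <flags>"
LOG = """\
1 10.0.0.9:1024 > 192.168.1.5:513 S
1 192.168.1.5:513 > 10.0.0.9:1024 SA
1 10.0.0.9:1024 > 192.168.1.5:513 R
2 10.0.0.9:1025 > 192.168.1.5:513 S
2 192.168.1.5:513 > 10.0.0.9:1025 SA
2 10.0.0.9:1025 > 192.168.1.5:513 R
3 198.51.100.4:2000 > 192.168.1.5:25 S
3 192.168.1.5:25 > 198.51.100.4:2000 SA
3 198.51.100.4:2000 > 192.168.1.5:25 A
5 203.0.113.7:600 > 192.168.1.2:513 S
5 203.0.113.7:601 > 192.168.1.2:513 S
6 192.168.1.2:1023 > 192.168.1.5:513 S
6 192.168.1.5:513 > 192.168.1.2:1023 SA
6 192.168.1.2:1023 > 192.168.1.5:513 A
"""
LINE = re.compile(r"(\d+) (\S+):\d+ > (\S+):\d+ (\S+)")
def parse(text):
    """One (time, src, dst, flags) tuple per packet; ports are dropped."""
    return [(int(t), s, d, f) for t, s, d, f in LINE.findall(text)]

def isn_fetchers(records, target, before, window):
    """Per host: (SYN-ACKs received from target, RSTs sent back) in the `window`
    seconds before `before`. Every SYN-ACK hands out an ISN; fetch-then-RST
    cycles are the footprint of sampling ISNs rather than using the service."""
    got, reset = Counter(), Counter()
    for t, src, dst, flags in records:
        if before - window <= t < before:
            if src == target and flags == "SA":
                got[dst] += 1
            elif dst == target and flags == "R":
                reset[src] += 1
    return {h: (got[h], reset[h]) for h in got}

def spoof_indicators(records, target, trusted, window=10):
    """For each SYN a trusted address opens to target: who fetched ISNs from
    target just before, and how many SYNs hit the trusted address itself
    (the flood that keeps the real host from answering with a RST)."""
    findings = []
    for t, src, dst, flags in records:
        if src in trusted and dst == target and flags == "S":
            floods = Counter(s for tt, s, d, f in records
                             if d == src and f == "S" and t - window <= tt < t)
            findings.append({"time": t, "trusted": src, "syns_to_trusted": dict(floods),
                             "isn_fetchers": isn_fetchers(records, target, t, window)})
    return findings
```

On the sample log the trusted-host connection at second 6 is preceded by two fetch-then-RST cycles from 10.0.0.9 and by SYNs aimed at the trusted host, which is exactly the pattern the router-log traceback looks for; the legitimate mail session from 198.51.100.4 shows up as one SYN-ACK with no RST.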
