Firewall Wizards mailing list archives

Re: IP Spoofing.


From: Emiliano Kargieman <core.lists.firewall-wizards () core-sdi com>
Date: 30 Sep 1999 18:02:46 -0300


Randy Witlicki wrote:

  In the original blind IP spoofing (Mitnick, etc.) you had two
big holes:
   - Predictable initial TCP sequence numbers, and;
   - Trust (as in /.rhosts) with no security perimeter.


I think you are confusing IP spoofing with TCP spoofing; those are two
different things. You don't have any sequence number in IP, so you don't have
to predict one... and the trust relationship is also not needed, i.e.: if you
have a good reason to spoof an IP packet then you have a good reason to do it.
(Trying to exploit a trust relationship could be a good reason.)


  So, the original poster's boss may be correct, if he is referring to
blind spoofing and he has a strong OS with prudent perimeter security.

  - Randy

A good IP implementation can't prevent IP spoofing; this is a protocol design
problem (as opposed to TCP ISN prediction, which is a protocol implementation
problem). Also, perimeter security will do nothing for you here... the only
thing you can prevent with 'perimeter security' is somebody spoofing IP src
address of your inside network.


regards, EK.

--
===================[ CORE Seguridad de la Informacion S.A. ]=======================
Emiliano Kargieman
emiliano_kargieman () core-sdi com
Director of Research
www.core-sdi.com
Corelabs
Pte. Juan D. Peron 315 Piso 4 UF 17
Buenos Aires, (1038). Argentina.                      Tel/Fax : +(54.11)43.31.54.02
===================================================================================

"When I was younger, I could remember anything, whether it had happened or not;
 but my faculties are decaying now and soon I shall be so I cannot remember any
 but the things that never happened. It is sad to go to pieces like this but we
 all have to do it." -- Mark Twain

"The greatest psychological acquisition of the porteño world is the absolute
insubordination of the new generations" -- Florencio Escardo



--- For a personal reply use emiliano_kargieman () core-sdi com
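
Added example, not part of the original message: a border anti-spoofing check in Python that shows the limit described above. A packet claiming an inside source on the outside interface can be dropped, but a forged outside source cannot be distinguished from a genuine one. The network range, function names and sample packets are constructed assumptions, and the egress check goes beyond what the message states.

```python
import ipaddress
import struct

# Assumption: the protected ("inside") network; constructed for this example.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")

def build_ipv4_header(src, dst, proto=6, payload_len=0):
    """Build a minimal 20-byte IPv4 header (constructed sample input, checksum 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len,   # version/IHL, TOS, total length
        0, 0,                        # identification, flags/fragment offset
        64, proto, 0,                # TTL, protocol, header checksum
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )

def parse_src_dst(header):
    """Return (src, dst) from an IPv4 header; raise ValueError if malformed.

    Note the header carries no sequence number: nothing here has to be guessed
    by whoever fills in the source field.
    """
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src, dst = struct.unpack("!4s4s", header[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)

def perimeter_verdict(header, arrived_on):
    """Border decision; arrived_on is 'outside' or 'inside'."""
    try:
        src, _dst = parse_src_dst(header)
    except ValueError:
        return "drop: malformed"
    if arrived_on == "outside" and src in INSIDE_NET:
        return "drop: inside source seen on outside interface"
    if arrived_on == "inside" and src not in INSIDE_NET:
        return "drop: foreign source leaving inside network"
    # An outside source address is taken at face value: the filter has no
    # way to tell whether it was forged.
    return "pass"

if __name__ == "__main__":
    for src, iface in [("192.0.2.10", "outside"), ("198.51.100.7", "outside"),
                       ("203.0.113.5", "inside")]:
        print(src, iface, perimeter_verdict(build_ipv4_header(src, "192.0.2.20"), iface))
```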


