Re: Session Hijacking

[Mike Frantzen <frantzen () nfr com>]

> Question, I am learning about session hijacking, and I was wondering
> if an IPS has the capabilities to detect and prevent this type of
> attack? If so how exactly would the IPS prevent a session hijacking?

It's pretty much impossible to prevent full-knowledge session hijacking
when the hijacker is on a local network with who he is hijacking.  You
pretty much have to be their switch.

You can make blind hijacking much harder by randomizing the TCP initial
sequence number; iirc Cisco's firewall was the first to do this without
a full proxy at least 6 years ago.  The next step is to do randomize the
source port ala NAT that doesn't actually rewrite the IP address.  And
the final step is to use the TCP Timestamp as a sequence number
extension; OpenBSD is the only one doing that right now.  Once you put
all the techniques together in a firewall or an IPS then blind spoofing
degenerates to attacks against the random number generator.  I ran the
numbers at one point and a successful TCP data injection would take a
matter of years (lemme know if you want me to dig up the math)


But you have to be careful because each one of those techniques will
break connections using the optional TCP MD5 signature.  Bye bye BGP


Other than that, the best way to detect session hijacking is to watch
for the ACK storm that happens when the hijacking screws up which
happens a good high percentage of the hijack attempts.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------