IDS mailing list archives
Re: Session Hijacking
From: Mike Frantzen <frantzen () nfr com>
Date: Thu, 3 Mar 2005 02:07:02 -0500
Question, I am learning about session hijacking, and I was wondering if an IPS has the capabilities to detect and prevent this type of attack? If so how exactly would the IPS prevent a session hijacking?
It's pretty much impossible to prevent full-knowledge session hijacking when the hijacker is on a local network with who he is hijacking. You pretty much have to be their switch. You can make blind hijacking much harder by randomizing the TCP initial sequence number; iirc Cisco's firewall was the first to do this without a full proxy at least 6 years ago. The next step is to do randomize the source port ala NAT that doesn't actually rewrite the IP address. And the final step is to use the TCP Timestamp as a sequence number extension; OpenBSD is the only one doing that right now. Once you put all the techniques together in a firewall or an IPS then blind spoofing degenerates to attacks against the random number generator. I ran the numbers at one point and a successful TCP data injection would take a matter of years (lemme know if you want me to dig up the math) But you have to be careful because each one of those techniques will break connections using the optional TCP MD5 signature. Bye bye BGP Other than that, the best way to detect session hijacking is to watch for the ACK storm that happens when the hijacking screws up which happens a good high percentage of the hijack attempts. .mike frantzen@(nfr.com | cvs.openbsd.org | w4g.org) PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Session Hijacking Terry Ray (Mar 02)
- Re: Session Hijacking Mike Frantzen (Mar 04)
- Re: Session Hijacking Dragos Ruiu (Mar 06)
- RE: Session Hijacking Angel L Rivera (Mar 07)
- Re: Session Hijacking Dragos Ruiu (Mar 09)
- Re: Session Hijacking Dragos Ruiu (Mar 09)
- RE: Session Hijacking Angel L Rivera (Mar 09)
- Re: Session Hijacking Dragos Ruiu (Mar 10)
- Re: Session Hijacking Dragos Ruiu (Mar 06)
- Re: Session Hijacking Mike Frantzen (Mar 04)
- RE: Session Hijacking Omar Herrera (Mar 07)