Bugtraq mailing list archives
Re: IP spoofing vs tcp wrappers and netacl
From: perry () imsi com (Perry E. Metzger)
Date: Tue, 24 Jan 1995 13:46:12 -0500
Christopher Klaus says:
> > > Probably the best way to prevent IP spoofing attacks is to turn off all ip-based authentication services, i.e. rsh, rlogin are the main ones.
> >
> > Insufficient. If you can see at least part of the packet stream, you can session-steal. This makes a mockery of things like S/Key.
>
> If you have an attacker that is listening to your packet stream, you have a more serious problem than just IP spoofing attacks.

Well, I'm afraid that judicious use of the protocols can under some circumstances be enough to knock just a couple of packets your way if you are pretty sure a link exists, and that's all you need to steal the connection. Given the way that the internet works, this is a problem for anyone traversing a firewall with a system like SNK, S/Key, Secure ID, or whatever, because their session could be hijacked after the fact.

> The only long-term solution that would adequately fix many of these problems is cryptography being implemented in authentication and encrypting all network traffic.

That is indeed the case. As I've noted, see draft-metzger-* in the nearest internet drafts directory for details on how to do that. I should be releasing an implementation for 4.4BSD kernels under a Berkeley style copyright.

Perry
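The argument in the message above, as an added example that is not part of the original post or of the drafts it mentions: a toy receiver that authenticates once at login and then trusts address and sequence number, next to one that checks a MAC on every packet. The class names, the sample traffic and the use of HMAC-SHA256 are assumptions made for illustration, and only packet authentication is modelled, not encryption.

```python
import hashlib
import hmac
import os
import struct

class AddressTrustedSession:
    """Authenticates once at login, then trusts (source address, sequence number)."""
    def __init__(self, peer_addr, login_ok):
        if not login_ok:
            raise PermissionError("login failed")
        self.peer_addr, self.next_seq, self.received = peer_addr, 0, []

    def receive(self, src_addr, seq, payload):
        # Nothing here ties the packet to whoever passed the login check.
        if src_addr != self.peer_addr or seq != self.next_seq:
            return False
        self.next_seq += 1
        self.received.append(payload)
        return True

class PerPacketAuthSession:
    """Every packet carries a MAC over (sequence number, payload) under a session key."""
    def __init__(self, key):
        self.key, self.next_seq, self.received = key, 0, []

    @staticmethod
    def seal(key, seq, payload):
        return hmac.new(key, struct.pack("!Q", seq) + payload, hashlib.sha256).digest()

    def receive(self, seq, payload, tag):
        expected = self.seal(self.key, seq, payload)
        if seq != self.next_seq or not hmac.compare_digest(tag, expected):
            return False
        self.next_seq += 1
        self.received.append(payload)
        return True

def demo():
    # Constructed traffic: one genuine packet, then one from a party that
    # knows the address and sequence number but not the session key.
    weak = AddressTrustedSession("192.0.2.10", login_ok=True)
    weak_results = [weak.receive("192.0.2.10", 0, b"ls\n"),
                    weak.receive("192.0.2.10", 1, b"injected\n")]
    key = os.urandom(32)
    strong = PerPacketAuthSession(key)
    good_tag = PerPacketAuthSession.seal(key, 0, b"ls\n")
    forged_tag = PerPacketAuthSession.seal(os.urandom(32), 1, b"injected\n")
    strong_results = [strong.receive(0, b"ls\n", good_tag),
                      strong.receive(1, b"injected\n", forged_tag)]
    return weak_results, strong_results

if __name__ == "__main__":
    print(demo())
```

The first receiver accepts both packets because a one-time login says nothing about later traffic; the second rejects the packet whose tag was not made with the session key.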