Blind IP Spoofing Attacks.

[newsham () aloha net (Timothy Newsham)]

Hi,

  Just wanted to discuss a minor point in the CERT and other
advisories.  They mention that NFS and Sun RPC in general are
vulnerable to the sequence number attack.  It is true that
nfs and other rpc's do rely on IP address for authentication
but I dont see how they are vulnerable to an attack.  You
need to see the reply in order to get a filehandle in order
to do anything with nfs.  As for Sun RPC, it doesn't trust
any host as its just a tool for writing protocols.  Are
there other RPC protocols which are vulnerable to this
attack?  Am I overlooking something about NFS?  Did someone
just put 2 (fake source IP) and 2 (protocol relies on IP
for authentication) together and get 3 (NFS is vulnerable
to this attack)?

                                Tim N.