Bugtraq mailing list archives

Re: Router filtering not enough! (Was: Re: CERT advisory )


From: jim () math psu edu (Jim Duncan)
Date: Tue, 24 Jan 1995 18:01:33 -0500


Rens Troost writes:
> This does not require spoofing or
> source-routing, although the current attackers seem to be using
> spoofing and source routing, count on them to start using more
> pernicious methods soon.

The current attack does _not_ use source routing; the acknowledgements are
never seen by the attackers.  It wasn't mentioned in your recent letter, but
they are _not_ hijacking an existing connection, either.  Almost everybody
I've talked to has assumed that source routing is used and an existing
connection must be hijacked.  Neither is correct in this attack.  I made
this assumption too, and "got corrected". :-)

Dunno why the assumptions are so prevalent, but I assume we all read them
in to some paper on the subject.  In this case, the attackers start a new
connection, and other than the initial probe, complete the attack entirely
in the blind.

> As has been pointed out, only network or
> transport-level encryption will entirely block these attacks.

That's correct.  That and teach people the difference between identification
and authentication.

        Jim


