Bugtraq mailing list archives
Re: Blind IP Spoofing Attacks.
From: newsham () aloha net (Timothy Newsham)
Date: Wed, 25 Jan 1995 10:04:18 -1000 (HST)
They mention that NFS and Sun RPC in general are vulnerable to the sequence number attack. It is true that nfs and other rpc's do rely on IP address for authentication but I don't see how they are vulnerable to an attack. You need to see the reply in order to get a filehandle in order to do anything with nfs.
If you can guess the filehandle, you don't need the reply packet.
Why would anyone do this with TCP sequence number guessing where the fake connections can only be made for a small fraction of total attempts when they can spoof udp 100% of the time?
Also, using rsh to do 'echo "+ +" > /.rhosts' would be a hell of a lot easier... ;)
This is the only viable attack with sequence numbers I can think of, and it relies on a hosts.equiv or .rhosts already being in place.
--j.
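The message above notes that this attack depends on a hosts.equiv or .rhosts file and mentions the "+ +" wildcard entry. The following is an added example, not part of the original post: a small audit that flags wildcard trust entries in such a file. The function name, the sample content and the treatment of '#' as a comment marker are assumptions made for illustration.

```python
"""Added example: audit rhosts-style trust files for wildcard entries."""

# Constructed sample content, not taken from any real host.
SAMPLE_RHOSTS = """\
# constructed sample
trusted.example.com alice
+ +
+ bob
build.example.com +
-badhost.example.com
+@admins
"""


def audit_trust_entries(text):
    """Return (line_no, entry, reason) for every wildcard trust entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Assumption: '#' starts a comment, as common implementations treat it.
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        fields = entry.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue  # explicit deny entry, grants no trust
        if host == "+" and user == "+":
            reason = "any user from any host is trusted"
        elif host == "+":
            reason = "any host is trusted"
        elif user == "+":
            reason = "any remote user on this host is trusted"
        else:
            continue  # named host (or netgroup) with no wildcard
        findings.append((line_no, entry, reason))
    return findings


if __name__ == "__main__":
    for line_no, entry, reason in audit_trust_entries(SAMPLE_RHOSTS):
        print(f"line {line_no}: {entry!r}: {reason}")
```

Netgroup entries such as "+@admins" are not flagged here; whether they are acceptable depends on the netgroup's membership.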