Bugtraq mailing list archives

Loaded system no protection.


From: bicknell () ussenterprise async vt edu (Leo Bicknell)
Date: Fri, 27 Jan 1995 16:03:45 -0500 (EST)


        Several people have already pointed out to me that a loaded
system is no protection from the IP spoofing attack, since a hacker
can just wait until the machine is less loaded.

        I do not consider a loaded system protection; I merely want
to know if it would significantly decrease the attacker's odds.  To
date I have heard figures about guessing that all seem to assume
you can pretty much guarantee two sequential connections to a machine.
In this case I have seen odds from 1 in 2, up to 1 in 10,000.  
(Since you also have to get the time interval right, which on a
loaded _network_ will be more difficult).  

        It would not surprise me if you had two machines on a
single cable, both doing nothing that you could easily get in
1 out of every two tries.  At the same time it also seems that
if you have a busy machine on a busy network you're closer to 
the 1 in 10,000 figure, if not (much?) higher.

        This is important to people who want to try and track this.
Say for instance you were to log every packet that goes by (as I'm
told some places do).  Now, if the attacker has a 1 in 2 chance you
might very well be looking for a single packet...a needle in a
haystack if you will.  If it's a 1 in 10,000 chance an automated
system might notice 4-5,000 more or less identical packets coming
from somewhere.

        I by no means want a loaded system to be my security, and that
wasn't really what my original query was about.  I'm more interested
in how easy this really is to do, and being short of time like most
people are I don't want to write a program to do it, and then run
10,000 tests on it to see how many times I get in.  I suppose I was
hoping someone would have already done this and be able to share some
results.

-- 
Leo Bicknell - bicknell () vt edu                     | Make a little birdhouse
               bicknell () csugrad cs vt edu          | in your soul......
               bicknell () ussenterprise async vt edu | They Might
http://ussenterprise.async.vt.edu/~bicknell/       | Be Giants
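
The detection idea raised in the message (an automated system noticing thousands of near-identical packets) can be sketched as follows. This is an added example, not part of the original post: the function names, the 1,000-packet threshold, the 60-second window, the addresses and ports are all constructed for illustration, and each guess is assumed to succeed independently with the same odds.

```python
from collections import defaultdict, deque

def find_repeated_packet_bursts(packets, threshold=1000, window=60.0):
    """Return {(src, dst, dport, flags): peak count} for every packet
    signature seen at least `threshold` times within `window` seconds.
    `packets` must be sorted by timestamp."""
    recent = defaultdict(deque)   # signature -> timestamps still in window
    peaks = {}
    for ts, src, dst, dport, flags in packets:
        key = (src, dst, dport, flags)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:     # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def prob_alert_before_success(p, threshold):
    """Chance that `threshold` guesses all fail (so the detector sees
    them) when each guess succeeds independently with probability p."""
    return (1.0 - p) ** threshold

def constructed_log():
    """Constructed sample: 1,500 identical SYNs claiming to come from
    one host in 30 s, mixed with 50 unrelated single packets."""
    burst = [(i * 0.02, "192.0.2.10", "192.0.2.20", 513, "S")
             for i in range(1500)]
    noise = [(i * 0.5, f"198.51.100.{i + 1}", "192.0.2.20", 25, "S")
             for i in range(50)]
    return sorted(burst + noise)

if __name__ == "__main__":
    for key, peak in find_repeated_packet_bursts(constructed_log()).items():
        print("burst:", key, "peak", peak)
    for odds in (2, 10_000):
        print(f"1 in {odds}: P(alert first) =",
              prob_alert_before_success(1 / odds, 1000))
```

With these assumed settings, a volume threshold almost never fires at 1 in 2 odds but fires before a successful guess about 90% of the time at 1 in 10,000.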


