Firewall Wizards mailing list archives

[Fwd: Re: IP Spoofing.]


From: "Peter J. Kunz" <pkunz () icu unizh ch>
Date: Tue, 19 Oct 1999 17:42:04 +0200

Here's an old reply...

-------- Original Message --------
Subject: Re: IP Spoofing.
Date: Thu, 30 Sep 1999 16:56:31 +0200
From: "Peter J. Kunz" <pkunz () icu unizh ch>
To: Randy Witlicki <randy.witlicki () valley net>
CC: Carric Dooley <carric () com2usa com>,
petro () atypon com, firewall-wizards () nfr net
References: <v04205502b4089b713655@[10.1.1.212]>
<l03130300b41718e50702@[198.115.164.57]>



Randy Witlicki wrote:

  In the original blind IP spoofing (Mitnick, etc.) you had two
big holes:
   - Predictable initial TCP sequence numbers, and;
   - Trust (as in /.rhosts) with no security perimeter.
  In the classic way of doing it, you do a "echo X.X.X.X > /.rhosts"
as an rsh command in blind IP spoofing and then your host (X.X.X.X) is
now trusted and you are free to rlogin, etc. (assuming there
is no security perimeter).

Uhm, wouldn't you need access authority to have rsh work on the remote
host?...

  In a prudent setup with both cryptographically strong initial
TCP sequence numbers (you don't need OpenBSD here, but it helps), and
a good security perimeter, you should be immune from the "classic" attack.

I notice in nmap there are different values for TCP prediction. Anyone
care to elaborate what the different techniques are and why guessing on
some is harder than others (apart from crypto, of course :-)) )?

Btw, what kind of number prediction does that network tool for
Solaris work on - I think it's IP-Watch. It allows you to hijack a TCP
session.

Could anyone provide me with a link or pointer to information that I
could use to prove him wrong, or to information that proves me wrong?

Bellovin's '89 or '93 paper (Computer Communications Review, perhaps at
att.com) or Morris's '85 paper
http://www.eecs.harvard.edu/~rtm/papers.html


cu
-pete
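Added example, not part of the thread or of nmap: a small Python model of the ISN generator classes nmap reports (constant, 64K rule, time dependent, random positive increments, truly random) with a toy difficulty index, taken here as log2 of the standard deviation of consecutive ISN steps, which is an assumption approximating nmap's scoring rather than its exact formula. The generators are constructed models of each class, not any real TCP stack's code.

```python
import itertools
import math
import random
import statistics
MOD = 1 << 32  # ISNs are 32-bit and wrap
# Toy ISN generators: constructed models of each class, not any real TCP stack's code.
def gen_64k_rule(n, start=0):
    """Classic BSD behaviour: each new connection gets the previous ISN + 64000."""
    return [(start + i * 64000) % MOD for i in range(n)]

def gen_time_dependent(n, rng, step=1280, jitter=100):
    """Clock-driven counter (~128000/s, connections 10 ms apart) plus small jitter."""
    return [(i * step + rng.randint(-jitter, jitter)) % MOD for i in range(n)]

def gen_random_increment(n, rng, max_step=1 << 20):
    """Monotonic ISN with an unpredictable positive step per connection."""
    steps = (rng.randint(1, max_step) for _ in range(n))
    return list(itertools.accumulate(steps, lambda a, b: (a + b) % MOD))

def gen_random(n, rng):
    """Fully random ISNs, what a cryptographically strong generator aims for."""
    return [rng.getrandbits(32) for _ in range(n)]

def isn_diffs(samples):
    """Steps between consecutive ISNs, interpreted as signed 32-bit values."""
    raw = [(b - a) % MOD for a, b in zip(samples, samples[1:])]
    return [d - MOD if d >= MOD // 2 else d for d in raw]

def difficulty_index(samples):
    """log2 of the std-dev of the steps: 0 = trivially predictable, ~31 = random."""
    sd = statistics.pstdev(isn_diffs(samples))
    return 0 if sd < 1 else round(math.log2(sd))

def classify(samples):
    """Assign an nmap-style predictability class from sampled ISNs."""
    diffs = isn_diffs(samples)
    if len(set(diffs)) == 1:
        return {0: "constant", 64000: "64K rule"}.get(diffs[0], "fixed increment")
    if all(d > 0 for d in diffs):
        return "time dependent" if difficulty_index(samples) < 10 else "random positive increments"
    return "truly random"

def survey(seed=1999, n=50):
    rng = random.Random(seed)  # seeded so the constructed samples repeat
    sets = {"64K rule": gen_64k_rule(n), "time": gen_time_dependent(n, rng),
            "random inc": gen_random_increment(n, rng), "random": gen_random(n, rng)}
    return {k: (classify(s), difficulty_index(s)) for k, s in sets.items()}

if __name__ == "__main__":
    print(*(f"{k:11s} {c:27s} difficulty={i}" for k, (c, i) in survey().items()), sep="\n")
```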



