Re: Router filtering not enough! (Was: Re: CERT advisory )

jimmath.psu.edu

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Darren Reed: "Re: IP spoofing vs tcp wrappers and netacl"
• Previous message: Jim Duncan: "Re: Hijacking tool"
• In reply to: Rens Troost: "Router filtering not enough! (Was: Re: CERT advisory )"

Rens Troost writes:
> This does not require spoofing or
> rource-routing, although the current attackers seem to be using
> spoofing and source routing, count on them to start using more
> pernicious methods soon.

The current attack does _not_ use source routing; the acknowledgements are
never seen by the attackers.  It wasn't mentioned in your recent letter, but
they are _not_ hijacking an existing connection, either.  Almost everybody
I've talked to has assumed that source routing is used and an existing
connection must be hijacked.  Neither is correct in this attack.  I made
this assumption too, and "got corrected". :-)

Dunno why the assumptions are so prevalent, but I assume we all read them
in to some paper on the subject.  In this case, the attackers start a new
connection, and other than the initial probe, complete the attack entirely
in the blind.

> As has been pointed out, only network or
> transport-level encryption will entirely block these attacks.

That's correct.  That and teach people the difference between identification
and authentication.

	Jim

• Next message: Darren Reed: "Re: IP spoofing vs tcp wrappers and netacl"
• Previous message: Jim Duncan: "Re: Hijacking tool"
• In reply to: Rens Troost: "Router filtering not enough! (Was: Re: CERT advisory )"