OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: Can a port be spoofed?

Re: Can a port be spoofed?


Chris Brenton (cbrentonsover.net)
Sat, 03 Oct 1998 00:10:28 -0400


twalls - Troy Walls wrote:
>
> If a customer opens a dedicated port in their firewall and looks for a
> dedicated port from my firewall, is it likely to be spoofed. What is
> the level of difficulty?

I assume you are talking about a tunnel? A posture that accepts inbound
traffic from only a specific IP address to a specific port number?

If so, this is classic man-in-the-middle. Since the IP address and port
does not change, all an attacker has to find is the sequence numbers. I
believe the archives of this list has quite a bit on doing sequence
number prediction. The attacker would also need to known what kind of
data needs to be injected but they may be able to derive this from the
port number used, the contents of the data stream if encryption is not
used, or via brute force attack.

So the short answer is yes it is possible, but don't expect to see this
attack originating from grade-school.edu. ;)

The big question is whether there is anything on the other side of the
firewall that would make it worth someone's while to go through this
attack? This is a typical risk assessment issue.

Cheers,
Chris

-- 
**************************************
cbrentonsover.net

* Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529 * Mastering Network Security http://www.amazon.com/exec/obidos/ISBN%3D0782123430/002-0346046-8151850



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:55 CDT