NFR Wizards Archives: RE: IP Spoofing.

RE: IP Spoofing.


Robert Graham (robert_david_grahamyahoo.com)
Thu, 30 Sep 1999 20:14:46 -0700 (PDT)


Many years ago, Shimomura posted an account of this to the NetSys firewall
mailing list. It was fascinating reading, so I put a copy on my site. A link to
it is here:

http://www.robertgraham.com/mirror/shimomura-spoofing.html

The IP spoofing carried out wasn't to "anonymize" the activity, but simply to
subvert a trust relationship with an X terminal. It used TCP seqno prediction
and a sort of SYN flood against the spoofee to prevent it from tearing down the
connection. It really was the "classic" spoofing attack.

The detection of who it was involved simply looking back through the router
logs. For ISN prediction to work, you have to get the ISN. It's fairly easy to
track back who retrieved the ISN previous to the one being predicted.

Rob.

--- Rick Smith <rick_smithsecurecomputing.com> wrote:
> At 09:08 PM 9/29/99 -0700, Kurt Buff wrote:
>
> >Chapter 1 describes Mitnick's compromise of Shimomura's system via SYN
> >flooding and IP spoofing.
>
> When working on Internet Cryptography, one reviewer challenged me on a
> third-hand report I included of Mitnick's activities. Does anyone have a
> reference that explicitly ties Shimomura's penetration to Mitnick? Is that
> in Shimomura's book? ("Takedown" ??)
>
> I admit I've been trying to avoid Shimomura's book since reports made it
> sound too much like James Bond wannabe stuff. On the other hand, I really
> enjoyed Victor Sheymov's "Tower of Secrets," and that's probably just a
> compendium of every cool story he'd ever heard that was unlikely to be in
> US reports (plus, I suppose, the story of his CIA-sponsored escape).
>
>
> Rick.
> smithsecurecomputing.com
> "Internet Cryptography" at http://www.visi.com/crypto/
>
>

=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."
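
The log look-back described in the message above, as an added example that is not part of the original post: for a connection claiming the trusted host as its source, list the hosts that received a SYN-ACK (and so an ISN) from the target shortly beforehand, most recent first. The record format, addresses and 30-second window are assumptions, and the log is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since start of log
    src: str
    dst: str
    flags: str  # "S" SYN, "SA" SYN-ACK, "R" RST

TARGET, TRUSTED = "192.0.2.10", "192.0.2.20"  # constructed addresses

# Constructed log: one old legitimate client, a burst of ISN sampling,
# then a connection claiming to come from the trusted host.
LOG = [
    Flow(5.0, "203.0.113.9", TARGET, "S"),
    Flow(5.1, TARGET, "203.0.113.9", "SA"),
    Flow(60.0, "198.51.100.7", TARGET, "S"),
    Flow(60.1, TARGET, "198.51.100.7", "SA"),
    Flow(60.2, "198.51.100.7", TARGET, "R"),
    Flow(60.5, "198.51.100.7", TARGET, "S"),
    Flow(60.6, TARGET, "198.51.100.7", "SA"),
    Flow(60.7, "198.51.100.7", TARGET, "R"),
    Flow(61.0, TRUSTED, TARGET, "S"),   # the connection under investigation
]

def isn_samplers(log, target, trusted, window=30.0):
    """For each SYN claiming `trusted` as source, list the hosts the target
    sent a SYN-ACK (and so an ISN) to in the preceding `window` seconds,
    as (host, sample_count, last_sample_ts), most recent first."""
    findings = []
    for syn in log:
        if (syn.src, syn.dst, syn.flags) != (trusted, target, "S"):
            continue
        seen = defaultdict(list)
        for f in log:
            if (f.src == target and f.flags == "SA" and f.dst != trusted
                    and syn.ts - window <= f.ts < syn.ts):
                seen[f.dst].append(f.ts)
        ranked = sorted(((host, len(ts), max(ts)) for host, ts in seen.items()),
                        key=lambda r: r[2], reverse=True)
        findings.append((syn.ts, ranked))
    return findings

if __name__ == "__main__":
    for ts, ranked in isn_samplers(LOG, TARGET, TRUSTED):
        print(f"connection at t={ts}:")
        for host, count, last in ranked:
            print(f"  {host} received {count} ISN(s), last at t={last}")
```
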



This archive was generated by hypermail 2.0b3 on Fri Oct 01 1999 - 18:12:48 CDT