Re: NYT Article this morning

der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Mon, 23 Jan 1995 11:28:11 -0500

>> NYT reports this morning that 'IP Spoofing' is being used to
>> subvert sites.  Anybody have details?
> Yes.  It's far worse than mere IP spoofing -- that would only get you
> in to places which stupidly trust things like .rhosts files.  The
> Times did not accurately describe the scope of the problem.  This is
> a Very Bad Problem.  People should legitimately worry about this one.

> [...was told on condition of nondisclosure...]

I don't know what the problem in question is.  But I just today spoke
with someone freshly back from Usenix, who told me that someone is
finally taking advantage of most hosts' lack of randomness in choosing
sequence numbers for TCP connections.  (If you can guess the sequence
number chosen by the other end of the host, you can create a half-open
connection; if the other end's replies are predictable enough, you can
carry on a complete conversation.  All without ever getting any packets
back.  SMTP is an example of a service that will often suffer from
this.)

This sounds to me like a serious problem.  The only real fix is to make
sure that your sequence numbers _are_ strongly random, which without
source is difficult at best.

As a weak defense, you can make sure that the server->client messages
for your TCP services vary in length, so as to make it impossible to
carry on a complete conversation without seeing the packets.  I'm
certainly going to do this to my SMTP server....

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
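The attack and the two defences described in the message above, as an added example that is not part of der Mouse's post and is not code from any real TCP stack. It is a toy simulation in Python: a single-connection server that checks sequence and acknowledgement numbers, a predictable ISN clock (modelled on the "+64 per new connection" scheme of the old BSD stacks), the strongly random ISN the post asks for, and the weak defence of varying reply lengths. The host names, the ISN constants, the SMTP reply script and the padding used to vary reply lengths are all assumed for illustration. One simplification matters for reading the results: this server accepts a segment only when its ack number equals exactly what the server has sent so far, whereas a real stack also tolerates a lower ack number as a duplicate ACK and still delivers the data, which is why varying reply lengths is only a weak defence in practice.

```python
"""Blind TCP session via ISN prediction, simulated end to end (added example,
not from the original post). Toy model: one server, one connection at a time,
exact seq/ack matching. Hosts, ISN constants and the SMTP script are assumed."""
import os
import random
import struct
from collections import namedtuple

MASK32 = 0xFFFFFFFF


def add32(a, b):
    return (a + b) & MASK32


# The only TCP header fields the attack cares about.
Seg = namedtuple("Seg", "src dst flags seq ack data")


class PredictableISN:
    """ISN clock in the style of 4.2BSD: +64 per new connection (assumed).
    The real clock also ticked +128/s; it is left out so the run is
    deterministic, which removes only a small, bounded uncertainty."""
    def __init__(self, start=0x1000):
        self.counter = start & MASK32

    def next_isn(self):
        self.counter = add32(self.counter, 64)
        return self.counter


class RandomISN:
    """The real fix: 32 bits from the OS CSPRNG for every connection."""
    def next_isn(self):
        return struct.unpack(">I", os.urandom(4))[0]


class Server:
    """Toy TCP endpoint driving a fixed SMTP-like reply script.
    Simplification: a segment is accepted only if seq == rcv_nxt and
    ack == snd_nxt exactly (real stacks also tolerate ack < snd_nxt)."""
    def __init__(self, isn_gen, replies, vary_lengths=False):
        self.isn_gen, self.replies, self.vary_lengths = isn_gen, replies, vary_lengths
        self.sent = []          # every segment the server put on the wire
        self.reset()

    def reset(self):
        self.state, self.peer, self.rcv_nxt, self.snd_nxt, self.turn = "LISTEN", None, 0, 0, 0

    def _emit(self, flags, data=b""):
        self.sent.append(Seg("server", self.peer, flags, self.snd_nxt, self.rcv_nxt, data))
        self.snd_nxt = add32(self.snd_nxt, len(data) + (1 if flags == "SYN-ACK" else 0))

    def _reply(self, i):
        text = self.replies[i].encode()
        if self.vary_lengths:   # weak defence: 1..8 bytes of padding the blind attacker cannot predict
            text = text[:-2] + b" " * random.randint(1, 8) + b"\r\n"
        return text

    def receive(self, seg):
        """Process one inbound segment; True if the server accepted it."""
        if self.state == "LISTEN":
            if seg.flags != "SYN":
                return False
            self.peer, self.rcv_nxt = seg.src, add32(seg.seq, 1)
            self.snd_nxt = self.isn_gen.next_isn()
            self._emit("SYN-ACK")              # goes to seg.src, which the spoofer never sees
            self.state = "SYN-RECEIVED"
            return True
        if (seg.src, seg.seq, seg.ack) != (self.peer, self.rcv_nxt, self.snd_nxt):
            return False                       # out of window: dropped
        if self.state == "SYN-RECEIVED":
            self.state = "ESTABLISHED"
            self._emit("ACK", self._reply(0))  # banner
            self.turn = 1
            return True
        self.rcv_nxt = add32(self.rcv_nxt, len(seg.data))
        if self.turn < len(self.replies):
            self._emit("ACK", self._reply(self.turn))
            self.turn += 1
        return True


SMTP_REPLIES = ["220 mail.example.test ESMTP\r\n", "250 mail.example.test\r\n",
                "250 OK\r\n", "250 OK\r\n"]                      # constructed script
COMMANDS = [b"HELO trusted-host\r\n", b"MAIL FROM:<root@trusted-host>\r\n",
            b"RCPT TO:<victim@mail.example.test>\r\n"]          # what the spoofer injects


def probe_isn(server):
    """One honest connection from the attacker's own address, only to read
    the ISN out of the SYN/ACK that comes back to us."""
    server.receive(Seg("attacker", "server", "SYN", 1000, 0, b""))
    synack = server.sent[-1]
    assert synack.dst == "attacker"
    server.reset()                              # toy model: one connection at a time
    return synack.seq


def blind_session(server, isn_guess, reply_lens):
    """Drive a whole session as 'trusted-host' without reading any reply.
    Returns how many of the five segments the server accepted."""
    seq, ack, ok = 5000, add32(isn_guess, 1), 0
    ok += server.receive(Seg("trusted-host", "server", "SYN", seq, 0, b""))
    seq = add32(seq, 1)
    ok += server.receive(Seg("trusted-host", "server", "ACK", seq, ack, b""))
    for cmd, prior in zip(COMMANDS, reply_lens):
        ack = add32(ack, prior)                 # bytes we believe the server sent since last time
        ok += server.receive(Seg("trusted-host", "server", "ACK", seq, ack, cmd))
        seq = add32(seq, len(cmd))
    return ok


def run_attack(isn_gen, vary_lengths=False):
    server = Server(isn_gen, SMTP_REPLIES, vary_lengths)
    guess = add32(probe_isn(server), 64)        # attacker's model of the ISN clock
    return blind_session(server, guess, [len(r) for r in SMTP_REPLIES])


if __name__ == "__main__":
    print("predictable ISN, fixed replies :", run_attack(PredictableISN()), "of 5 accepted")
    print("random ISN                      :", run_attack(RandomISN()), "of 5 accepted")
    print("predictable ISN, varying replies:", run_attack(PredictableISN(), True), "of 5 accepted")
```

With the predictable clock and fixed-length replies all five spoofed segments are accepted and every server reply is addressed to trusted-host, which the attacker never needs to read. With a random ISN the bare SYN still gets a SYN/ACK, but the guessed ack number is wrong and the handshake never completes. With predictable ISNs but padded replies the handshake completes and only the first command is rejected, which is exactly the gap the post's "weak defence" closes, and only because this toy server insists on an exact ack number.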