Re: IP spoofing vs tcp wrappers and netacl

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Rens Troost: "Re: Router filtering not enough! (Was: Re: CERT advisory )"
• Previous message: Oliver Friedrichs: "Re: Hijacking tool"
• In reply to: Christopher Klaus: "Re: IP spoofing vs tcp wrappers and netacl"
• Next in thread: Darren Reed: "Re: IP spoofing vs tcp wrappers and netacl"

Christopher Klaus says:
> > Christopher Klaus says:
> > > Probably the best way to prevent IP spoofing attacks is to turn off all
> > > ip-based authenication services, ie rsh, rlogin are the main ones.
> > 
> > Insufficient. If you can see at least part of the packet stream, you
> > can session-steal. This makes a mockery of things like S/Key.
> 
> If you have an attacker that is listening to your packet stream, you
> have more serious problem than just IP spoofing attacks.

Well, I'm afraid that judicious use of the protocols can under some
circumstances be enough knock just a couple of packets your way if you
are pretty sure a link exists, and thats all you need to steal the
connection. Given the way that the internet works, this is a problem
for anyone traversing a firewall with a system like SNK, S/Key, Secure
ID, or whatever, because their session could be hijacked after the fact.

> The only long-term solution that would adequately fix many of these
> problems is cryptography being implemented in authenication and encrypting
> all network traffic.

That is indeed the case. As I've noted, see draft-metzger-* in the
nearest internet drafts directory for details on how to do that. I
should be releasing an implementation for 4.4BSD kernels under a
Berkeley style copyright.

Perry

• Next message: Rens Troost: "Re: Router filtering not enough! (Was: Re: CERT advisory )"
• Previous message: Oliver Friedrichs: "Re: Hijacking tool"
• In reply to: Christopher Klaus: "Re: IP spoofing vs tcp wrappers and netacl"
• Next in thread: Darren Reed: "Re: IP spoofing vs tcp wrappers and netacl"