Rens Troost writes: > This does not require spoofing or > rource-routing, although the current attackers seem to be using > spoofing and source routing, count on them to start using more > pernicious methods soon. The current attack does _not_ use source routing; the acknowledgements are never seen by the attackers. It wasn't mentioned in your recent letter, but they are _not_ hijacking an existing connection, either. Almost everybody I've talked to has assumed that source routing is used and an existing connection must be hijacked. Neither is correct in this attack. I made this assumption too, and "got corrected". :-) Dunno why the assumptions are so prevalent, but I assume we all read them in to some paper on the subject. In this case, the attackers start a new connection, and other than the initial probe, complete the attack entirely in the blind. > As has been pointed out, only network or > transport-level encryption will entirely block these attacks. That's correct. That and teach people the difference between identification and authentication. Jim