Re: Blind IP Spoofing Attacks.

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Aleph One: "Re: address spoof/no return packets"
• Previous message: John Evans: "Re: Hijacking tool"
• In reply to: Timothy Newsham: "Blind IP Spoofing Attacks."
• Next in thread: Justin Mason: "Re: Blind IP Spoofing Attacks."

Timothy Newsham says:
>   Just wanted to discuss a minor point in the CERT and other
> advisories.  They mention that NFS and Sun RPC in general are
> vulnerable to the sequence number attack.  It is true that
> nfs and other rpc's do rely on IP address for authentication
> but I dont see how they are vulnerable to an attack.  You
> need to see the reply in order to get a filehandle in order
> to do anything with nfs.  As for Sun RPC, it doesn't trust
> any host as its just a tool for writing protocols.  Are
> there other RPC protocols which are vulnerable to this
> attack?  Am I overlooking something about NFS?  Did someone
> just put 2 (fake source IP) and 2 (protocol relies on IP
> for authentication) together and get 3 (NFS is vulnerable
> to this attack)?

Solaris 2.X has "fixed" source routes so that they work, and has RPC
over TCP, including NFS over TCP. That means that you could indeed
make some nasty uses of IP spoofing in conjunction with NFS.

Myself, I consider NFS to be highly insecure and always advice clients
to hide it behind application level firewalls.

Perry

• Next message: Aleph One: "Re: address spoof/no return packets"
• Previous message: John Evans: "Re: Hijacking tool"
• In reply to: Timothy Newsham: "Blind IP Spoofing Attacks."
• Next in thread: Justin Mason: "Re: Blind IP Spoofing Attacks."