> > They mention that NFS and Sun RPC in general are
> > vulnerable to the sequence number attack. It is true that
> > nfs and other rpc's do rely on IP address for authentication
> > but I don't see how they are vulnerable to an attack. You
> > need to see the reply in order to get a filehandle in order
> > to do anything with nfs.
>
> If you can guess the filehandle, you don't need the reply
> packet.

Why would anyone do this with TCP sequence number guessing, where the fake connections can only be made for a small fraction of total attempts, when they can spoof UDP 100% of the time?

> Also, using rsh to do 'echo "+ +" > /.rhosts' would be a hell of
> a lot easier... ;)

This is the only viable attack with sequence numbers I can think of, and it relies on a hosts.equiv or .rhosts already being in place.

> --j.
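The last point above is that the rsh route only works if a hosts.equiv or .rhosts trust entry is already in place. As an added example (not part of the thread), here is a small audit routine that flags wildcard trust entries in those files; it assumes the classic BSD one-entry-per-line "host [user]" format, and the sample input is constructed.

```python
"""Audit hosts.equiv / .rhosts contents for wildcard trust entries.

Added example, not from the thread. Assumes the classic BSD format:
one entry per line, "hostname [username]", where "+" in either field
means "any" and a leading "-" denies. Sample input below is constructed.
"""

from typing import List, Optional, Tuple


def audit_rhosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, entry, reason) for every entry granting wildcard trust."""
    findings: List[Tuple[int, str, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host: str = fields[0]
        user: Optional[str] = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            findings.append((n, line, "any user from any host"))
        elif host == "+":
            findings.append((n, line, "any host (user field only names the remote user)"))
        elif user == "+":
            findings.append((n, line, f"any user from {host}"))
        # "-host" deny entries and plain "host" entries are not wildcard trust
    return findings


SAMPLE = """# constructed sample .rhosts
trusted.example.net
+ +
+ alice
fileserver.example.net +
-evil.example.net
"""

if __name__ == "__main__":
    for n, entry, why in audit_rhosts(SAMPLE):
        print(f"line {n}: '{entry}': {why}")
```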