
Re: Restrictions group without ask for the password

On Sat, 27 Apr 1996, Eric Wieling wrote:

> Some time ago Adam Shostack said:
> 
> > 	The essence of the answer is that IP is designed to route
> > packets, not to provide for authentication.  There are attacks where a
> > host acts as a router, so that packets appear to come from that host
> > A, when in fact they come from host B.
> > 
> > 	Further, you don't want to give information to computers, you
> > want to give information to the users of those computers.  You thus
> > want to make the user do something, such as type in a password, or
> > demonstrate their possession of a token, that gives some evidence that
> > they are authorized.
> > 
> > 	There are many articles on the web on IP spoofing.
> 
> I'm not an expert in the matter, but I wonder how ACK packets and
> return data gets back to the machine doing the IP spoofing?  I would
> assume that it would be tough to say the least with things like source
> routing turned off in the router connecting your network to the
> Internet.  

In at least one attack, the ACK packets don't get back to the host doing 
the spoofing - and you don't necessarily need any return data to append 
a line to /.rhosts.

The attacking host doesn't need to get the ACKs - tho it would make the 
timing easier (the attack becomes a more-or-less synchronous process, 
really).

A more serious problem for the attacking host is the possibility of the 
host it's trying to spoof receiving the ACKs, and getting involved in the 
handshake.

One way of dealing with this is for the cracker to wait until the spoofed 
host is down.  Another is to mix in a denial of service attack - 
feed the spoofed host full of an overwhelming number of packets, so it's 
too busy to respond to the ACKs.  By the time the spoofed host catches up 
(or, better for the attacker, if the ACKs are dropped on the 
floor...), it doesn't matter anymore.
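As an added illustration of the pattern this reply describes (swamp the trusted host so it cannot answer, then send packets bearing its address to the target's r-services), here is a small Python detector that is not part of the original thread. It runs over a constructed packet log; the host addresses, the r-service ports, the flood threshold and the grace window are all assumptions chosen for the example, not values from the thread.

```python
"""Flag r-service traffic that claims to come from a trusted host while that
host is being flooded.  All traffic below is constructed sample data."""

import re
from collections import Counter

TRUSTED_HOST = "10.0.0.5"      # assumed: the host named in the target's /.rhosts
TARGET_HOST = "10.0.0.9"       # assumed: the host running rlogind / rshd
R_SERVICE_PORTS = {513, 514}   # rlogin and rsh well-known ports
FLOOD_THRESHOLD = 50           # assumed tuning value: packets per second into the trusted host
GRACE_SECONDS = 2              # assumed: how long after a flood second the host is still treated as swamped

# One packet per line: arrival time, source, destination, destination port, TCP flags.
LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)"
)


def _build_sample_log():
    """Constructed log: one benign rsh connection, then a flood and a spoof attempt."""
    lines = [
        # quiet period: the trusted host really does talk to the target
        "t=3.00 src=10.0.0.5 dst=10.0.0.9 dport=514 flags=S",
        "t=3.01 src=10.0.0.9 dst=10.0.0.5 dport=1023 flags=SA",
        "t=3.02 src=10.0.0.5 dst=10.0.0.9 dport=514 flags=A",
    ]
    # 60 SYNs from scattered sources hit the trusted host inside one second
    for i in range(60):
        lines.append(f"t={12 + i / 100:.2f} src=192.0.2.{(i % 200) + 1} dst=10.0.0.5 dport=22 flags=S")
    # meanwhile the target sees a handshake and data "from" the trusted host;
    # the target's SYN/ACK goes to the real host, which is too busy to object
    lines += [
        "t=12.40 src=10.0.0.5 dst=10.0.0.9 dport=514 flags=S",
        "t=12.41 src=10.0.0.9 dst=10.0.0.5 dport=1022 flags=SA",
        "t=12.60 src=10.0.0.5 dst=10.0.0.9 dport=514 flags=A",
        "t=12.61 src=10.0.0.5 dst=10.0.0.9 dport=514 flags=PA",
    ]
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Turn one log line into a dict; reject lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {"t": float(m["t"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def flood_seconds(records, victim, threshold=FLOOD_THRESHOLD):
    """Return the set of whole seconds in which `victim` received >= threshold packets."""
    per_second = Counter(int(r["t"]) for r in records if r["dst"] == victim)
    return {sec for sec, n in per_second.items() if n >= threshold}


def detect_spoof_under_dos(lines, trusted=TRUSTED_HOST, target=TARGET_HOST, grace=GRACE_SECONDS):
    """Alert on r-service packets 'from' the trusted host that arrive during or
    shortly after a flood against that same host.  Returns (time, flags, reason) tuples."""
    records = [parse_line(line) for line in lines]
    swamped = flood_seconds(records, trusted)
    alerts = []
    for r in records:
        if r["src"] != trusted or r["dst"] != target or r["dport"] not in R_SERVICE_PORTS:
            continue
        sec = int(r["t"])
        # the host counts as swamped for `grace` seconds after any flood second
        if any((sec - k) in swamped for k in range(grace + 1)):
            alerts.append((r["t"], r["flags"],
                           f"r-service packet from {trusted} while {trusted} is being flooded"))
    return alerts


if __name__ == "__main__":
    for t, flags, reason in detect_spoof_under_dos(SAMPLE_LOG):
        print(f"{t:7.2f} {flags:3} {reason}")
```

The heuristic only surfaces the coincidence the thread points at (the trusted host going quiet exactly when "its" connection appears); it cannot prove the source address is forged. The durable fix follows from Adam Shostack's point above: do not let a source address stand in for authentication, which for r-services means not relying on /.rhosts trust at all.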