On Mon, Jan 29, 2001 at 12:33:03PM +0000, thomas lakofski wrote:
> On Wed, 24 Jan 2001, Mark Suter wrote:
>
> > The only way under IPv4 to be safe from spoofing is for everyone to
> > implement proper Network Ingress Filtering [RFC2827, BCP0038] on
> > their networks. Please, read this RFC.
> >
> > http://www.faqs.org/rfc/rfc2827.txt
>
> bah. all this talk about portsentry being dangerous forgets that you can also
> run it so it only triggers after a full TCP connect. while not un-spoofable,
> it's very hard for an attacker to spoof as they have to be in-line between your
> host and the host they're trying to spoof. plus, they'll have a task guessing
> sequence numbers.
Not true. To spoof a TCP connection, you need to guess the initial sequence number, and you need to stop RST packets from the spoofed host from reaching the host under attack, or else the host under attack will reset the TCP connection. If you are in-line with the host under attack, you can see the return traffic, and then you don't need to guess at the sequence number even. You will be able to block the return traffic from ever reaching the spoofed host. However, another way to accomplish the blocking is to DoS the spoofed host.

I don't remember where I read this, either in an RFC, or in the book "Practical Unix and Internet Security".

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BCE
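The thread's underlying point, from Mark Suter's quoted message, is that source-address spoofing is only cut off network-wide by ingress filtering as described in RFC 2827 / BCP 38: a router drops any packet whose claimed source address could not legitimately have arrived on the interface it came in on. The following is an added illustration written for this page, not code from any poster, that models that decision for a hypothetical edge router with one upstream link and two customer links. The interface names, the prefix assignments (RFC 5737 documentation ranges) and the packet sample are all constructed for the example.

```python
"""Ingress (BCP 38 / RFC 2827) source-address filter, modelled in Python.

Constructed example: the topology, interface names and traffic below are
hypothetical and use only documentation address ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source address the packet claims
    dst: str     # destination address


# Hypothetical edge router: one Internet-facing link, two customer links.
UPSTREAM_IFACE = "up0"
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "cust0": ["192.0.2.0/24"],       # constructed: customer 0's assigned block
    "cust1": ["198.51.100.0/24"],    # constructed: customer 1's assigned block
}
# Source ranges that should never enter from the Internet side (private,
# loopback, link-local, multicast, reserved).
BOGON_SOURCES: List[str] = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
]


class IngressFilter:
    """Per-interface source-address admission control in the BCP 38 sense."""

    def __init__(self, upstream: str, customers: Dict[str, List[str]], bogons: List[str]):
        self.upstream = upstream
        self.customers = {i: [ipaddress.ip_network(p) for p in nets]
                          for i, nets in customers.items()}
        self.bogons = [ipaddress.ip_network(p) for p in bogons]
        self.drops: List[str] = []   # log lines a defender would forward to a SIEM

    @staticmethod
    def _within(addr, nets) -> bool:
        return any(addr in n for n in nets)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("accept" | "drop", human-readable reason)."""
        src = ipaddress.ip_address(pkt.src)
        if pkt.iface in self.customers:
            # Customer-facing link: only sources from that customer's own block.
            if self._within(src, self.customers[pkt.iface]):
                return "accept", "source within the prefix assigned to this interface"
            return "drop", f"source {pkt.src} is not assigned to {pkt.iface}"
        if pkt.iface == self.upstream:
            # Internet-facing link: our own prefixes and bogons cannot arrive here.
            for iface, nets in self.customers.items():
                if self._within(src, nets):
                    return "drop", f"source {pkt.src} belongs to {iface} but arrived from upstream"
            if self._within(src, self.bogons):
                return "drop", f"source {pkt.src} is a bogon"
            return "accept", "external source on the external interface"
        return "drop", f"unknown interface {pkt.iface}"

    def apply(self, packets: Iterable[Packet]) -> List[Tuple[Packet, str, str]]:
        results = []
        for pkt in packets:
            verdict, reason = self.decide(pkt)
            if verdict == "drop":
                self.drops.append(
                    f"ingress-drop iface={pkt.iface} src={pkt.src} dst={pkt.dst} reason={reason!r}")
            results.append((pkt, verdict, reason))
        return results


# Constructed traffic sample: three packets per link, mixing legitimate and spoofed sources.
SAMPLE_PACKETS = [
    Packet("cust0", "192.0.2.10", "203.0.113.5"),     # legitimate customer traffic
    Packet("cust0", "198.51.100.7", "203.0.113.5"),   # cust0 host claiming cust1's address
    Packet("cust0", "203.0.113.9", "203.0.113.5"),    # cust0 host claiming an outside address
    Packet("up0", "203.0.113.9", "192.0.2.10"),       # ordinary inbound traffic
    Packet("up0", "192.0.2.44", "192.0.2.10"),        # outside packet claiming an inside address
    Packet("up0", "10.1.2.3", "192.0.2.10"),          # bogon source arriving from upstream
]


def run_sample() -> Tuple[List[str], List[str]]:
    """Filter the sample; return the verdict list and the drop log."""
    filt = IngressFilter(UPSTREAM_IFACE, CUSTOMER_PREFIXES, BOGON_SOURCES)
    results = filt.apply(SAMPLE_PACKETS)
    return [verdict for _, verdict, _ in results], filt.drops


if __name__ == "__main__":
    verdicts, drops = run_sample()
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.iface:5} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
    print("\n".join(drops))
```

The two directions matter equally: a customer link admits only that customer's own block (so a host there cannot forge another site's address, which is the filter RFC 2827 asks every provider to deploy), and the upstream link refuses packets that claim one of the router's own prefixes or a bogon range. The drop log is the detection side of the same control; in practice the equivalent router feature (unicast reverse-path forwarding or an explicit ACL) emits comparable records.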

