Jeff LaCoursiere writes:
> Just got the advisory and it makes me a bit nervous. We are
> currently using appropriate filters on both internal and
> external routers of our screened gateway, so I am not too
> worried about the spoofing bit. But the hijacked connections
> make me wonder....

The way I read the advisory (I'm sure I'll hear about it if I'm
wrong :-)), the "hijacking" happens only once the bad guys have
a program running as root on your machine. IP spoofing as
described by Bellovin may be used to break in in the first
place, and install the "hijacker" program. The "hijacker"
program then just pokes the kernel as follows (one example):
look for an established TCP session with local port 23 (i.e., a
telnet session), and replace the peer address and next expected
sequence number in the TCP connection block.

Such a hijacking program is not hard to write. This would appear
to be an instance of the general principle that once they're root
on your firewall machine, you're screwed.

Flying Fox Computer Systems, Inc.
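
A defender's view of the manipulation described above, as an added example that is not part of the original post: the peer address of an established TCP session never changes in normal operation, so a monitor can compare two snapshots of the connection table and flag any telnet socket whose peer differs. It assumes the Linux /proc/net/tcp text format on a little-endian host (a system the post does not mention); the snapshots, addresses and function names are constructed for illustration.

```python
import socket
import struct

ESTABLISHED = "01"  # TCP_ESTABLISHED in the "st" column
TELNET_PORT = 23    # the local port named in the post

def endpoint(field):
    """Decode 'HEXADDR:HEXPORT' (IPv4, as printed on a little-endian host)."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)

def established_sessions(table_text, local_port=TELNET_PORT):
    """Map socket inode -> peer (addr, port) for established sessions."""
    sessions = {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != ESTABLISHED:
            continue
        if endpoint(cols[1])[1] == local_port:
            sessions[cols[9]] = endpoint(cols[2])  # cols[9] is the inode
    return sessions

def peer_changes(before_text, after_text, local_port=TELNET_PORT):
    """List (inode, old_peer, new_peer) where one socket's peer changed."""
    before = established_sessions(before_text, local_port)
    after = established_sessions(after_text, local_port)
    return [(ino, before[ino], after[ino])
            for ino in sorted(before.keys() & after.keys())
            if before[ino] != after[ino]]

# Constructed sample snapshots (not captured from a real host).
HEADER = ("  sl  local_address rem_address   st tx_queue rx_queue "
          "tr tm->when retrnsmt   uid  timeout inode\n")
ROW = "   {}: 0A00000A:{} {} {} 00000000:00000000 00:00000000 00000000     0        0 {}\n"
SNAP_BEFORE = HEADER + (
    ROW.format(0, "0017", "1400000A:C001", "01", 4101)    # telnet from 10.0.0.20
    + ROW.format(1, "0017", "1500000A:C002", "01", 4102)  # telnet from 10.0.0.21
    + ROW.format(2, "0016", "1400000A:C003", "01", 4103)) # port 22, ignored
SNAP_AFTER = HEADER + (
    ROW.format(0, "0017", "630200C0:C001", "01", 4101)    # same socket, new peer
    + ROW.format(1, "0017", "1500000A:C002", "01", 4102)
    + ROW.format(2, "0016", "1400000A:C003", "01", 4103))

if __name__ == "__main__":
    for ino, old, new in peer_changes(SNAP_BEFORE, SNAP_AFTER):
        print(f"inode {ino}: peer changed {old} -> {new}")
```

Since the scenario in the post has the intruder already running as root, the comparison is only meaningful when the snapshots are shipped to and checked on a separate machine.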