On Sat, 25 Nov 1995, Frank Willoughby wrote:
> The TCP Sequence Number Prediction Attack (SNPA) relies on a somewhat
> similar technique where Bad Guy monitors the firewall traffic for a useful
> session (telnet, ftp, etc.). When the Bad Guy notices that Outside System A is
> telnetting in to Inside System C, the Bad Guy will wait until the user on A
> has logged into Inside System C and then take over that session.

You have the wrong name for this attack. Connection hijacking has a lot
to do with TCP sequence numbers, but the name "TCP Sequence Number Prediction"
describes a totally different attack.

"Node Spoofing" means how to act as another host. To do this
over a router network you have to master "TCP Sequence Number Prediction".
(Shimomura was attacked using this technique.) This attack is
described in "Security Problems in TCP/IP Protocol Suite":
<http://www.research.att.com/dist/internet_security/ipext.ps.Z>
See also <http://www.engarde.com/software/seqnum.html>

When you want to take over an existing connection, you have to do "Connection
Hijacking" or "TCP Splicing". To see how this works, check out the
document "Simple Active Attack Against TCP":
<http://www.merit.edu/routing.arbiter/RA/security/
VK
--
Vesa Keinanen Nasilinnankatu 24 D, 33210 Tampere, Finland
Relevantum Oy Phone +358 31 2147200, Fax +358 31 2147402