> FWIW, I've been trying to figure out how they could prevent session
> hijacking without encryption on the Internet and haven't come up with
> a solution yet. While it is an interesting mental exercise, I admit
> that I'm intrigued and very curious how they do it (assuming the claim
> is accurate).
This makes me curious too. Since the ways to stop IP Spoofing are
encryption, TCPWrappers (or something simialr), and random sequence numbers.
We've ruled out encryption for this example. TCPWrappers, well the info
*IS* coming over the same physical wire, so...
Since it is an active sniffing attack randomizing the sequence numbers
would not really do a damn thing.
This is tough, since we can really predict bit for bit what the headers
of the ACK packet that we need to send are...