Well, if I understand correctly, I would say that the Telstra guys have it wrong...
As far as I know, what happens is this...
1) The Attacker gains the IP of the trusted client.
2) The Attacker then changes his IP address (the source address) to that of the trusted client.
3) The Attacker then renders the Trusted Client inoperative, mainly a port, using a SYN flood method.
Usually a port like the rexec would be best.
4) Then the attacker sends a request for connection to that port on the Target Server. This is all blind because the packets that are sent back do not make it to their destination (we've disabled the port).
5) Because it is all blind, the attacker must know the exact actions that occur during this activity.
Usually the attacker will send a command that will enable another method of entry.
As far as I know that's how it's done.....but I have been known to be wrong :-)
Leon
M/D NetWorx Pty Ltd
leon @ networx . com . au
----------
> From: Steven Herod <sherod @ medeserv . com . au>
> To: Firewalls @ GreatCircle . com
> Subject: Spoofing... How does it work.
> Date: Monday, 28 October 1996 17:54
>
> Hi, this text came from a Telstra Security Paper as explanation
> of Spoofing. What I don't understand is step 5
>
> > 1. the attacker would change her host's IP address to match that of the
> > trusted client,
> >
> > 2. the attacker would then construct a source route to the server that
> > specifies the direct path the IP packets should take to the server and
> > should take from the server back to the attacker's host, using the
> > trusted client as the last hop in the route to the server,
> >
> > 3. the attacker sends a client request to the server using the source
> > route,
> >
> > 4. the server accepts the client request as if it came directly from the
> > trusted client and returns a reply to the trusted client,
> >
> > 5. the trusted client, using the source route, forwards the packet on to
> > the attacker's host.
>
> If the attacker's host and the trusted client both have the same IP
> address, Wouldn't the trusted client receive the packet and
> process it, regardless of its source routing options, rather
> than passing it on? What am I missing?
>
> TIA
> Steven Herod
> sherod @ medeserv . com . au