> As far as i know what happens is this...
> 1) The Attacker gains the IP of the trusted client.
> 2) The Attacker then changes his IP address (the source address) to that of
> the trusted client
> 3) the Attacker then renders the Trusted Client inoperative, mainly a port,
> using a SYN flood method.
> Usually a port like the rexec would be best.
> 4) Then the attacker sends a request for connection to that port on the
> Target Server, this is all blind
> because the packets that are sent back do not make it to its destination
> (we've disabled the port).
> 5) Because it is all blind the attacker must know the exact actions that
> occur during this activity.
Not only this. The attacker must discover what initial sequence number the
attacked host has chosen to establish the connection. Since this number has 2^32
possible values it's nearly impossible to guess it. This is what makes this
kind of attack very difficult to carry out successfully.
In some early implementations of TCP/IP for *nix (and for some X Terminals)
the initial sequence number wasn't a random number, but simply a number that
was incremented by 1 on every connection. In this case it's trivial to guess
what the next number will be. (the legendary attack by Kevin Mitnick on
Shimomura's machine was based on this flaw)
> Usually the attacker will send a command that will enable another method of
> As far as i know that's how its done.....but i have been known to be wrong
> M/D NetWorx Pty Ltd
> leon @
Rodrigo de La Rocque Ormonde
e-mail: ormonde @
PGP Public key: finger ormonde @
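The exchange the two posters describe, as an added example that is not part of the original thread and not anyone's attack code: a Python model of a server's three-way handshake in which the attacker first samples one ISN from his own address, then sends a SYN with the trusted client's source address and must answer the SYN-ACK he never sees. The server model, the "incremental" versus "random" ISN schemes, and the addresses 10.0.0.5 (trusted client) and 203.0.113.9 (attacker) are constructed for the simulation; no packets are sent. It also models why the trusted client has to be silenced first: an unsilenced client that receives a SYN-ACK for a connection it never opened answers with RST and tears the half-open state down.

```python
import random
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


class Server:
    """Constructed model of a TCP listener's handshake state (one per ISN scheme)."""

    def __init__(self, isn_scheme):
        assert isn_scheme in ("incremental", "random")
        self.scheme = isn_scheme
        # Incremental scheme: start at an arbitrary point, then +1 per connection.
        self.counter = random.randrange(MOD)
        self.pending = {}  # src address -> server ISN of a half-open connection

    def next_isn(self):
        if self.scheme == "incremental":
            self.counter = (self.counter + 1) % MOD
            return self.counter
        return secrets.randbelow(MOD)  # unpredictable ISN

    def recv_syn(self, src, client_isn):
        """SYN from src: allocate an ISN and 'send' SYN-ACK (seq, ack) back to src."""
        isn = self.next_isn()
        self.pending[src] = isn
        return ("SYN-ACK", isn, (client_isn + 1) % MOD)

    def recv_rst(self, src):
        """RST from src aborts whatever half-open connection src had."""
        self.pending.pop(src, None)

    def recv_ack(self, src, ack):
        """Final ACK: established only if it acknowledges our ISN + 1."""
        expected = self.pending.pop(src, None)
        if expected is None:
            return False
        return ack == (expected + 1) % MOD


def blind_spoof_attempt(server, trusted_ip, attacker_ip, client_silenced=True):
    """One blind spoofing attempt; returns True if the spoofed connection is established."""
    # Step 1: probe from the attacker's own address to learn the ISN the server hands out.
    _, sampled_isn, _ = server.recv_syn(attacker_ip, client_isn=1000)
    server.recv_ack(attacker_ip, (sampled_isn + 1) % MOD)  # finish the probe cleanly

    # Step 2: SYN with the trusted client's source address. The SYN-ACK goes to
    # trusted_ip; the attacker never sees its sequence number.
    server.recv_syn(trusted_ip, client_isn=2000)
    if not client_silenced:
        # A live trusted client gets a SYN-ACK it never asked for and replies RST.
        server.recv_rst(trusted_ip)

    # Step 3: blind guess. Under an incremental scheme the next ISN is sampled + 1;
    # under a random scheme the same guess is one of 2**32 equally likely values.
    guess = (sampled_isn + 1) % MOD
    return server.recv_ack(trusted_ip, (guess + 1) % MOD)


def success_rate(isn_scheme, trials, client_silenced=True):
    """Fraction of blind attempts that establish a spoofed connection."""
    server = Server(isn_scheme)
    hits = sum(
        blind_spoof_attempt(server, "10.0.0.5", "203.0.113.9", client_silenced)
        for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    print("incremental ISN, client silenced:", success_rate("incremental", 100))
    print("incremental ISN, client alive:   ", success_rate("incremental", 100, False))
    print("random ISN, client silenced:     ", success_rate("random", 1000))
```

With the incremental scheme every attempt lands (the probe tells the attacker exactly what the next ISN will be); with a random ISN the same attempt succeeds with probability 2^-32 per try, which the simulation reports as 0 over a thousand tries; and with the trusted client left alive even the predictable case fails, because its RST discards the half-open connection before the forged ACK arrives.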