Great Circle Associates Firewalls
(November 1997)
 


Subject: Re: Hijak detection
From: "Paul D. Robertson" <proberts @ clark . net>
Date: Wed, 5 Nov 1997 09:29:15 -0500 (EST)
To: Adam Shostack <adam @ homeport . org>
Cc: Frank Willoughby <frankw @ in . net>, firewalls @ GreatCircle . COM
In-reply-to: <199711050809 . DAA01853 @ homeport . org>

On Wed, 5 Nov 1997, Adam Shostack wrote:

> The point that (doy?) made is that session hijacking produces a flood
> of shit as you jam in packets in the hopes of getting the numbers
> right.  (Since the other guy is transmitting at the same time as you,
> you often send a slew of packets, to get them into the stack first.)
> There are a number of papers on detecting this sort of thing, many
> published in the months after Tsutomu was hacked.

Even in an ideal hijack, you'd see traffic from the attacker and the
victim at the same time; one would suppose you could alert on that even if
the attacker was sniffing sequence numbers instead of guessing them.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
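
Added example, not part of the original message: one way to alert on the condition described above, two senders occupying the same TCP sequence space at the same time. The packet tuple layout, the 2-second window, the TTL hint and the sample capture are all assumptions made for illustration.

```python
from collections import defaultdict

WINDOW = 2.0  # seconds; assumed meaning of "at the same time"

# Constructed sample: (time, src, sport, dst, dport, seq, payload, ttl)
SAMPLE = [
    (0.00, "10.0.0.5", 1025, "10.0.0.9", 23, 1000, b"ls\r\n", 64),
    (0.40, "10.0.0.5", 1025, "10.0.0.9", 23, 1000, b"ls\r\n", 64),   # retransmission
    (1.00, "10.0.0.5", 1025, "10.0.0.9", 23, 1004, b"pwd\r\n", 64),
    (1.05, "10.0.0.5", 1025, "10.0.0.9", 23, 1004, b"who\r\n", 57),  # same seq, new bytes
    (1.50, "10.0.0.9", 23, "10.0.0.5", 1025, 5000, b"/home\r\n", 64),
]


def find_conflicts(packets, window=WINDOW):
    """Return one alert per segment that claims already-seen sequence space
    with different bytes. A genuine retransmission repeats the same bytes
    and is not flagged; conflicting bytes mean two senders share one flow."""
    seen = defaultdict(dict)  # flow -> {sequence number: (byte, time, ttl)}
    alerts = []
    for t, src, sport, dst, dport, seq, data, ttl in packets:
        flow = (src, sport, dst, dport)  # one direction of the connection
        clash = None
        for i, b in enumerate(data):
            pos = (seq + i) % 2**32      # sequence numbers wrap at 2^32
            old = seen[flow].get(pos)
            if old is None:
                seen[flow][pos] = (b, t, ttl)
            elif old[0] != b and t - old[1] <= window and clash is None:
                clash = (pos, old[2])    # first conflicting byte, earlier TTL
        if clash:
            alerts.append({
                "flow": flow,
                "time": t,
                "seq": clash[0],
                # Assumed secondary hint: a different TTL suggests a
                # different network path, hence a different sender.
                "ttl_changed": clash[1] != ttl,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE):
        print(alert)
```

Because the check compares content rather than guessing behaviour, it fires whether the second sender sniffed the sequence numbers or guessed them.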


