On Jan 5, 8:35am, system PRIVILEGED account wrote:
> Subject: Re: spoofing TCP/SYN packets?
>
>
> On Tue, 13 Dec 1994, david r coelho wrote:
>
> > My first line of defense for our network uses a router to filter
> > out all new TCP sessions (e.g. with SYN). We let in all established
> > sessions, and then do additional filtering with a firewall. The
> > idea is that the router lets anything go out, but only lets
> > established sessions come in.
> >
> > My question is, is there a vulnerability whereby the established
> > incoming TCP packet could be used to open a new TCP session
> > (say login, telnet, etc) or is the unix (SunOS in my case) kernel
> > tight enough to reject these packets.
> >
> It would seem to me that if one host C were to snoop an active telnet
> session say, between hosts A and B, grab a string of frames, spray the
> receiving host B momentarily, then repeatedly spray host A (or knock down
> host A by some other means) while resending the copied string of frames
> and adding to them whatever one would like while also keeping the packet
> signatures the same -- that whomever is behind host C could become
> the new active session in place of A.
>
> If the preceding BS is true, then what can any kind of firewall SW/HW
> do to detect such an intrusion, short of encryption strategies?
>
> Will FWTK detect such an intrusion?
>
>
What you describe are the classic man-in-the-middle and/or packet sequence
numbering attacks.
Without encryption, you're screwed.
Al
--
----------------------------------------------------------------------------
Alastair Young                                        This vehicle incapable
Cadence Design Systems, Information Services          of evading low
555 River Oaks Parkway, 4B1                           speed pursuit!
San Jose CA 95134                  Fax: (408)894-3487
alastair@cadence.com               (408)428-5278
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems
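The thread turns on two different things a filter can mean by "established": the router rule in the original question (pass anything that is not a bare SYN, with no memory of connections) and a firewall that actually tracks the 4-tuple and sequence numbers of each session. The model below is an added example written for this page, not code from any poster or from FWTK; the addresses, ports, sequence numbers and packets are all constructed for the demonstration. It shows three cases: an ACK-only packet to a port nobody opened (passes the flag-only rule, dropped by the tracker), a blind injection with guessed sequence numbers (same outcome), and the injection the second poster describes, where host C has snooped the A-B session and reuses its exact sequence and acknowledgement numbers. That last packet is indistinguishable from the real endpoint's traffic to both filters, which is Al's point: without encryption or authentication on the session, the firewall has nothing left to check.

```python
"""Flag-only 'established' filtering versus stateful session tracking.

Added example for the firewalls-list thread above; not code from the
thread or from FWTK.  All hosts, ports, ISNs and packets are constructed.
"""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10          # TCP flag bits used below


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int
    payload: bytes = b""


def router_allows_inbound(p: Packet) -> bool:
    """The router rule from the original question, as stated: drop packets
    that would open a new session (a SYN without ACK) and let everything
    that 'looks established' in.  It keeps no per-connection state."""
    return not (p.flags & SYN and not p.flags & ACK)


class StatefulFirewall:
    """Tracks connections opened from the inside and, for each direction,
    the next sequence number it expects; a packet must belong to a known
    4-tuple and fall inside a (constructed) window to pass."""
    WINDOW = 4096

    def __init__(self):
        # key -> {(addr, port) of sender: next expected seq from that sender}
        self.conns = {}

    @staticmethod
    def _key(p: Packet):
        # Same key for both directions of one connection.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def allow(self, p: Packet, inbound: bool) -> bool:
        key = self._key(p)
        sender, peer = (p.src, p.sport), (p.dst, p.dport)
        if p.flags & SYN and not p.flags & ACK:
            if inbound:
                return False                      # no inbound session setup
            self.conns[key] = {sender: p.seq + 1}  # outbound SYN: learn ISN
            return True
        conn = self.conns.get(key)
        if conn is None:
            return False                          # unknown 4-tuple, flags irrelevant
        if p.flags & SYN and p.flags & ACK and sender not in conn:
            if p.ack != conn.get(peer):
                return False                      # SYN+ACK must ack our ISN
            conn[sender] = p.seq + 1
            return True
        expected = conn.get(sender)
        if expected is None or not expected <= p.seq < expected + self.WINDOW:
            return False                          # sequence number out of window
        peer_exp = conn.get(peer)
        if peer_exp is not None and not peer_exp - self.WINDOW <= p.ack <= peer_exp:
            return False                          # acks data the peer never sent
        conn[sender] = p.seq + len(p.payload)
        return True


def run_scenario() -> dict:
    """Drive both filters through a snooped telnet session and three
    inbound injection attempts; returns (router, stateful) verdicts."""
    fw = StatefulFirewall()
    A = ("10.0.0.5", 1025)        # inside host (constructed)
    B = ("192.0.2.9", 23)         # outside telnet server (constructed)
    C = ("198.51.100.7", 4444)    # attacker host (constructed)
    r = {}

    # Three-way handshake opened from the inside, then a little data each way.
    handshake = [
        fw.allow(Packet(*A, *B, SYN, 1000, 0), inbound=False),
        fw.allow(Packet(*B, *A, SYN | ACK, 5000, 1001), inbound=True),
        fw.allow(Packet(*A, *B, ACK, 1001, 5001), inbound=False),
        fw.allow(Packet(*B, *A, ACK, 5001, 1001, b"login: "), inbound=True),
        fw.allow(Packet(*A, *B, ACK, 1001, 5008, b"david\r\n"), inbound=False),
    ]
    r["handshake"] = all(handshake)

    # 1. ACK-only packet to a port nobody opened: 'established' by flag only.
    p = Packet(*C, A[0], 23, ACK, 1, 1)
    r["unknown_ack"] = (router_allows_inbound(p), fw.allow(p, inbound=True))

    # 2. Blind injection claiming to be B with guessed sequence numbers.
    p = Packet(*B, *A, ACK, 31337, 31337, b"rm -rf ~\r\n")
    r["blind_spoof"] = (router_allows_inbound(p), fw.allow(p, inbound=True))

    # 3. Injection by a host that snooped the session and copied the exact
    #    seq/ack the real B would use next (5008 / 1008 after the data above).
    p = Packet(*B, *A, ACK, 5008, 1008, b"rm -rf ~\r\n")
    r["snooped_spoof"] = (router_allows_inbound(p), fw.allow(p, inbound=True))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:14s} {verdict}")
```

The first two injections show why a flag-only "established" rule is not a session check: anything with the ACK bit set walks through it, and only the tracker's memory of the 4-tuple and sequence window stops them. The third shows the limit of tracking: a correct in-window packet carries nothing the firewall can use to tell the snooper from the endpoint, so the defence has to move into the session itself (encryption or per-packet authentication), as the reply says.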