HP3000-L Archives

April 1996, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Sun, 21 Apr 1996 15:19:47 EDT

This is just another variation on the source spoofing scheme.  The most
recent variations I'm aware of are:
 
* straight spoofing:  you can "establish" a connection by spoofing the
  source IP address, sending the SYN, and guessing the ACK sequence
  number (can be done if you can establish any connection such as FTP/SMTP
  to get the current sequence number).  Once connection established, you
  can get off a few packets before losing sequence number sync.
 
  - so be sure "outbound" packets on an interface don't originate from
    that interface's address range, and/or
  - ensure no incoming packets from other interface(s) originate
    from the protected interface (as applicable)
 
* router filter "established" connection filter modifier.  Cisco and some
  others allow low-overhead filtering by permitting established connections
  to bypass filtering overhead.  This was broken not long ago by submitting
  a fragmented packet, and the re-assembled packet propagated the "connection
  established" header.  Fixed in Cisco rev 10.2 or thereabouts.
 
  - disable "established" keyword if you have the router processor overhead
    to spare
 
Jeff Kell <[log in to unmask]>
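
The two interface checks listed under "straight spoofing" above, written out as an added example that is not part of the original message. The interface names, the address ranges (RFC 5737 documentation blocks) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed topology: protected address ranges behind each interface.
INTERFACES = {
    "inside": [ipaddress.ip_network("192.0.2.0/24")],
    "dmz": [ipaddress.ip_network("198.51.100.0/24")],
    "outside": [],  # Internet-facing, no protected range of its own
}


def owner_of(src):
    """Return the interface whose protected range contains src, or None."""
    addr = ipaddress.ip_address(src)
    for name, nets in INTERFACES.items():
        if any(addr in net for net in nets):
            return name
    return None


def check_packet(in_iface, out_iface, src):
    """Apply both anti-spoofing checks to one forwarded packet."""
    if in_iface not in INTERFACES or out_iface not in INTERFACES:
        raise ValueError("unknown interface")
    owner = owner_of(src)
    reasons = []
    # Check 1: a packet sent out an interface must not claim a source
    # address inside that interface's own range.
    if owner is not None and owner == out_iface:
        reasons.append("source is in outbound interface range")
    # Check 2: a packet arriving on one interface must not claim a source
    # address inside another interface's protected range.
    if owner is not None and owner != in_iface:
        reasons.append("source belongs behind " + owner)
    return ("drop" if reasons else "permit", reasons)


if __name__ == "__main__":
    # Constructed sample packets: (arrival interface, exit interface, source)
    samples = [
        ("outside", "inside", "192.0.2.10"),   # claims an inside address
        ("inside", "outside", "192.0.2.10"),   # genuine inside host
        ("outside", "inside", "203.0.113.5"),  # ordinary external host
        ("dmz", "outside", "192.0.2.99"),      # DMZ host claiming inside
    ]
    for pkt in samples:
        print(pkt, check_packet(*pkt))
```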
