Re: RE: Session & IP Spoofing
From: Frank Knobbe (frank_at_knobbe.us)
Date: 12/05/03
- Previous message: Micheal Thompson: "RE: RE: Session & IP Spoofing"
- In reply to: Nexus: "Re: RE: Session & IP Spoofing"
- Next in thread: Rob Shein: "RE: RE: Session & IP Spoofing"
To: Nexus <nexus@patrol.i-way.co.uk>
Date: Thu, 04 Dec 2003 18:41:09 -0600
On Thu, 2003-12-04 at 09:46, Nexus wrote:
> But you would also need to spoof the TCP 3-way handshake before you can even
> send the HTTP GET request, which is um..... non-trivial ;-)
I thought that IIS servers don't need the 3-way handshake. Isn't IE
cheating by trying to send regular ACKed data packets in order to speed
up the connection with the IIS webserver? (and falls back to TCP 3-way
when it doesn't get a response, as is pretty much the case with all
standards abiding web servers).
So IIS servers may be more vulnerable against those spoofing attacks
than, say, Apache servers.
(and if that is the case -- testing required here -- then it's just
another one of those situations where Microsoft ignores a standard,
tries to cheat in favor of performance, and gets bitten with a
vulnerability in the end...)
Regards,
Frank
- application/pgp-signature attachment: This is a digitally signed message part