Re: IP Spoofing questions

From: David Schlecht (dschl_at_earthlink.net)
Date: 03/08/04


Date: 8 Mar 2004 09:15:52 -0800

Thanks for the reply.

However, I still wonder if IP spoofing is possible with a good random
sequence? Doesn't spoofing (blind spoofing) require correctly guessing
the right sequence number?

Also, your comments regarding the futility of reporting hack attempts
if they're automated seem odd. If my host is hacked and being used to
pursue further break-ins, I would hope that someone would let me know.
Hence, I would think that most hostmasters would appreciate being
informed of the problem. Or -- is this just foolish thinking on my
part?

-Dave

roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<c2fq54$ciu$1@canopus.cc.umanitoba.ca>...
> In article <5f16df6b.0403070759.5565fc91@posting.google.com>,
> David Schlecht <dschl@earthlink.net> wrote:
> :Is IP Spoofing still a risk if our server has good TCP sequence number
> :randomization?
>
> Yes. It's easier to blow down a straw hut, but the brick hut still
> has to worry about bulldozers.
>
>
> :We get numerous CGI attacks that I'm interested in reporting but don't
> :know how much I can rely on our server logs source IP field.
>
> If these are automated attacks, then I'm sorry to say that your
> reports are likely going to be more or less ignored by most sites.
> There's just so *many* of such attacks -- it's like trying to file
> a police report every time anyone calls in saying "I saw a person in
> a black shirt drop a candy wrapper!"
>
> If these are for selective attacks where there was some intelligence
> put into you as a target (e.g., you can show a progression of probes where
> they learned more about your defences and tried more specific attacks) then
> you might be able to get somewhere with authorities. But I should warn
> you that unless you have very good evidence lined up, "forensic quality"
> [i.e., will stand up in court], then *in practice* you are probably
> around 400000'th in line unless you can demonstrate that more than $10,000
> (better yet, $25,000) of real damage was done... damage that excludes the
> cost of cleaning up your systems afterwards.
>
> It is not a good state of affairs, to be sure.
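The exchange above turns on whether a blind spoofer must guess the server's initial sequence number (ISN) exactly. The following Python model is an added illustration for readers of this thread, not code from either poster. It simulates two ISN policies on the server side: a caricature of the old clock-driven scheme, where each new connection's ISN is the previous one plus a fixed step (the step value of 64,000 and the generator names are this example's assumptions), and a per-connection random ISN. The "attacker" model opens one legitimate connection to learn an ISN, then assumes the very next connection's ISN is that value plus the step. Because a blind spoofer never sees the SYN-ACK, the forged third packet must acknowledge exactly ISN+1, which is the check the model applies.

```python
import secrets

ISN_SPACE = 1 << 32  # TCP sequence numbers are 32-bit


def predictable_isn_generator(start=0, step=64_000):
    """Assumption: caricature of the classic clock-driven ISN scheme.
    Each new connection gets the previous ISN plus a fixed step, so one
    observed ISN lets an outsider predict the next one."""
    isn = start
    while True:
        isn = (isn + step) % ISN_SPACE
        yield isn


def random_isn_generator():
    """Per-connection ISN drawn from a cryptographically strong source."""
    while True:
        yield secrets.randbelow(ISN_SPACE)


def blind_handshake_succeeds(server_isn, guessed_isn):
    """In a blind spoof the attacker never sees the SYN-ACK, so the forged
    final handshake packet must ACK exactly server_isn + 1 to be accepted.
    Being off by even one means the server drops the bogus ACK."""
    return (guessed_isn + 1) % ISN_SPACE == (server_isn + 1) % ISN_SPACE


def simulate(isn_gen, trials, step_guess=64_000):
    """Model: the attacker first learns an ISN from its own legitimate
    connection, then forges a SYN from a spoofed address and guesses that
    the spoofed connection's ISN is observed + step_guess.
    Returns the fraction of trials in which the forged handshake completed."""
    successes = 0
    for _ in range(trials):
        observed = next(isn_gen)           # ISN given to the attacker's own probe
        spoofed_conn_isn = next(isn_gen)   # ISN the server picks for the forged SYN
        guess = (observed + step_guess) % ISN_SPACE
        if blind_handshake_succeeds(spoofed_conn_isn, guess):
            successes += 1
    return successes / trials


if __name__ == "__main__":
    # Predictable ISNs: one observation gives the next ISN outright.
    print("predictable ISNs, blind success rate:",
          simulate(predictable_isn_generator(), 1_000))
    # Random ISNs: the guess has to hit one value out of 2^32, so the
    # measured rate over a few thousand trials is essentially zero.
    print("random ISNs, blind success rate:",
          simulate(random_isn_generator(), 1_000))
```

The model covers only the sequence-number guess; it says nothing about the other risks Walter alludes to (on-path attackers who can see the SYN-ACK, or weaknesses elsewhere in the stack), which is why good randomization raises the cost of a blind spoof rather than eliminating spoofing as a concern. It also shows why a completed TCP handshake in a CGI log is meaningful evidence of the source address: against a well-randomized server the forged connection almost never reaches the point where an HTTP request is logged.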
