[NTLUG:Discuss] Re: How does 'ip address spoofing work'?

Jerry Haltom wasabi at larvalstage.net
Tue Jul 8 00:36:30 CDT 2003


Never say never. There are some extremely complex TCP sequence id
predictors out there. Basically, the spoofing computer only has to
"guess" at the response, and keep sending packets, with a little delay
between them. For a recent Linux kernel, we are talking majorly hard
though.

On Sun, 2003-07-06 at 23:28, Vaidya, Harshal (Cognizant) wrote:
> Now that you are attacked, the only thing coming to my mind is to suggest
> that you change the passwords regularly to beat all their attempts to
> guess the passwords.
> 
> If possible, you can deny all these 180 public proxy IP addresses to
> your server.
> 
> .. Just a thought.
> 
> Thanks and Regards,
> Harshal.
> 
> -----Original Message-----
> From: David [mailto:david at hayes-family.org] 
> Sent: Sunday, July 06, 2003 7:45 AM
> To: NTLUG Discussion List
> Subject: Re: [NTLUG:Discuss] Re: How does 'ip address spoofing work'?
> 
> 
> On Sat, Jul 05, 2003 at 01:00:41PM -0500, Jack Snodgrass wrote:
> > something I hadn't thought of.... I checked several of
> > the IP Addresses on Google. These IP Addresses are
> > public proxy servers. So... the hacker just sends his
> > request through the proxy server and hides his tracks
> > even more. 
> 
> You're probably more on target here.  Your log records are showing URLs
> requested.  That can't happen until the third packet of a TCP session --
> SYN; SYN-ACK; then first data packet.  For you to see URLs in your log
> files, you know that there must have been a bidirectional exchange of
> packets.  That's exceedingly difficult to do while spoofing the source
> address.  In fact, it can't be done, unless the system doing the
> spoofing is somewhere along the route your packets are taking.  
> 
> If the goal were a simple denial-of-service, mere packet flooding with
> spoofed addresses would work.  The fact that the attacker is attempting
> to get a reply suggests that they are trying to guess passwords. 
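
[Added example, not part of the original messages.] Because a logged URL implies a completed handshake, the client address in each log record is a real TCP peer (here, a proxy) and can be denied. The sketch below counts failed logins per address; the Common Log Format, the 401 status as the failure signal, the threshold, and the sample lines are all assumptions, not data from the thread.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (assumed format). The
# addresses are documentation ranges and do not come from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jul/2003:12:58:01 -0500] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - admin [05/Jul/2003:12:58:02 -0500] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - admin [05/Jul/2003:12:58:03 -0500] "GET /private/ HTTP/1.0" 401 401
198.51.100.7 - root [05/Jul/2003:12:58:04 -0500] "GET /private/ HTTP/1.0" 401 401
198.51.100.7 - root [05/Jul/2003:12:58:05 -0500] "GET /private/ HTTP/1.0" 401 401
198.51.100.7 - root [05/Jul/2003:12:58:06 -0500] "GET /private/ HTTP/1.0" 401 401
203.0.113.5 - jack [05/Jul/2003:13:01:10 -0500] "GET /private/ HTTP/1.0" 401 401
203.0.113.5 - jack [05/Jul/2003:13:01:15 -0500] "GET /private/ HTTP/1.0" 200 5120
this line is damaged and must be skipped
"""

# client, ident, user, [timestamp], "request", status, size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def auth_failures_by_ip(log_text):
    """Count HTTP 401 responses per client address; skip unparsable lines."""
    failures = Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m and m.group("status") == "401":
            failures[m.group("ip")] += 1
    return failures


def deny_candidates(log_text, threshold=3):
    """Addresses with at least `threshold` failed logins, sorted.

    A legitimate user also draws a 401 or two (the initial challenge, a
    typo), so the threshold keeps single failures off the list.
    """
    counts = auth_failures_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip in deny_candidates(SAMPLE_LOG):
        print(ip)
```

The resulting addresses are candidates to review against the proxy list before adding them to the server's deny rules.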



