[NTLUG:Discuss] Re: How does 'ip address spoofing work'?

[Jerry Haltom]

Never say never. There are some extremely complex TCP sequence id
predictors out there. Basically, the spoofing computer only has to
"guess" at the response, and keep sending packets, with a little delay
between them. For a recent linux kernel, we are talking majorly hard
though.

On Sun, 2003-07-06 at 23:28, Vaidya, Harshal (Cognizant) wrote:
> Now that you are attacked the only thing coming to my mind is to suggest
> you to change the passwords regularly to beat all their attempts to
> guess the passwords.
> 
> If possible, you can deny all these 180 public proxy IP addresses to
> your server.
> 
> .. Just a thought.
> 
> Thanks and Regards,
> Harshal.
> 
> -----Original Message-----
> From: David [mailto:david at hayes-family.org] 
> Sent: Sunday, July 06, 2003 7:45 AM
> To: NTLUG Discussion List
> Subject: Re: [NTLUG:Discuss] Re: How does 'ip address spoofing work'?
> 
> 
> On Sat, Jul 05, 2003 at 01:00:41PM -0500, Jack Snodgrass wrote:
> > something I hadn't thought of.... I checked several of
> > the IP Addresses on Goggle. These IP Addresses are
> > public proxy servers. So... the hacker just sends his
> > request through the proxy server and hides his tracks
> > even more. 
> 
> Your probably more on target here.  Your log records are showing URLs
> requested.  That can't happen until the third packet of a TCP session --
> SYN; SYN-ACK; then first data packet.  For you to see URLs in your log
> files, you know that there must have been a bidirectional exchange of
> packets.  That's exceedingly difficult to do while spoofing the source
> address.  In fact, it can't be done, unless the system doing the
> spoofing is somewhere along the route your packets are taking.  
> 
> If the goal were a simple denial-of-service, mere packet flooding with
> spoofed addresses would work.  The fact that the attacker is attempting
> to get a reply suggests that they are trying to guess passwords.