Hi, just my 2 cents: Have you ever heard of proxies? Maybe SOCKS proxies? There are lots of proxies out in the net which DO NOT log accesses or usage at all. So if someone is using such a proxy, then under normal circumstances it would mean a lot of work to trace it back to him. When using a proxy you don't have to worry about sniffing packets because they come right back to you. Or am I wrong?

Stephan

-----Original Message-----
From: Steffen Dettmer [mailto:steffen@dett.de]
Sent: Friday, 4 January 2002 22:58
To: suse-security@suse.de
Subject: Re: [suse-security] Somebody has tried to break in. What to do with him?

Hi *!

At first, I think the subject is wrong. I don't think that somebody really tried to break in; I would guess some scanner tool, and I cannot imagine that the http://../../etc/shadow attack has large chances for success...

* Kurt Seifried wrote on Fri, Jan 04, 2002 at 14:20 -0700:
> this is why shitty tcp-ip stacks (with guessable sequences/etc) are a problem.
This cannot be easily used, i.e. not by script kiddies, since you need to sniff the answer packets (at least in scans; in an exploit not necessarily, if you guess the seqs). Those answer packets get routed to the faked IP, and so you'd need control over a router in between...
> Plus let's say I have two boxes, I spoof connection from A (make it appear from B),
Well, then you have either to guess the seq no, which in the case of Linux is not trivial, or to sniff the answer packets. Usually you have to do something to prevent B from sending RST. So it's not that easy...
> if someone complains about B I go "I didn't do it, here, I can prove it, my isp now monitors that stuff outgoing!". Or let's say you have access to a bunch of computers on a hub network (sound familiar?) I can just spoof one of the other IPs, or using dsniff hijack arp/ip's/etc.
Well, in the same subnet it's not a problem. Maybe you can fake a switch with ARP fakes, but it's harder to spoof a router. In contrast to UDP (which is happily used by Windows :-) SCNR) it's not trivial to spoof it.
> TCP-IP doesn't even think about security.
Well, it's a networking protocol :)

[...full quote cut...]

Have a nice weekend, dear list.

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
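The thread argues that blind spoofing only works against stacks whose initial sequence numbers (ISNs) can be guessed, while a stack like Linux's makes that hard. The following is an added illustration, not code from this thread or from any of the posters, of the kind of check a defender can run over ISN samples gathered from their own hosts: it measures how often a trivial "next ISN = last ISN + last increment" guess would have been right. The two sample sets (a fixed-increment generator and a 32-bit random generator) are constructed here for the demonstration; the step value 64000 is illustrative, not a measurement of any real stack.

```python
"""Estimate how guessable a TCP stack's initial sequence numbers (ISNs) are.

Added example for the suse-security thread above; not code from the thread.
Feed `assess()` a list of ISNs observed on successive connections to a host.
The sample generators below are constructed inputs, not real captures.
"""
import random
from typing import List

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def naive_hits(isns: List[int]) -> int:
    """Count how often ISN[i] == ISN[i-1] + (ISN[i-1] - ISN[i-2]) mod 2^32.

    This is the simplest possible predictor: assume the stack keeps adding
    the same increment. A fixed-step generator is predicted every time.
    """
    hits = 0
    for i in range(2, len(isns)):
        delta = (isns[i - 1] - isns[i - 2]) % MOD
        if (isns[i - 1] + delta) % MOD == isns[i]:
            hits += 1
    return hits


def predictability(isns: List[int]) -> float:
    """Fraction of samples (after the first two) that the naive guess got right."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    return naive_hits(isns) / (len(isns) - 2)


def distinct_deltas(isns: List[int]) -> int:
    """Number of different consecutive increments seen; 1 means a constant step."""
    return len({(isns[i] - isns[i - 1]) % MOD for i in range(1, len(isns))})


def assess(isns: List[int]) -> str:
    """Rough verdict: 'weak' if the naive guess is right more than half the time."""
    return "weak" if predictability(isns) > 0.5 else "not trivially predictable"


# --- constructed sample inputs -------------------------------------------

def constant_step_isns(n: int, start: int = 0x1000, step: int = 64000) -> List[int]:
    """Mimics an old-style stack that bumps the ISN by a fixed amount per
    connection (step value chosen for illustration only)."""
    return [(start + i * step) % MOD for i in range(n)]


def random_isns(n: int, seed: int = 1) -> List[int]:
    """Mimics a stack that draws each ISN from a 32-bit random source.
    Seeded so the demonstration is reproducible; a real stack would not be."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, samples in (("fixed-step stack", constant_step_isns(20)),
                          ("random-ISN stack", random_isns(200))):
        print(f"{name}: predictability={predictability(samples):.2f} "
              f"distinct deltas={distinct_deltas(samples)} -> {assess(samples)}")
```

The naive predictor deliberately models only the weakest case the thread describes (a guessable, fixed increment); a stack can still be poor against smarter models while scoring well here, which is why OS fingerprinting tools such as nmap run several statistical tests on sampled ISNs rather than this one. The useful defensive reading of the output is the `weak` verdict: if your own host produces it, its TCP connections can be spoofed without the attacker ever seeing the reply packets, which is exactly the scenario Steffen argues is otherwise hard.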