Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Somebody has tried to break in. What to do with him?
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Fri, 4 Jan 2002 23:57:56 +0100
  • Message-id: <20020104235756.A16908@xxxxxxxxx>
* Kurt Seifried wrote on Fri, Jan 04, 2002 at 15:35 -0700:
> >This cannot be easily used, i.e. not by script kiddies, since you
> >need to sniff the answer packets (at least in scans; in exploit
> >not necessarily if you guess the seqs). Those answer packets get
> >routed to the faked IP and so you'd need control over a router in
> >between...
>
> No. You simply need a single box anywhere near the path that either directly
> sees the packets,

Well, I don't think that Script "The Kid" Average has access to
such a box.

> or can arp poison/etc to see them.

If that's possible. It's not possible behind ISDN or DSL lines,
since they don't use ARP and I hope that most routers won't be so
silly to accept ARP "reply" packets on the "wrong" interface; by
that, you shouldn't be able to modify its routing decision. I
would assume that most TCP scans with connect don't do any
address spoofing; and I think that's not even necessary, since
most ISPs won't care about such issues...

> Or an end host that will accept them (like someone's hacked
> home machine on adsl).

:) But in that case there is no address spoof taking place at
all.

> >Well, then you have either to guess seq no, which is in case of
> >linux not trivial or to sniff the answer packets. Usually you
> >have to do something to prevent B from sending RST. So it's not
> >that easy...
>
> I control B. End of story there =).

Yep, you control, not spoof :-)

> You need to go take a look at dsniff, very user friendly.

IIRC I tried it, or some other tool, but it worked in the local
subnet only. But I'm not sure here.

> >Well, it's a networking protocol :)
>
> And that is the wrong attitude (why we are in this mess right now =).

Again I don't think so. You can use more secure protocols on IP
like IPSec or use more secure protocols on top of TCP like
SSL/TLS. Finally, applications may secure the traffic, which is
the only way to have some kind of endpoint-endpoint security. I
think after all security in general is not that bad, with some
effort you can have servers online without being hacked :) And
finally, we make our money with it :-).

oki,

Steffen

--
This message was generated by machine,
so it bears neither signature nor seal.
