Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Somebody has tried to break in. What to do with him?
  • From: "OKDesign oHG Security Administrator" <security@xxxxxxxxxxx>
  • Date: Fri, 4 Jan 2002 23:26:01 +0100

Just my 2 cents:
Have you ever heard of proxies? Maybe SOCKS proxies? There are lots of
proxies out in the net which DO NOT protocol accesses or usage at all.
So if someone is using such a proxy, then under normal circumstances it would
mean a lot of work to trace it back to him.
When using a proxy you don't have to worry about sniffing packages because
they come right back to you.
Or am I wrong?


-----Original Message-----
From: Steffen Dettmer [mailto:steffen@xxxxxxx]
Sent: Friday, 4 January 2002 22:58
To: suse-security@xxxxxxx
Subject: Re: [suse-security] Somebody has tried to break in. What to do
with him?

Hi *!

At first, I think the subject is wrong. I don't think that
somebody really tried to break in; I would guess some scanner
tool, and I cannot imagine that the http://../../etc/shadow
attack has large chances for success...

* Kurt Seifried wrote on Fri, Jan 04, 2002 at 14:20 -0700:
> this is why shitty tcp-ip stacks (with guessable sequences/etc) are a
> problem.

This cannot be easily used, i.e. not by script kiddies, since you
need to sniff the answer packets (at least in scans; in exploit
not necessarily if you guess the seqs). Those answer packets get
routed to the faked IP and so you'd need control over a router in

> Plus let's say I have two boxes, I spoof connection from A (make it
> appear from B),

Well, then you have either to guess seq no, which is in case of
Linux not trivial, or to sniff the answer packets. Usually you
have to do something to prevent B from sending RST. So it's not
that easy...

> if someone complains about B I go "I didn't do it, here, I
> can prove it, my isp now monitors that stuff outgoing!". Or let's say you
> have access to a bunch of computers on a hub network (sound familiar?) I
> just spoof one of the other IP's, or using dsniff hijack arp/ip's/etc.

Well, in the same subnet it's not a problem. Maybe you can fake
a switch with ARP fakes, but it's harder to spoof a router. In
contrast to UDP (which is happily used by Windows :-) SCNR) it's
not trivial to spoof it.

> TCP-IP doesn't even think about security.

Well, it's a networking protocol :)

[...full quote cut...]

Have a nice weekend, dear list.



This message was generated automatically
and therefore bears neither signature nor seal.

To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx
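The thread's core technical point is that blind TCP spoofing stands or falls with whether the target stack's initial sequence numbers (ISNs) can be guessed from earlier ones. As an added example, not code from this thread or from any of its participants, the Python script below scores a list of observed ISNs for predictability with a naive "the last increment repeats" forecast, which is the forecast that defeats a fixed-step ISN generator. Both ISN generators are constructed models for illustration (the 64000 step, the seed and all function names are assumptions); a defender auditing a stack would feed `prediction_hit_rate` the ISNs collected from that stack's SYN/ACKs instead.

```python
# Added example (not from the original thread): scores how predictable a TCP
# stack's initial sequence numbers (ISNs) are from a list of observed values.
# Both generators below are constructed models, not real kernel code.
import random

MASK32 = 0xFFFFFFFF


def naive_isn_generator(start=0, step=64000):
    """Constructed model of an old-style ISN: a fixed increment per connection."""
    isn = start
    while True:
        yield isn & MASK32
        isn += step


def randomized_isn_generator(rng):
    """Constructed model of a randomized ISN: 32 fresh random bits per connection."""
    while True:
        yield rng.getrandbits(32)


def sample(generator, count):
    """Collect `count` successive ISNs, as if read from captured SYN/ACK packets."""
    return [next(generator) for _ in range(count)]


def predict_next(observed):
    """Naive forecast: assume the last increment repeats (needs two prior values)."""
    if len(observed) < 2:
        return None
    increment = (observed[-1] - observed[-2]) & MASK32
    return (observed[-1] + increment) & MASK32


def wrap_distance(a, b):
    """Distance between two 32-bit values on the sequence-number circle."""
    d = (a - b) & MASK32
    return min(d, (1 << 32) - d)


def prediction_hit_rate(isns, window=1 << 16):
    """Fraction of ISNs that the naive forecast lands within `window` of.

    Near 1.0 means the stack is trivially predictable; a randomized stack should
    score close to 0, since each guess hits with probability about 2*window/2^32.
    """
    hits = trials = 0
    for i in range(2, len(isns)):
        guess = predict_next(isns[:i])
        trials += 1
        if wrap_distance(isns[i], guess) < window:
            hits += 1
    return hits / trials if trials else 0.0


def assess(isns, threshold=0.5):
    """Verdict for a list of observed ISNs."""
    return "predictable" if prediction_hit_rate(isns) >= threshold else "unpredictable"


def demo_rates(seed=2002, count=200):
    """Hit rates of the two constructed generators side by side (seed is assumed)."""
    naive = sample(naive_isn_generator(), count)
    randomized = sample(randomized_isn_generator(random.Random(seed)), count)
    return {"fixed_step": prediction_hit_rate(naive),
            "randomized": prediction_hit_rate(randomized)}


if __name__ == "__main__":
    for name, rate in demo_rates().items():
        print(f"{name:>11}: hit rate {rate:.3f}")
```

Run as-is it reports a hit rate of 1.0 for the fixed-step model and roughly 0 for the randomized one. The window of 2^16 is deliberately generous: it counts a forecast as a hit if it lands anywhere a spoofer could cover by trying every value in a small range, which is the realistic criterion when judging whether a stack's ISNs are "guessable" in the sense the thread discusses.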
