Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Somebody has tried to break in. What to do with him?
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Fri, 4 Jan 2002 22:57:46 +0100
  • Message-id: <20020104225746.A16435@xxxxxxxxx>
Hi *!

At first, I think the subject is wrong. I don't think that
somebody really tried to break in; I would guess some scanner
tool, and I cannot imagine that the http://../../etc/shadow
attack has a large chance of success...

* Kurt Seifried wrote on Fri, Jan 04, 2002 at 14:20 -0700:
> this is why shitty tcp-ip stacks (with guessable sequences/etc) are a
> problem.

This cannot be easily used, i.e. not by script kiddies, since you
need to sniff the answer packets (at least in scans; in exploits
not necessarily if you guess the seqs). Those answer packets get
routed to the faked IP and so you'd need control over a router in
between...

> Plus let's say I have two boxes, I spoof connection from A (make it
> appear from B),

Well, then you either have to guess the seq no, which in the case of
Linux is not trivial, or to sniff the answer packets. Usually you
have to do something to prevent B from sending a RST. So it's not
that easy...

> if someone complains about B I go "I didn't do it, here, I
> can prove it, my isp now monitors that stuff outgoing!". Or let's say you
> have access to a bunch of computers on a hub network (sound familiar?) I can
> just spoof one of the other IP's, or using dsniff hijack arp/ip's/etc.

Well, in the same subnet it's not a problem. Maybe you can fake
a switch with ARP fakes, but it's harder to spoof a router. In
contrast to UDP (which is happily used by Windows :-) SCNR) it's
not trivial to spoof it.

> TCP-IP doesn't even think about security.

Well, it's a networking protocol :)

[...full quote cut...]

Have a nice weekend, dear list.

oki,

Steffen

--
This message was generated by machine,
so it bears neither signature nor seal.
