[linux-security] Re: masquerading
daemon@ATHENA.MIT.EDU (Michael Cunningham)
Fri Jun 19 07:10:47 1998
From: "Michael Cunningham" <malice@exit109.com>
To: "Ed Padin" <epadin@wagweb.com>, <linux-security@redhat.com>
Date: Fri, 19 Jun 1998 01:46:02 -0400
In-Reply-To: <ED29C0E690D4D1118B3E00104B1F46923E66@ntbox.wagweb.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
>I don't know how this holds up against address spoofing but I don't
>think spoofing is very useful without source-routing (which should
>always be turned off in your kernel config!)**
>** Only 95% sure of this statement so please correct me if need be. My
>take is that source spoofing can only be used for break-in attacks when
>coupled with source-routing. Source routing is the only way to get
>spoofed packets back to the "real" source of the spoofed packets.
>Spoofing is still usable and difficult to trace for DoS attacks.
Actually, as far as I am aware you do not need source-routing to successfully
complete a spoofing attack. It of course is more difficult without
source routing since you are blindly transmitting packets without seeing
responses, but if you know what kind of input the good guy is going to
expect and you know what kind of output the good guy is going to transmit
you can successfully complete something such as a trust relationship
exploitation attack. Say machine A and B have a rlogin trust relationship
allowing anyone from A to log into B and vice versa without a password.
If you are on C and spoof A's address while D.O.S.'ing A you can make a
blind connection to B and transmit the correct packets to open the
rlogin connection. This would then allow you to log into B as a user from
A and open up a hole for yourself in the future by creating a .rhosts in
the user's home directory with a host that you have control over outside
of their network. This attack is almost impossible on a correctly
configured UP TO DATE linux box since most DOS attacks that are known are
fully patched in Linux. Although... who knows what will be figured out
an hour from now :( Because he would be using SSH, I would think a
spoofing attack would be almost impossible, although with the recent holes
found in ssh I can't say that it is totally impossible.
See Phrack Magazine issue 48 for a more detailed discussion of IP-spoofing.
http://www.phrack.com
Mike Cunningham
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
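The thread above rests on two defensive points: the kernel should refuse source-routed packets (and, on kernels that support it, drop packets whose source address is not routable back through the arriving interface), and rlogin trust files should not grant wildcard access that a blind spoofed connection could turn into a persistent `.rhosts` entry. The audit script below is an added example, not code from the original post or from the list; it assumes the modern Linux sysctl tree under `/proc/sys/net/ipv4/conf/*/` (`accept_source_route`, `rp_filter`), and the fixture tree it builds (`make_fixture`) is constructed sample data, not a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit the assumptions the
# thread leans on. ROOT is parameterised so the same functions run against
# a constructed fixture tree as well as a live host (ROOT=/).

# source_routing_off ROOT: 0 if every interface ignores source-routed packets.
source_routing_off() {
    root="$1"
    for f in "$root"/proc/sys/net/ipv4/conf/*/accept_source_route; do
        [ -f "$f" ] || continue            # unmatched glob: nothing to check
        [ "$(cat "$f")" = "0" ] || { echo "source routing accepted: $f"; return 1; }
    done
    return 0
}

# rp_filter_on ROOT: 0 if reverse-path filtering (1 strict, 2 loose) is on
# for every interface, so a packet whose source address is not routable back
# through the interface it arrived on is dropped instead of delivered.
rp_filter_on() {
    root="$1"
    for f in "$root"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            1|2) ;;
            *) echo "reverse-path filter off: $f"; return 1 ;;
        esac
    done
    return 0
}

# rhosts_wildcards FILE: 0 if FILE (an .rhosts or hosts.equiv) has no '+'
# wildcard in the host or user field; prints the offending lines and returns
# 1 otherwise. An absent file grants no trust, so it passes.
rhosts_wildcards() {
    file="$1"
    [ -f "$file" ] || return 0
    bad=$(grep -v '^[[:space:]]*#' "$file" |
          grep -E '^[[:space:]]*\+|[[:space:]]\+[[:space:]]*$') || true
    if [ -n "$bad" ]; then
        echo "wildcard trust in $file:"; echo "$bad"
        return 1
    fi
    return 0
}

# audit_host ROOT: run every check; returns 1 if any check found a problem.
audit_host() {
    root="$1"; status=0
    source_routing_off "$root" || status=1
    rp_filter_on "$root" || status=1
    for f in "$root"/etc/hosts.equiv "$root"/root/.rhosts "$root"/home/*/.rhosts; do
        rhosts_wildcards "$f" || status=1
    done
    return $status
}

# make_fixture: build a constructed tree (not real host data) with one
# interface still accepting source-routed packets and one wildcard .rhosts.
make_fixture() {
    dir=$(mktemp -d)
    for i in all eth0; do
        mkdir -p "$dir/proc/sys/net/ipv4/conf/$i"
        echo 1 > "$dir/proc/sys/net/ipv4/conf/$i/rp_filter"
    done
    echo 0 > "$dir/proc/sys/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$dir/proc/sys/net/ipv4/conf/eth0/accept_source_route"   # the weak setting
    mkdir -p "$dir/home/alice" "$dir/home/bob"
    printf 'hostA alice\n' > "$dir/home/alice/.rhosts"                 # specific host and user
    printf '# trust everyone\n+ +\n' > "$dir/home/bob/.rhosts"         # wildcard: anyone, anywhere
    echo "$dir"
}

# Usage: sh audit.sh /            (live host, needs read access to /home/*/.rhosts)
#        sh audit.sh "$(make_fixture)" is not possible from outside the script,
#        so source it instead: . ./audit.sh; audit_host "$(make_fixture)"
if [ $# -gt 0 ]; then
    audit_host "$1" && echo "OK: $1" || echo "FINDINGS: $1"
fi
```

Each check is a separate function so it can be wired into a cron job or a configuration-management check on its own; `audit_host` only aggregates them. The `.rhosts` scan looks for the `+` wildcard in either field, which is the form that turns a single blind spoofed login into standing access for any host or any user.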