[749] in bugtraq


Re: Router filtering not enough! (Was: Re: CERT advisory )

daemon@ATHENA.MIT.EDU (Jim Duncan)
Tue Jan 24 19:43:45 1995

To: rens@imsi.com
Cc: ddrew@mci.net, firewalls@GreatCircle.COM, bugtraq@fc.net, z056716@uprc.com
In-Reply-To: Your message of "Tue, 24 Jan 1995 11:17:48 EST."
             <9501241617.AA07921@lorax.imsi.com> 
Date: Tue, 24 Jan 1995 18:01:33 -0500
From: Jim Duncan <jim@math.psu.edu>

Rens Troost writes:
> This does not require spoofing or
> source-routing, although the current attackers seem to be using
> spoofing and source routing, count on them to start using more
> pernicious methods soon.

The current attack does _not_ use source routing; the acknowledgements are
never seen by the attackers.  It wasn't mentioned in your recent letter, but
they are _not_ hijacking an existing connection, either.  Almost everybody
I've talked to has assumed that source routing is used and an existing
connection must be hijacked.  Neither is correct in this attack.  I made
this assumption too, and "got corrected". :-)

Dunno why the assumptions are so prevalent, but I assume we all read them
into some paper on the subject.  In this case, the attackers start a new
connection, and other than the initial probe, complete the attack entirely
in the blind.

> As has been pointed out, only network or
> transport-level encryption will entirely block these attacks.

That's correct.  That and teach people the difference between identification
and authentication.

	Jim


