"Spruell, Darren-Perot" <[EMAIL PROTECTED]> writes:
> From: Wolfgang S. Rupprecht
>> 2) Forging the source IP in a TCP packet and succeeding in negotiating
>>    the 3-way handshake isn't all that simple any more.  I wouldn't
>>    worry about it.  If someone could forge that reliably, there is
>>    much better game to go after (like breaking into machines that
>>    still use IP addresses for authorization.)  Someone spoofing an IP
>>    so that you mistakenly block an innocent party is pretty much
>>    wasting a good trick.
>
> Is it possible at all? You spoof your address to appear as my ISP for the
> source address of a TCP connection. You send a SYN packet seeming to appear
> from the ISP. I send SYN+ACK back to that ISP address. ISP drops it because
> that address never sent SYN in first place. You never get anything back,
> neither do I, and no TCP handshake occurs.
>
> Or does this involve a much more sophisticated attack than I'm imagining?

Spoofing the tcp connection is possible if you can guess what was in
the packet that the other side sent back in response to the first
spoofed syn.  Obviously you'll never see the packet, but the only
thing that you need to know that isn't obvious is the initial sequence
number.  Back in the early days of BSD the initial tcp-sequence number
wasn't all that hard to guess.  Predicting it was relatively easy if
the other side was a BSD system that didn't have too many tcp
connections per second.  

After each tcp connection the kernel incremented the initial sequence
number by some small, fixed amount.  Connecting up to any tcp port
would tell you what the kernel was currently using.  Connecting a few
times in a row would tell you how much it incremented the initial
number by for each connection.  It also gave one a rough idea how many
connections per second the kernel was seeing.

-wolfgang
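The fixed-increment behaviour Wolfgang describes is exactly what an auditor looks for when checking whether a host's ISN generator is safe. The following is an added example, not code from the thread or from any BSD: it takes a list of ISNs observed on successive connections to one host, computes the per-connection deltas modulo 2^32, classifies the generator as a fixed-step counter or not, and measures how many later ISNs a simple linear model would have matched. The two sample ISN lists are constructed, not captured data; the step of 64000 is an arbitrary illustrative value.

```python
"""ISN predictability audit (added example; sample data constructed)."""
from statistics import mean

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed samples, not captured traffic: a counter that advances by a
# fixed 64000 per connection (the weak pattern described in the thread),
# and a set of values chosen to look random.
FIXED_STEP_ISNS = [(0x1A2B3C00 + i * 64000) % MOD for i in range(8)]
RANDOM_LIKE_ISNS = [0x7F3A9C21, 0x0B1D44E9, 0xC9E3F002, 0x3310AB77,
                    0xE6027D5C, 0x58C1F9B0, 0x9A47E123, 0x2C0D66F4]


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn_generator(isns, tolerance=0):
    """Return ("fixed-increment", step) when every delta is the same value
    (within `tolerance`), otherwise ("unpredictable", None).

    A constant step means the next ISN is fully determined by the last
    one an observer saw, which is the weakness the thread describes."""
    deltas = isn_deltas(isns)
    if not deltas:
        raise ValueError("need at least two ISNs")
    if max(deltas) - min(deltas) <= tolerance:
        return ("fixed-increment", round(mean(deltas)))
    return ("unpredictable", None)


def linear_model_hits(isns, train=3):
    """Learn a step from the first `train` samples, then count how many of
    the remaining ISNs equal previous_isn + step.  Returns (hits, tried).

    A high hit ratio is the audit finding: the generator leaks its next
    value to anyone who has seen its recent ones."""
    if len(isns) <= train:
        raise ValueError("need more samples than the training window")
    step = round(mean(isn_deltas(isns[:train])))
    hits = 0
    for prev, actual in zip(isns[train - 1:], isns[train:]):
        if (prev + step) % MOD == actual:
            hits += 1
    return hits, len(isns) - train


if __name__ == "__main__":
    for label, sample in (("fixed-step counter", FIXED_STEP_ISNS),
                          ("random-looking", RANDOM_LIKE_ISNS)):
        kind, step = classify_isn_generator(sample)
        hits, tried = linear_model_hits(sample)
        print(f"{label}: {kind} (step={step}), "
              f"linear model matched {hits}/{tried} later ISNs")
```

In practice the ISNs would come from a packet capture of a few probe connections to the host under test; any result other than zero linear-model hits on a modern stack is worth investigating, since randomised ISNs (per RFC 6528-style hashing) should never follow a constant step.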
