Joachim Schipper wrote:
> > See pf.conf(5) about max-src-conn, and compare it with
> > max-src-states. 
> 
> That's true. Sorry, should have RTFMP.
> 
> Regardless, while this makes the attack more difficult, the added
> difficulty doesn't amount to much. Hubs will allow sniffing easily,
> and switches can usually be degraded to hubs.

Perhaps I missed something in this thread, but what are you talking
about?  This is why you run SSH and not telnet--so that traffic sniffing
doesn't reveal the contents of the packets.  Also, quality manageable
switches can (and should) be configured so that overloading their MAC
table is pretty much impossible.

> Methinks a combination of sniffing the return traffic (SYN/ACK) and
> forging the response is enough (this is assuming the spoofed host does
> not return a RST for nonsense SYN/ACKs - I'm fairly certain that
> there's a way around that too, most likely just racing the gateway,
> but that would complicate matters unnecessarily).

Again I'm not certain what you are getting at here.  Perhaps it's too
early and I'm missing something, but this is another reason why one
would run OpenBSD as the TCP stack does a lot of bounds checking and
randomization which makes these attacks more difficult.  In addition to
this, SSH performs cryptographic session integrity.  As for the gateway,
it really has little to do with an SSH session between two hosts.

> I'm thinking of a couple of hosts, attached to a hub (or 'hubbable'
> switch).
> 
> If this attack really doesn't work, well, I'll be happy to learn
> something new and/or Read Some More FMP... but in the meanwhile, I can
> live with the log entries.
> 
> (Of course, the real Braindead Error above was me seemingly thinking
> that dropping the default gateway would help. Instead, drop some
> other, more interesting host.)

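To make the max-src-conn / max-src-states distinction from the top of this thread concrete, here is an added pf.conf fragment (not from the original poster and not from the OpenBSD documentation, just an illustration written for this page). It assumes an interface group named egress, SSH on its default port, and a table named <bruteforce>; all three names are assumptions chosen for the example.

```pf
# Added example, not part of the original thread. Names (egress,
# <bruteforce>) are assumptions for illustration.
table <bruteforce> persist
block in quick from <bruteforce>

# max-src-conn counts only TCP connections that have completed the
# 3-way handshake. A host that merely spoofs another address's SYNs
# never completes the handshake, so those SYNs do not count toward
# this limit and cannot by themselves trip the overload.
pass in on egress proto tcp to (egress) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

# max-src-states counts every state entry the source creates,
# half-open ones included. Here a flood of spoofed SYNs carrying the
# victim's source address does count, so an attacker can push the
# victim's address into the table without ever seeing a SYN/ACK.
# Keep this on a separate rule (or omit it) if the overload is meant
# to react only to real, completed connections.
pass in on egress proto tcp to (egress) port ssh flags S/SA keep state \
    (max-src-states 100, overload <bruteforce>)
```

The pf.conf(5) wording is the authority here: max-src-conn and max-src-conn-rate are evaluated only for connections that have completed the handshake, while max-src-states applies to all state entries a source address holds under the rule. Check a candidate file with pfctl -nf before loading it.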