[Dshield] Here's a good idea

Brian Dessent brian at dessent.net
Tue Apr 13 12:44:39 GMT 2004


Miles Stevenson wrote:
> 
> On Thursday 01 April 2004 05:05 pm, David Cary Hart wrote:
> > Just noticed this on Freshmeat
> >
> > cmdblock: A tool that scans Apache logs and adds IIS exploiters to an
> > iptable ruleset.
> 
> You definitely want to be careful using "auto-blockers" like this. It's very
> easy to spoof someone's IP and have that person added to the blocklist. If

Maybe it was easy at some point in time, but unless we're talking about
Windows 98 here, the algorithm used in most stacks to choose the initial
sequence number needed for the three-way handshake makes this quite
hard.  Reference: http://lcamtuf.coredump.cx/newtcp/

I want to cringe when people casually throw out the line that "spoofing
IP addresses is trivial."  (Not counting stateless protocols like UDP,
etc.)

Brian
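The thread above discusses an auto-blocker that turns Apache log entries into iptables rules and the worry that it could be fed false positives. The script below is an added example (not cmdblock and not code from anyone on this list) of how such a scanner can be written defensively: it only blocks an address after a threshold of probe requests, skips an operator allowlist, and refuses to block RFC 1918 or loopback space. The log regex, the probe-pattern list, the never-block ranges, and the sample log lines are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Matches the Apache "common"/"combined" log format (hypothetical regex
# written for this example; adjust it if your LogFormat differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request substrings typical of automated IIS probes (constructed list).
IIS_PROBE_PATTERNS = ("/scripts/..", "cmd.exe", "root.exe", "default.ida")

# Ranges an auto-blocker should never push into the firewall, whatever the
# log says: RFC 1918 space plus loopback (constructed policy for this example).
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample log lines: RFC 5737 documentation addresses plus one
# RFC 1918 host and one unparseable line.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2004:12:40:01 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.5 - - [13/Apr/2004:12:40:02 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 290
198.51.100.7 - - [13/Apr/2004:12:41:10 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.9 - - [13/Apr/2004:12:42:00 +0000] "GET /cmd.exe HTTP/1.0" 404 290
10.0.0.4 - - [13/Apr/2004:12:43:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
garbage line that does not parse
"""


def is_iis_probe(path):
    """True if the request path contains one of the probe signatures."""
    p = path.lower()
    return any(pat in p for pat in IIS_PROBE_PATTERNS)


def scan_log(lines, threshold=2, allowlist=()):
    """Return the sorted list of source IPs that should be blocked.

    An address is blocked only if it sent at least `threshold` probe
    requests, is not on the allowlist, and is not inside a never-block range.
    """
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: ignore it rather than guess
        if is_iis_probe(m.group("path")):
            hits[m.group("ip")] += 1

    blocked = []
    for ip, count in hits.items():
        if count < threshold or ip in allowlist:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address we can safely put in a rule
        if any(addr in net for net in NEVER_BLOCK):
            continue
        blocked.append(ip)
    return sorted(blocked)


def iptables_rules(ips):
    """Render one DROP rule per address, the form a cmdblock-style tool emits."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(scan_log(SAMPLE_LOG.splitlines())):
        print(rule)
```

With the sample input, only 203.0.113.5 reaches the two-request threshold; 192.0.2.9 sent a single probe and 10.0.0.4 sits in never-block space, so neither becomes a rule. The threshold is the knob that addresses the false-positive concern raised in the thread: a single logged request, spoofed or not, does not get anyone blocked.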
