[Dshield] Here's a good idea

Miles Stevenson miles at mstevenson.org
Tue Apr 13 15:07:35 GMT 2004



<snip>
> I want to cringe when people casually throw out the line that "spoofing
> IP addresses is trivial."  (Not counting stateless protocols like UDP,
> etc.)
</snip>

I agree. At least to the point that spoofing an address and using it to 
establish a TCP session is difficult. I wasn't thinking along the lines of 
session establishment though. You should be able to get a full HTTP URL 
request for cmd.exe into the first initial SYN packet, thus making sequence 
number guessing unnecessary. I have not tested that though. Does anyone know 
if it works? 

Or maybe the modern OS is smart enough to realize that there should not be 
any layer 7 data in the initial SYN and reject/ignore the packet. That would 
be an interesting test for a rainy day...

Of course, I am also making the assumption that cmdblock would add the source 
address to the blocklist after only seeing the initial SYN. I realize it 
would probably be best to test such a theory before posting it, but I tried 
to convey that I was just giving a word of warning, not proof of an 
exploitable vulnerability. My apologies if that was misunderstood. 

-- 
Miles Stevenson
miles at mstevenson.org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
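An added example (not from the original post or from the cmdblock tool) of the check a blocklisting tool could apply against the spoofing concern raised above: a minimal IPv4/TCP parser that ignores any payload carried in a bare SYN, whose source address has not been verified by the handshake, and only acts on segments of an acknowledged session. The packet bytes and the cmd.exe request are constructed here for illustration.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
PATTERN = b"cmd.exe"

def _ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_packet(src, dst, flags, payload=b""):
    """Construct a minimal IPv4 + TCP packet (checksums left zero; illustration only)."""
    total_len = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         _ip4(src), _ip4(dst))
    # src port, dst port, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload

def parse_packet(pkt):
    """Return (src_ip, tcp_flags, payload) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in pkt[12:16])
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    return src_ip, tcp[13], tcp[data_off:]

def blocklist_decision(pkt):
    """Decide whether a packet justifies adding its source address to a blocklist.
    A SYN without ACK has not completed the handshake, so its source address is
    unverified and may be spoofed: any data it carries is ignored rather than
    treated as evidence against that address."""
    src_ip, flags, payload = parse_packet(pkt)
    if flags & SYN and not flags & ACK:
        return False, "bare SYN: source unverified, payload ignored"
    if PATTERN in payload.lower():
        return True, f"{src_ip}: {PATTERN.decode()} request in an acknowledged session"
    return False, "no match"

# Constructed sample traffic (documentation addresses, not real hosts).
REQUEST = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
SPOOFABLE = build_packet("192.0.2.10", "198.51.100.5", SYN, REQUEST)       # data in initial SYN
ESTABLISHED = build_packet("192.0.2.10", "198.51.100.5", PSH | ACK, REQUEST)

if __name__ == "__main__":
    for name, pkt in (("SYN+data", SPOOFABLE), ("PSH/ACK", ESTABLISHED)):
        print(name, blocklist_decision(pkt))
```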