[Dshield] Hiding IP's

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Mon Aug 22 04:48:20 GMT 2005


On Sun, 21 Aug 2005 20:56:06 PDT, Brian Dessent said:

> Any time two computers on the internet establish a TCP connection, each
> knows the other's IP address with near 100% certainty.  It used to be
> that the random number generators used to choose initial sequence
> numbers in common TCP/IP stacks were substandard, allowing for the
> spoofing of the three-way handshake, but this has not been the case for
> a long time.  Anyone that tells you that spoofing a TCP connection is
> easy or trivial is probably lacking clue.

Actually, Michal Zalewski discovered that even after RFC1948 was written,
and most vendors had purportedly implemented some variant of it, things
were a lot worse than you might hope:

http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm

And a year later, things hadn't universally improved:

http://lcamtuf.coredump.cx/newtcp/

A 12% success rate against the version of Windows XP he tested certainly
seems to be well within "easy or trivial" - I admit not knowing whether SP1
or SP2 improved things....
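The RFC 1948 scheme the thread refers to keys the initial sequence number to the connection 4-tuple, so that what one peer observes about its own connections says nothing about the ISNs handed to anyone else. The following is an added illustration, not part of the original post or of any of the cited papers: it generates ISNs two ways, an old-style global counter versus an RFC 1948-style keyed hash, and scores each with a simple extrapolation check (does the next ISN land within a small window of the previous one, assuming the same delta as last time?). The HMAC-SHA256 construction, the 64000-per-connection bump, the secret, and the addresses and ports are all constructed assumptions; RFC 1948 leaves the exact hash function open.

```python
import hashlib
import hmac
from typing import Dict, List

MASK32 = 0xFFFFFFFF


def isn_rfc1948(secret: bytes, src: str, sport: int, dst: str, dport: int,
                now_us: int) -> int:
    """RFC 1948-style ISN: clock component plus a keyed hash F() of the
    connection 4-tuple.  Values for different peers (or different ports of
    the same peer) are unrelated, so they cannot be extrapolated from a
    third party's own connections.  HMAC-SHA256 truncated to 32 bits is an
    assumption made for this example; the RFC does not fix F()."""
    four_tuple = f"{src}:{sport}->{dst}:{dport}".encode()
    f = int.from_bytes(hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4], "big")
    clock = (now_us // 4) & MASK32          # RFC 793's 4-microsecond ISN clock
    return (clock + f) & MASK32


def isn_naive(state: Dict[str, int], now_us: int) -> int:
    """Pre-RFC 1948 style (constructed caricature): one global counter bumped
    by a fixed amount per connection, plus the 4-microsecond clock.  Every
    peer sees the same counter, so one connection reveals the next ISN."""
    state["n"] = (state["n"] + 64000) & MASK32
    clock = (now_us // 4) & MASK32
    return (state["n"] + clock) & MASK32


def within_window_rate(isns: List[int], window: int = 1 << 16) -> float:
    """Fraction of ISNs an observer could have placed within `window` of the
    previous ISN by assuming the same delta as the previous step (the most
    naive extrapolation).  Near 1.0 means predictable; near 0.0 means the
    per-connection component dominates."""
    deltas = [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]
    hits = 0
    for prev_d, d in zip(deltas, deltas[1:]):
        diff = (d - prev_d) & MASK32
        if diff < window or diff > (1 << 32) - window:   # wraparound-aware
            hits += 1
    return hits / (len(deltas) - 1)


def simulate(scheme: str, n: int = 200, gap_us: int = 10_000) -> float:
    """One observer opens n successive connections to the same server from
    varying source ports and scores how predictable the server's ISNs were.
    All values below are constructed for the example."""
    secret = b"constructed-boot-time-secret"   # a real stack draws this at boot
    state = {"n": 0}
    now = 0
    isns: List[int] = []
    for i in range(n):
        now += gap_us
        sport = 40000 + i
        if scheme == "rfc1948":
            isns.append(isn_rfc1948(secret, "203.0.113.5", sport, "198.51.100.7", 80, now))
        elif scheme == "naive":
            isns.append(isn_naive(state, now))
        else:
            raise ValueError(f"unknown scheme: {scheme}")
    return within_window_rate(isns)


if __name__ == "__main__":
    for scheme in ("naive", "rfc1948"):
        print(f"{scheme:8s} predictable-step rate: {simulate(scheme):.3f}")
```

The check here is deliberately crude; Zalewski's papers use phase-space (delayed-coordinate) plots of ISN deltas, which catch structure this single-step test misses. The useful point for a defender is the shape of the result: with a global counter the next ISN is pinned to a tiny window every time, while the keyed 4-tuple component makes one peer's observations useless for predicting another's connection, which is exactly the property that a stack either has or lacks regardless of how good its random number generator looks in isolation.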
