[Dshield] Hiding IP's
brian at dessent.net
Mon Aug 22 06:58:59 GMT 2005
Valdis.Kletnieks at vt.edu wrote:
> Actually, Michal Zalewski discovered that even after RFC1948 was written,
> and most vendors had purportedly implemented some variant of it, things
> were a lot worse than you might hope:
> And a year later, things hadn't universally improved:
> A 12% success rate against the version of Windows XP he tested certainly
> seems to be well within "easy or trivial" - I admit not knowing whether SP1
> or SP2 improved things....
You're right of course, and I did read both of those papers when they
were released. I do know that MS issued a patch that backported their
win2k ISN generator to NT 4.0, and then wiped their hands and called it
a day. According to their literature win2k and beyond do not suffer
from any ISN vulnerabilities so I suppose MS doesn't feel it's worth
improving. I guess I must have glossed over the conclusion in the "one
year later" followup that it was still not sufficient.
I skipped the statistical details of the Zalewski papers so I don't know
what the 12% actually means precisely in real terms. I'm not sure I
would call it trivial, because it seems like you still have to exhaust a
lot of bandwidth in order to guess correctly.
In the context of hiding one's presence on the net for general use
patterns, it still doesn't really change the picture since
- the spoofer gets a unidirectional write-only connection since he does
not receive any response packets.
- linux and the bsds still have the majority of the server OS market,
and their IP stacks implemented 1948.
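The thread turns on what RFC 1948 actually changes about initial sequence numbers. The following is an added illustration, not code from this list or from any vendor's stack: a minimal RFC 1948-style ISN generator (ISN = M + F(local addr, local port, remote addr, remote port, secret), with M the RFC 793 clock that ticks every 4 microseconds and F the MD5 hash the RFC names) next to a plain RFC 793 clock generator. The per-host secret, the tuple encoding and the `clock_us` parameter (a microsecond timestamp passed in so runs are repeatable) are assumptions of this example. It shows the property the post relies on: with a per-tuple offset, an ISN observed on one connection says nothing about the ISN another 4-tuple will get, while a bare clock leaks the offset directly. It says nothing about how well any particular vendor implemented the scheme, which is what Zalewski's measurements were about.

```python
import hashlib
import os
import struct

MASK32 = 0xFFFFFFFF


class Rfc793ClockIsn:
    """Pre-RFC 1948 scheme: the ISN is just a global 32-bit clock."""

    def isn(self, laddr, lport, raddr, rport, clock_us):
        # RFC 793: the ISN clock is incremented once every 4 microseconds.
        return (clock_us // 4) & MASK32


class Rfc1948Isn:
    """RFC 1948 scheme: clock plus a keyed per-4-tuple offset."""

    def __init__(self, secret=None):
        # Secret chosen at boot; RFC 1948 suggests changing it periodically.
        # (Assumed 16-byte secret; the RFC does not fix a size.)
        self.secret = secret if secret is not None else os.urandom(16)

    def _offset(self, laddr, lport, raddr, rport):
        # F(localhost, localport, remotehost, remoteport, secret).
        # The encoding of the tuple is an assumption of this example.
        data = b"|".join([
            laddr.encode(), str(lport).encode(),
            raddr.encode(), str(rport).encode(),
            self.secret,
        ])
        digest = hashlib.md5(data).digest()  # MD5 as in RFC 1948 section 3
        return struct.unpack("!I", digest[:4])[0]

    def isn(self, laddr, lport, raddr, rport, clock_us):
        m = (clock_us // 4) & MASK32
        return (m + self._offset(laddr, lport, raddr, rport)) & MASK32


def isn_delta(gen, conn_a, conn_b, clock_a_us, clock_b_us):
    """Signed 32-bit difference between the ISNs two connections receive."""
    a = gen.isn(*conn_a, clock_a_us)
    b = gen.isn(*conn_b, clock_b_us)
    return (b - a) & MASK32


# Constructed sample connections: a client to a web server, and a second
# client to the same server 1 ms (250 clock ticks) later.
CONN_A = ("192.0.2.10", 40000, "198.51.100.5", 80)
CONN_B = ("192.0.2.20", 40000, "198.51.100.5", 80)
T0_US = 1_000_000
T1_US = T0_US + 1_000  # +1 ms -> +250 ISN clock ticks


def demo():
    plain = Rfc793ClockIsn()
    keyed = Rfc1948Isn(secret=b"constructed-example-secret")
    return {
        # Bare clock: a second connection's ISN is the first plus elapsed ticks.
        "clock_cross_tuple": isn_delta(plain, CONN_A, CONN_B, T0_US, T1_US),
        # RFC 1948, same 4-tuple: still advances with the clock, so a reused
        # port pair keeps the sequence-space separation RFC 793 wanted.
        "rfc1948_same_tuple": isn_delta(keyed, CONN_A, CONN_A, T0_US, T1_US),
        # RFC 1948, different 4-tuple: the delta is the difference of two
        # keyed hashes, unrelated to elapsed time.
        "rfc1948_cross_tuple": isn_delta(keyed, CONN_A, CONN_B, T0_US, T1_US),
    }


if __name__ == "__main__":
    for name, delta in demo().items():
        print(f"{name}: {delta}")
```

The only quantity an outsider can observe across connections is elapsed time; the scheme is sound to the extent that the offset F cannot be recovered from a handful of sampled ISNs, which is exactly what the papers cited in the thread measured.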