[unisog] IPS

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Feb 9 19:25:03 GMT 2005


On Thu, 10 Feb 2005 08:01:04 +1300, Russell Fulton said:

> If it keeps enough state to know that it has seen a full TCP session
> with malicious content it is probably safe to block the IP although I
> would prefer it to just drop the malicious content and perhaps reset the
> session.

Note that spoofing an IP address for a TCP connection *should* be
quite difficult if the server properly implements RFC1948:

1948 Defending Against Sequence Number Attacks. S. Bellovin. May 1996.
     (Format: TXT=13074 bytes) (Status: INFORMATIONAL)
http://www.ietf.org/rfc/rfc1948.txt

However, many vendors don't seem to get this as right as you'd expect,
as Michal Zalewski discovered:

http://alon.wox.org/tcpseq.html

And a year later, things hadn't universally improved:

http://lcamtuf.coredump.cx/newtcp/

Remember - if there's even *one* box on your net that Zalewski's method will
work on, an attacker can leverage that to block *any* address they want....

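As an added illustration (not part of Valdis's message, the RFC, or any vendor's stack): the RFC 1948 construction ISN = M + F(localhost, localport, remotehost, remoteport, secret) beside the fixed-increment scheme it replaced, with a crude self-check that flags a generator whose ISNs for different peers fall inside a narrow window. The addresses, ports, secret and the window size are constructed assumptions.

```python
import hashlib
import os
import struct
import time
from typing import List, Optional, Sequence

MASK32 = 0xFFFFFFFF
BOOT_SECRET = os.urandom(16)   # constructed; a real stack draws this once at boot
_NAIVE_STATE = [0]


def rfc1948_isn(local: str, lport: int, remote: str, rport: int,
                secret: bytes = BOOT_SECRET, now: Optional[float] = None) -> int:
    """RFC 1948: ISN = M + F(local, lport, remote, rport, secret).
    M is the RFC's 4-microsecond clock; F is a keyed one-way function (the RFC
    suggests MD5). The hash term is fixed per 4-tuple, so only the holder of
    the secret can relate one connection's ISN to another's."""
    t = time.monotonic() if now is None else now
    m = int(t * 250_000) & MASK32                     # 4 us ticks
    data = f"{local}:{lport}>{remote}:{rport}".encode() + secret
    f = struct.unpack("<I", hashlib.md5(data).digest()[:4])[0]
    return (m + f) & MASK32


def naive_isn(local: str, lport: int, remote: str, rport: int,
              step: int = 64000, **_ignored) -> int:
    """Fixed-increment generator of the kind old stacks used: one ISN seen on
    any connection fixes the next ISN handed to any other peer."""
    _NAIVE_STATE[0] = (_NAIVE_STATE[0] + step) & MASK32
    return _NAIVE_STATE[0]


def isn_deltas(isns: Sequence[int]) -> List[int]:
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def looks_predictable(isns: Sequence[int], window: int = 1 << 20) -> bool:
    """Self-check: if the deltas between ISNs issued to *different* 4-tuples all
    sit inside `window` (assumed threshold), the generator leaks across peers."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISNs")
    return (max(deltas) - min(deltas)) < window


def sample(generator, peers: Sequence[tuple], **kw) -> List[int]:
    """One ISN per (remote_ip, remote_port) peer, from a fixed local endpoint."""
    return [generator("192.0.2.10", 22, ip, port, **kw) for ip, port in peers]
```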