On Fri, 26 Oct 2007 00:43:10 +0400, 3APA3A said:
Valdis, you should back to Cretaceous period, because Oliver talks
about man-in-the-middle attack, not about blind TCP spoofing.
Randomized ISN doesn't protect against MitM.
Doing a MitM is basically just spoofing two connections at the same time. If
you know how to do one, you know how to do two. And if you know how to do one
of them *blind*, it vastly increases your options (as you only need to be able
to see the traffic in one direction rather than both). Also, knowing your
history gives you a leg up - I'm quite sure that very few of the skript kiddies
who now think a SYN-flood is just a useful DDoS attack realize that the
*original* use was to spam a machine into a state where it couldn't send an RST
packet to your victim box when it saw the replies to the forged packets you
were blind-spoofing.
Now - what *other* ways can you leverage the idea that you can make an RST
packet "Not Happen"? Remember - if you're the attacker, you *want* to be
exploiting odd corner cases of the protocol, and it's perfectly fair to abuse
a trick that nobody bothers defending against anymore because they've forgotten
it....
Of course, these days it's probably easier to play some DNS spoofing games so
that the victim connects to your server and you then proxy to wherever it was
really intended to go. Or just create a phish.
pgpbckIW0gScm.pgp
Description: PGP signature
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
