Re: [Sheflug] Re: Security : Port scanning
Spoofing an address for port scanning isn't likely to be of much
use as you can't see the results coming back or am I missing something?
Here's one use (someone else's explanation):
First, the target host
is chosen. Next, a pattern of trust is discovered, along with a
trusted host. The trusted host is then disabled, and the target's TCP
sequence numbers are sampled. The trusted host is impersonated, the
sequence numbers guessed, and a connection attempt is made to a
service that only requires address-based authentication. If
successful, the attacker executes a simple command to leave a
backdoor.
Preventative measures (same source):
--[ Be Un-trusting and Un-trustworthy ]--
One easy solution to prevent this attack is not to rely
on address-based authentication. Disable all the r* commands,
remove all .rhosts files and empty out the /etc/hosts.equiv file.
This will force all users to use other means of remote access
(telnet, ssh, skey, etc).
--[ Packet Filtering ]--
If your site has a direct connect to the Internet, you
can use your router to help you out. First make sure only hosts
on your internal LAN can participate in trust-relationships (no
internal host should trust a host outside the LAN). Then simply
filter out *all* traffic from the outside (the Internet) that
purports to come from the inside (the LAN).
--[ Cryptographic Methods ]--
An obvious method to deter IP-spoofing is to require
all network traffic to be encrypted and/or authenticated. While
several solutions exist, it will be a while before such measures are
deployed as de facto standards.
--[ Initial Sequence Number Randomizing ]--
Since the sequence numbers are not chosen randomly (or
incremented randomly) this attack works. Bellovin describes a
fix for TCP that involves partitioning the sequence number space.
Each connection would have its own separate sequence number space.
The sequence numbers would still be incremented as before, however,
there would be no obvious or implied relationship between the
numbering in these spaces. Suggested is the following formula:
ISN=M+F(localhost,localport,remotehost,remoteport)
Where M is the 4 microsecond timer and F is a cryptographic hash.
F must not be computable from the outside or the attacker could
still guess sequence numbers. Bellovin suggests F be a hash of
the connection-id and a secret vector (a random number, or a host
related secret combined with the machine's boot time).
Jonathan
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
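The "Packet Filtering" advice above (drop anything arriving from the Internet that claims an inside source address, and let only LAN hosts take part in trust relationships) can be expressed as a small decision function. The following is an added example, not code from the post or its quoted source; the interface names, the internal prefixes and the sample packets are constructed for the demonstration. It goes slightly beyond the text in two places, both marked in the code: it also drops packets leaving the LAN with a non-LAN source (the mirror of the inbound rule), and it enforces the "no trust from outside" point at the router by refusing inbound connections to the rlogin/rsh ports (513/514).

```python
import ipaddress

# Constructed for this example: the site's internal prefixes and interface
# names. A real router would carry these in its own configuration.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("10.1.0.0/16"),
]
OUTSIDE_IF = "wan0"   # faces the Internet
INSIDE_IF = "lan0"    # faces the LAN

# Address-based-trust services that should never be reachable from outside.
# 513 = rlogin, 514 = rsh (the r* commands the text says to disable).
TRUST_SERVICE_PORTS = {513, 514}


def is_internal(addr):
    """True if addr belongs to one of the site's own LAN prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def anti_spoof_decision(ingress_if, src, dst, dport):
    """Return 'ACCEPT' or 'DROP:<reason>' for one packet header.

    Rule 1 (from the text): a packet arriving on the outside interface whose
    source claims to be inside the LAN is a spoof and is dropped.
    Rule 2 (added mirror of rule 1): a packet arriving from the LAN whose
    source is not a LAN address is dropped, so our site cannot be used to
    spoof others.
    Rule 3 (router-side reading of "no internal host should trust a host
    outside the LAN"): inbound connections to r* service ports are dropped.
    """
    try:
        src_is_internal = is_internal(src)
    except ValueError:
        # Unparseable addresses never get the benefit of the doubt.
        return "DROP:unparseable-source"

    if ingress_if == OUTSIDE_IF:
        if src_is_internal:
            return "DROP:spoofed-internal-source"
        if dport in TRUST_SERVICE_PORTS:
            return "DROP:trust-service-from-outside"
        return "ACCEPT"

    if ingress_if == INSIDE_IF:
        if not src_is_internal:
            return "DROP:egress-source-not-internal"
        return "ACCEPT"

    return "DROP:unknown-interface"


# Constructed sample headers: (ingress interface, src, dst, dst port).
SAMPLE_PACKETS = [
    ("wan0", "192.168.10.7", "192.168.10.20", 514),   # outside, claims LAN src
    ("wan0", "203.0.113.9", "192.168.10.20", 80),     # ordinary inbound web
    ("wan0", "203.0.113.9", "192.168.10.20", 513),    # rlogin from outside
    ("lan0", "192.168.10.7", "203.0.113.9", 443),     # ordinary outbound
    ("lan0", "203.0.113.50", "203.0.113.9", 80),      # LAN host forging src
    ("wan0", "not-an-ip", "192.168.10.20", 80),       # garbage header
]


def filter_packets(packets):
    """Run every sample header through the policy; returns a list of decisions."""
    return [anti_spoof_decision(*pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(f"{pkt[0]:5} {pkt[1]:>15} -> {pkt[2]:>15}:{pkt[3]:<4} {verdict}")
```

The reasons in the DROP verdicts are there so the same function can feed a log line; a defender reading the router logs wants to know whether a drop was a spoof attempt or just an outsider knocking on rlogin.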
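The "Initial Sequence Number Randomizing" section gives the formula ISN = M + F(localhost, localport, remotehost, remoteport) with M a 4 microsecond timer and F a keyed hash over the connection id and a host secret. The block below is an added example of that scheme, written for this page rather than taken from the post, its quoted source, or any real TCP stack. It uses HMAC-SHA-256 as F (the text only says "a cryptographic hash"; the concrete choice and the 32-byte secret drawn at start-up are assumptions), and it exposes the pieces so the two properties the text relies on can be checked: within one connection's space the numbers still advance with the clock, and the gap between two different connections' ISNs depends on the secret, so observing one gives no handle on the other.

```python
import hashlib
import hmac
import os
import time

SEQ_SPACE = 2 ** 32        # TCP sequence numbers are 32 bits
TICK_SECONDS = 4e-6        # the 4 microsecond clock M from the text

# Constructed for this example: a per-boot secret. The text suggests a random
# number or a host secret combined with boot time; here it is simply drawn
# from the OS RNG when the module loads.
HOST_SECRET = os.urandom(32)


def four_microsecond_clock(now=None):
    """M: a counter that advances once every 4 microseconds, wrapped to 32 bits."""
    if now is None:
        now = time.time()
    return int(now / TICK_SECONDS) % SEQ_SPACE


def connection_offset(localhost, localport, remotehost, remoteport, secret=HOST_SECRET):
    """F: a keyed hash of the connection id, truncated to 32 bits.

    Because the key is the host secret, an outsider cannot compute F for a
    connection they do not own, which is exactly the requirement the text
    puts on F.
    """
    conn_id = f"{localhost}:{localport}>{remotehost}:{remoteport}".encode()
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def initial_sequence_number(localhost, localport, remotehost, remoteport,
                            m=None, secret=HOST_SECRET):
    """ISN = M + F(localhost, localport, remotehost, remoteport) mod 2^32.

    m may be passed explicitly so the behaviour is reproducible in tests;
    normally it is read from the clock.
    """
    if m is None:
        m = four_microsecond_clock()
    return (m + connection_offset(localhost, localport, remotehost, remoteport, secret)) % SEQ_SPACE


def cross_connection_gap(conn_a, conn_b, m, secret=HOST_SECRET):
    """Distance (mod 2^32) between the ISNs two connections get at the same
    instant.  With a plain timer this would be zero for every pair; with the
    partitioned scheme it is F(a) - F(b), a value that changes with the secret."""
    isn_a = initial_sequence_number(*conn_a, m=m, secret=secret)
    isn_b = initial_sequence_number(*conn_b, m=m, secret=secret)
    return (isn_a - isn_b) % SEQ_SPACE


if __name__ == "__main__":
    # Constructed addresses: a server, a trusted client, and an unrelated client.
    trusted = ("192.0.2.10", 513, "192.0.2.20", 1023)
    other = ("192.0.2.10", 513, "198.51.100.7", 1023)
    m = four_microsecond_clock()
    print("trusted ISN now :", initial_sequence_number(*trusted, m=m))
    print("trusted ISN +1s :", initial_sequence_number(*trusted, m=m + 250_000))
    print("gap to other    :", cross_connection_gap(trusted, other, m))
```

One second is 250,000 ticks of the 4 microsecond clock, which is why the second print advances by exactly that amount: the sequence numbers inside a space are still incremented "as before". What an observer can no longer do is take the ISN of a connection they opened themselves and add a known constant to land on another connection's space.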