RE: IP Session Hijacking And Spoofing
From: ALBEE,RUSSELL. S FC2 (CV63 CS5) <ALBEER(at)kitty-hawk.navy.mil>
Date: Fri Nov 22 2002 - 08:56:25 EST
"I also failed to understand how the traffic gets back to you if you are telling it to respond to another host. Can someone shine some light on this for me?" - LEHMANN, TODD

I'm FAR from an expert on this, but from what I remember reading about this issue, the traffic does not get back to you, but goes to the IP address that was spoofed.

In case you are wondering what the point of spoofing would be, then, if the traffic doesn't come back to you: this technique could still be used for DoS attacks while hiding the originating machine that sent them. IE my machine at 127.0.0.5 sends a DoS attack to your machine at 127.0.0.8, but tells your machine it came from 127.0.0.3. You check your logs and sic the dogs on the owner of 127.0.0.3 thinking he was DoS'ing you. (127 addresses used for example only, I know 127's are loopback)

Again, this is from what I remember reading about this issue, so don't quote me on this. If anybody who is more familiar with this topic can confirm/deny what I said, I would be appreciative.

Regards,
Russell

The views and/or expressions in this email are my own personal statements and do not represent any endorsement and/or statement from the US Navy.

attached mail follows:

I also failed to understand how the traffic gets back to you if you are telling it to respond to another host. Can someone shine some light on this for me?

When it comes to session hijacking, how does one go about determining the sequence number on a host that uses a random number seed to create the sequence? Is it some form of complex algorithms or is it just impossible unless you create the session?
Todd Lehmann
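
The reply path described in the message above, modeled as a small offline simulation (an added example, not part of the original thread). It reuses the message's illustrative 127.0.0.x addresses; the `Packet` and `Host` classes, the `127.0.0.4/30` customer prefix and the edge source-address filter are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str   # source address as written in the IP header (chosen by the sender)
    dst: str   # destination address, the only field used for delivery
    kind: str  # "SYN" or "SYN-ACK"

@dataclass
class Host:
    addr: str
    log: list = field(default_factory=list)    # source addresses the host recorded
    inbox: list = field(default_factory=list)  # packets that actually arrived here

def ingress_permits(pkt, customer_prefix):
    """Edge-router check: the header source must belong to the attached network."""
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(customer_prefix)

def deliver(hosts, pkt):
    """Deliver by destination; the receiver answers whatever source the header names."""
    target = hosts[pkt.dst]
    target.inbox.append(pkt)
    if pkt.kind == "SYN":
        target.log.append(pkt.src)  # the log can only show the header value
        # The SYN-ACK (which carries the server's sequence number) goes to pkt.src.
        deliver(hosts, Packet(src=target.addr, dst=pkt.src, kind="SYN-ACK"))

def simulate(customer_prefix=None):
    """Constructed scenario: 127.0.0.5 emits a SYN whose header claims 127.0.0.3.

    customer_prefix, if given, is the network behind the sender's edge router;
    packets with a source outside it are dropped before they leave.
    """
    hosts = {a: Host(a) for a in ("127.0.0.3", "127.0.0.5", "127.0.0.8")}
    spoofed = Packet(src="127.0.0.3", dst="127.0.0.8", kind="SYN")
    if customer_prefix is None or ingress_permits(spoofed, customer_prefix):
        deliver(hosts, spoofed)
    return hosts

if __name__ == "__main__":
    for label, prefix in (("no source filtering", None), ("edge filter 127.0.0.4/30", "127.0.0.4/30")):
        h = simulate(prefix)
        print(label)
        print("  127.0.0.8 log    :", h["127.0.0.8"].log)
        print("  127.0.0.3 inbox  :", [p.kind for p in h["127.0.0.3"].inbox])
        print("  127.0.0.5 inbox  :", [p.kind for p in h["127.0.0.5"].inbox])
```

Without filtering, the log on 127.0.0.8 names 127.0.0.3 and the reply lands there, while the real sender receives nothing; with the source check at the sender's edge, the packet never reaches 127.0.0.8.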
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:24 EDT