Paul Ferguson wrote:

> I would very much like to hear opinions on this list, in particular,
> on the intrusion detection analysis track with regards to most
> recent 'IP Spoofing' and 'Hijacked' tcp connection thread.

I agree - especially the hijacking of connections at the other end - I can't see a way to detect this happening, other than through user education (only come from machines that we trust - if you see weird commands, or your connection locks up, something could be going on, &c.)

People here are going to be coming from strange machines that I don't control and that I can't trust to stay cracker-free, so I'm at a bit of a loss here...

Assuming the IP spoofing won't be successful first time, every time, you can detect attempts to spoof the sequence number (I sent a post to firewalls not long ago with a theory on when to do this) and then maybe act against it. I wonder - assuming you can detect this happening, is it worth trying some sort of automatic cut-off that shuts out the offending address for a random number of minutes? In any case, seeing these packets come in at least warns you that you are under attack.

> I would like to enlist the opinions, tacts and input from the list
> members; up until now, this list has been _very_ quiet.

The sorts of attacks we are seeing more often now are the sorts that simple filtering is not really designed to stop (eg stealing open connections) and so more sophisticated intrusion detection would be a good thing to see.

Anthony
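The detect-then-cut-off idea discussed in the message above, as an added illustration that is not part of Anthony's post or of the "firewalls" theory he refers to: the detector below tracks the next sequence number expected in each direction of a connection and treats a segment whose sequence number lands far outside that range as a blind guess. After a configurable number of such guesses from the same claimed source address, that address is quarantined for a random number of minutes, as the post proposes. The tolerance (roughly one maximum TCP window), the strike threshold, the 5 to 30 minute range, the addresses and the traffic are all constructed assumptions. One caveat worth keeping in mind when acting on such alerts: in a spoofing attempt the "offending" source address is the address being forged, so a cut-off keyed on it also silences the legitimate host, which is a reason to keep the quarantine short and to log every strike for a human to review.

```python
import random
from dataclasses import dataclass

# Segments whose sequence number is farther than this from the receiver's
# expectation are treated as guesses by someone who cannot see the
# real conversation (assumed tolerance, about one maximum window).
SEQ_TOLERANCE = 65535
MOD32 = 1 << 32


@dataclass
class Segment:
    """Minimal view of a TCP segment (constructed fields, not a real capture)."""
    ts: float          # seconds since the start of the trace
    src: str
    dst: str
    seq: int
    length: int        # payload bytes
    syn: bool = False


def seq_distance(expected: int, seq: int) -> int:
    """Signed distance seq - expected, honouring 32-bit sequence wrap-around."""
    diff = (seq - expected) % MOD32
    return diff - MOD32 if diff > 0x7FFFFFFF else diff


class SpoofWatch:
    """Track expected sequence numbers per direction and quarantine a claimed
    source address for a random interval once it sends too many out-of-range
    segments. Every strike is also recorded in self.alerts for the operator."""

    def __init__(self, threshold=3, min_minutes=5, max_minutes=30, rng=None):
        self.threshold = threshold
        self.min_minutes = min_minutes
        self.max_minutes = max_minutes
        self.rng = rng if rng is not None else random.Random()
        self.expected = {}       # (src, dst) -> next sequence number expected
        self.strikes = {}        # src -> out-of-range segments seen so far
        self.blocked_until = {}  # src -> timestamp when the quarantine ends
        self.alerts = []         # (ts, src, seq, expected) records

    def quarantine_seconds(self) -> int:
        """Random cut-off length, as the post suggests, in whole minutes."""
        return 60 * self.rng.randint(self.min_minutes, self.max_minutes)

    def process(self, seg: Segment) -> str:
        """Return 'ok', 'spoof' (logged, not yet blocked) or 'blocked'."""
        until = self.blocked_until.get(seg.src)
        if until is not None:
            if seg.ts < until:
                return "blocked"
            del self.blocked_until[seg.src]  # quarantine has expired

        key = (seg.src, seg.dst)
        if seg.syn or key not in self.expected:
            # New connection, or first segment seen in this direction: accept
            # it and start tracking (SYN consumes one sequence number).
            self.expected[key] = (seg.seq + seg.length + int(seg.syn)) % MOD32
            return "ok"

        if abs(seq_distance(self.expected[key], seg.seq)) <= SEQ_TOLERANCE:
            self.expected[key] = (seg.seq + seg.length) % MOD32
            return "ok"

        # Out of range: log it and count a strike against the claimed source.
        self.alerts.append((seg.ts, seg.src, seg.seq, self.expected[key]))
        self.strikes[seg.src] = self.strikes.get(seg.src, 0) + 1
        if self.strikes[seg.src] >= self.threshold:
            self.strikes[seg.src] = 0
            self.blocked_until[seg.src] = seg.ts + self.quarantine_seconds()
            return "blocked"
        return "spoof"


def demo():
    """Run a constructed trace through the detector; returns (verdicts, watch)."""
    watch = SpoofWatch(threshold=3, rng=random.Random(7))
    trace = [
        Segment(0.0, "10.0.0.5", "10.0.0.9", seq=1000, length=0, syn=True),
        Segment(0.1, "10.0.0.5", "10.0.0.9", seq=1001, length=100),
        Segment(0.2, "10.0.0.5", "10.0.0.9", seq=1101, length=50),
        # Three segments claiming to be 10.0.0.5 with sequence numbers nowhere
        # near the conversation: the signature of blind guessing.
        Segment(0.3, "10.0.0.5", "10.0.0.9", seq=2_000_000_000, length=10),
        Segment(0.4, "10.0.0.5", "10.0.0.9", seq=2_000_100_000, length=10),
        Segment(0.5, "10.0.0.5", "10.0.0.9", seq=2_000_200_000, length=10),
        # Even an in-range segment is dropped while the quarantine is active.
        Segment(0.6, "10.0.0.5", "10.0.0.9", seq=1151, length=20),
    ]
    return [watch.process(s) for s in trace], watch


if __name__ == "__main__":
    verdicts, watch = demo()
    print(verdicts)
    for alert in watch.alerts:
        print("out-of-range segment:", alert)
```

The expected next sequence number is only advanced by in-range segments, so a run of guesses cannot drag the tracker along with it; a real resynchronisation of the connection would show up as a new SYN, which resets the state for that direction.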