Re: IP spoofing -- assessment

anthony baxter (anthony.baxter@aaii.oz.au)
Wed, 25 Jan 1995 18:10:31 +1100

Paul Ferguson wrote:
> I would very much like to hear opinions on this list, in particular,
> on the intrusion detection analysis track with regards to most
> recent 'IP Spoofing' and 'Hijacked' tcp connection thread.

I agree - especially the hijacking of connections at the other end -
I can't see a way to detect this happening, other than through user
education (only come from machines that we trust - if you see weird
commands, or your connection locks up, something could be going on, &c.)
People here are going to be coming from strange machines that I don't
control and that I can't trust to stay cracker-free, so I'm at a bit of
a loss here...

Assuming the IP spoofing won't be successful first time, every time, you
can detect attempts to spoof the sequence number (I sent a post to firewalls
not long ago with a theory on when to do this) and then maybe act against it.
I wonder - assuming you can detect this happening, is it worth trying some
sort of automatic cut-off that shuts out the offending address for a random
number of minutes? In any case, seeing these packets come in at least warns
you that you are under attack.

> I would like to enlist the opinions, tacts and input from the list
> members; up until now, this list has been _very_ quiet.

The sorts of attacks we are seeing more often now are the sorts that
simple filtering is not really designed to stop (eg stealing open
connections) and so more sophisticated intrusion detection would be a
good thing to see.

Anthony