
Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)



On Mon, Jan 29, 2001 at 12:33:03PM +0000, thomas lakofski wrote:
> On Wed, 24 Jan 2001, Mark Suter wrote:
> 
> > The only way under IPv4 be safe from spoofing is for everyone to
> > implement proper Network Ingress Filtering [RFC2827, BCP0038] on
> > their networks.  Please, read this RFC.
> >
> >     http://www.faqs.org/rfc/rfc2827.txt
> 
> bah.  all this talk about portsentry being dangerous forgets that you can also
> run it so it only triggers after a full TCP connect.  while not un-spoofable,
> it's very hard for an attacker to spoof as they have to be in-line between your
> host and the host they're trying to spoof.  plus, they'll have a task guessing
> sequence numbers.

 Not true.  To spoof a TCP connection, you need to guess the initial
sequence number, and you need to stop RST packets from the spoofed host from
reaching the host under attack, or else the host under attack will reset the
TCP connection.  If you are in-line with the host under attack, you can see
the return traffic, and then you don't need to guess at the sequence number
even.  You will be able to block the return traffic from ever reaching the
spoofed host.  However, another way to accomplish the blocking is to DoS the
spoofed host.

 I don't remember where I read this, either in an RFC, or in the book
"Practical Unix and Internet Security".

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
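As an added illustration of the handshake mechanics discussed in this exchange (a constructed model written for this page, not code from the thread or from portsentry itself): the simulation below compares a sentry that reacts to a bare SYN with one that reacts only after a completed handshake, under the three conditions named above (spoofed host answers with RST, spoofed host silenced and attacker off-path, attacker in-line and able to see the SYN-ACK). Function and parameter names are invented for the example.

```python
"""Model of why a sentry that triggers only after a completed TCP handshake
is hard to fool with a forged source address (constructed example)."""
import random

MASK32 = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


def spoofed_connect(spoofed_host_answers: bool, attacker_on_path: bool,
                    seed: int = 0) -> dict:
    """Simulate one connection attempt whose SYN carries a forged source.

    spoofed_host_answers: the host whose address was forged is up and
        receives the SYN-ACK (False models it being DoSed or cut off in-line).
    attacker_on_path: the attacker can observe the server's SYN-ACK.
    Returns which sentry modes fired: 'syn_trigger' (reacts to a bare SYN)
    and 'connect_trigger' (reacts only after the handshake completes).
    """
    rng = random.Random(seed)
    server_isn = rng.getrandbits(32)   # server's initial sequence number
    client_isn = rng.getrandbits(32)   # chosen by the attacker, any value works
    result = {"syn_trigger": False, "reset": False, "connect_trigger": False}

    # 1. Forged SYN arrives.  A SYN-only sentry fires now and would block
    #    whatever address the attacker put in the packet.
    result["syn_trigger"] = True

    # 2. Server sends SYN-ACK (seq=server_isn, ack=client_isn+1) to the forged
    #    address, not to the attacker.
    syn_ack_seq, syn_ack_ack = server_isn, (client_isn + 1) & MASK32

    # 3. A reachable spoofed host has no such connection and replies RST,
    #    tearing down the half-open connection before any trigger.
    if spoofed_host_answers:
        result["reset"] = True
        return result

    # 4. To finish the handshake the attacker must ACK server_isn+1.  On-path
    #    it saw the SYN-ACK; blind, it must guess a 32-bit value.
    if attacker_on_path:
        final_ack = (syn_ack_seq + 1) & MASK32
    else:
        final_ack = rng.getrandbits(32)

    if final_ack == (server_isn + 1) & MASK32:
        result["connect_trigger"] = True   # connect-mode sentry fires only here
    return result
```

Run with `spoofed_connect(True, False)` to see the RST case; a SYN-only sentry fires in every branch, the connect-mode one only when the return path is both silenced and observed.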


