AAAAAAAAACCCCCCCCCCCCHHHHHHHHHHHHHHHHHHHHKKKKKKKKKKKKKKKKKK

And I was just about to have breakfast.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Monday, September 27, 2004 8:26 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof attack and Blind IP Spoof attack
>
> http://www.ISAserver.org
>
> Exactly. Pretty tricky those SBS list guys. Caught me with my pants down :-\
>
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Monday, September 27, 2004 9:55 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof attack and Blind IP Spoof attack
>
> http://www.ISAserver.org
>
> Hi Troy,
>
> Actually, it's even worse than that.
> In the Yahoo SBS list, the "friendly name" in the "to" field is the person, while the actual "to" address is the list; unlike in the ISA listserver...
> If not for that, Tom and I would have been able to see that the "to" needed changing...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
> ----- Original Message -----
> From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, September 27, 2004 06:36
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof attack and Blind IP Spoof attack
>
> http://www.ISAserver.org
>
> Yeah, big difference in "reply-to" and "reply-to all" buttons.... One should be big and green, the other small and red with a big skull and crossbones next to it..... Been there, done that, it sucks.....
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Monday, September 27, 2004 8:30 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof attack and Blind IP Spoof attack
>
> http://www.ISAserver.org
>
> Apparently, you didn't get the mail that Tom and I thought was private, but actually went to the list.
> Lesson: make sure you KNOW where the mail is headed...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
> On Mon, 27 Sep 2004 08:23:49 -0400
> "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> http://www.ISAserver.org
>
> You guys are very patient. I'd probably just ignore him, but then that would feed his ego. I finally started getting mail from that group this weekend. What a mess. Keep up the good work.
>
> Amy
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Sunday, September 26, 2004 4:54 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof attack and Blind IP Spoof attack
>
> http://www.ISAserver.org
>
> I knew when he said that he had the last word that the last word really wouldn't happen in our lifetime :-)
>
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Sunday, September 26, 2004 4:51 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Fw: [sbs list] OT: Description Active IP Spoof attack and Blind IP Spoof attack
>
> http://www.ISAserver.org
>
> <sigh>
> We thought we'd won, but the little yappy dog just won't give up...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: <sbs2k@xxxxxxxxxxxxxxx>
> Sent: Sunday, September 26, 2004 14:48
> Subject: Re: [sbs list] OT: Description Active IP Spoof attack and Blind IP Spoof attack
>
> My God; you're like a Chihuahua with a stinky fish.
>
> The ISN "vulnerability" that you lay so much stock in
> IS
> LONG
> SINCE
> FIXED
> IN
> WINDOWS!!
> Compromise all the Cisco devices you want; Win2K and later won't play.
> TCP Sequence Numbering was never intended to provide any security mechanism; it's nothing more than a way for the TCP/IP stack to reassemble packets that may arrive out of sequence and respond "in context" to any packet received. ..hence, the term "Sequence Number".
> Again, a 3-second Google search reveals a much better (read: accurate) description of the three-way handshake:
> http://www.freesoft.org/CIE/Course/Section4/9.htm
> ..you'll notice (assuming you even scan the above article) that at no time is any form of SN used to provide any form of "security".
>
> In order for the attacker to receive packets destined for an IP not owned by the attacker machine,
> IT
> MUST
> OWN
> ALL
> INTERMEDIATE
> ROUTERS
> This is the one place where you almost reach a sense of accuracy; it's the sheer scale of the required actions that makes this "issue" far less of a potential, much less real, problem than you clearly believe it to be.
>
> Your description of "stateful" is conveniently limited enough to make your ramblings sound almost plausible, but as is the case with all of your ramblings, it falls far short of a logical determination.
> Your logic can be best summed up as "I think (I think)".
> As I and many others have responded to you in numerous private and public threads (which always seem to "end" and resurface as different threads in new forums, etc.), until you can provide proof of concept according to accepted standards, you merely generate noise and confusion (see Simon Weaver's response to your "final posting").
>
> Since you are clearly unable to produce more than regurgitated, unfounded claims, I have no choice but to ask you to please step away from the keyboard.
>
> Here's one last reference for you to study (there will be a quiz later, so give it a really good looking over):
> http://www.hosstyle.com/cupof.htm
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
> ----- Original Message -----
> From: "Tony Su" <tonysu@xxxxxxxxxxxxxxxxx>
> To: <sbs2k@xxxxxxxxxxxxxxx>
> Sent: Sunday, September 26, 2004 13:42
> Subject: [sbs list] OT: Description Active IP Spoof attack and Blind IP Spoof attack
>
> For those who are curious about what a Blind IP Spoof attack is and what an Active IP Spoof attack is, so you'd know how to recognize if something like these are happening...
>
> Here are some thumbnails I'll try to make as non-technical as possible.
>
> First, in both cases a base understanding of the "Three way handshake" is required, which is required in all TCP/IP connections. More extensive descriptions with the actual commands can be found, but this is a very brief description.
>
> Client machine makes initial connection to Server, includes a number it will use for the ISN which is based on a complicated algorithm. All other packets returned during this session will be incremented by one starting from the ISN, and this is the "security." If any packet arrives at the Server with the wrong number, it will be discarded.
>
> Server returns a packet acknowledging receipt of the "secret" Client ISN, and sends its own ISN to the Client which the Client will use for evaluating security exactly as on the Server. This includes the Client's ISN incremented by one to "prove" identity.
>
> Client sends a packet back to the Server acknowledging receipt of the Server's ISN and is ready to commence the data exchange portion of the session.
>
> Active IP Spoofing
> After a valid session by a real client is in progress with a Server, a compromised router "in the middle" can capture, monitor and maybe even store the traffic.
>
> At some point the Attacker on this compromised router can feel he has accumulated sufficient information about the session to create a DoS against one of the two machines (I'll say the Client in this example) to take it offline and step in impersonating the offline machine. In this case, the victim (the Server) believes it's still communicating with the offline machine because the sequence numbers are still consecutive and the data from the Attacker is consistent with the overall "conversation."
>
> This is an "Active" IP Spoof because the Attacker is actively carrying on the conversation with the victim.
>
> This attack is not too difficult to execute but requires compromising an intermediate router. Also, I do not know of any way that this attack can be carried out against a Loopback address unless the Victim is also compromised (ie. redirecting the loopback address).
>
> Blind IP Spoofing
> In this case, the Attacker does not require compromising an intermediate router, but relies instead on guessing the ISN. The ISN does not have to be guessed exactly with a single guess; the Cisco vulnerability earlier this year demonstrated that it's only necessary to accurately guess a number of likely candidate numbers. That number of candidate numbers probably varies according to what kinds of defenses the Victim might employ recognizing an unusual number of improper ISNs (usually no defense) and available bandwidth. Also, according to my analysis any ISA or Windows event might actually be the result of tens, or hundreds, of dropped packets, not the single packet you might expect. Only a NetMon trace is likely going to provide enough detail if wished.
>
> Although Blind IP Spoofing is thought to be very difficult, there are numerous recountings of how an attacker can probe to discover the likely "next" ISN, ie. make an initial valid connection and maybe even a series of connections to attempt to discover a pattern. If the Attacker can be assured of constructing the next session, then the ISN algorithm's strength is all important, making it difficult to guess because the Attacker <knows> that the next number will be based on the last number of the previous session.
>
> I suspect though that it's more likely that when discussing a possible SMTP Blind Spoof attack for the purpose of massive spamming, the attack makes most sense being made against broad subnet address ranges so that a "try" is being made against any number of machines simultaneously. I have not analyzed this last method too much but feel it's logical and therefore likely... and is consistent with spamming attacks because spammers are indiscriminate looking for vulnerable machines.
>
> So, in a Blind IP Spoof attack, the Attacker needs to guess the victim's ISN and there are a number of ways to improve the probability of success. The other thing to note is that an ISN's degree of vulnerability is entirely based on mathematics; there is no such thing as impossible, only the degree of difficulty, and when Microsoft last modified the ISN algorithm it injected a TimeDate stamp parameter which I believe has shortcomings because it's a publicly available parameter. IMO it would have been better, and maybe the next modification will have, a private, machine-specific parameter which also might be re-cycled/re-calculated periodically so that, like Passwords, an Attacker can't assume that <every> Windows machine will calculate the ISN exactly the same way or be the same long enough to discover what the proper calculation is.
>
> Note that although the ISN is guessed, in a Blind Spoof Attack the victim's responses never are actually passed to the Attacker because the Attacker hasn't "acquired" the spoofed address which would enable the packets to be routed to him. In the case of 127.0.0.1, this is why Active Spoofing can't be a possibility but Blind IP Spoofing is. All outbound packets from the victim are routed into a black hole and disappear.
>
> So, let's take a look at what happens.
> Attacker constructs a three way handshake with the Victim without any return packets, ie.
> Attacker initiates session sending its ISN
> Victim responds acknowledging receipt of Attacker's ISN and sends its own ISN
> Attacker never receives Victim's ISN but has guessed the Server's ISN, so sends the next packet with the guessed sequence number.
> Victim accepts the packet because it has the correct sequence number and sends a response with the next sequence number.
> Attacker continues sending packets with guessed sequence numbers without receiving any in return, anticipating at every step of the way the response of the victim.
>
> Hence, the "Blind" part of this method... The Attacker is completely blind but can anticipate and predict completely the responses of the Victim, and in the case of SMTP, the "conversation" is completely predictable because in an anonymous exchange of commands the destination server does little more than say, "I got it, next."
>
> My last comment regarding "Stateful Inspection" is that whether this will be effective combating any kind of IP Spoofing (and other situations) will depend on how it's implemented, but AFAIK a minimal approach based on the IPv4 specification does not provide sufficient basis to detect what I've described here. When a Blind IP Spoof victim sends packets to 127.0.0.1 (for example, which would be an obvious spoof if it actually originated on the machine), it will consider the session complying with "statefulness" until the packet is considered dropped and as long as packets do not carry some unique parameter (ie. IPSec). And, since the next response is received as expected from the same spoofed IP address, the previous packet is considered delivered and statefulness is maintained.
>
> Tony Su
>
> As well you can find more info at http://groups.yahoo.com/group/sbs2k
> Yahoo! Groups Links
>
> <*> To visit your group on the web, go to:
> http://groups.yahoo.com/group/sbs2k/
>
> <*> To unsubscribe from this group, send an email to:
> sbs2k-unsubscribe@xxxxxxxxxxxxxxx
>
> <*> Your use of Yahoo! Groups is subject to:
> http://docs.yahoo.com/info/terms/
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
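As an added example (not part of the thread, and not code from anyone in it), the following Python simulation models the probe-then-predict ISN guess Tony describes against two toy ISN generators: an old clock-plus-constant scheme, and the secret-keyed construction of RFC 1948 / RFC 6528 that modern stacks implement, which is essentially the "private, machine-specific parameter" he asks for. No packets are sent; the addresses, ports, clock ticks, per-connection increment and secret are all constructed for the example, and SHA-256 stands in for the RFC's MD5.

```python
"""Toy model of TCP ISN selection and the probe-then-predict guess from the thread.

Constructed example, no network I/O. The weak generator is modeled on the classic
BSD scheme (RFC 793 4-microsecond clock plus a fixed per-connection step); the
hardened one follows RFC 1948 / RFC 6528 (clock plus a secret-keyed hash of the
4-tuple), with SHA-256 standing in for MD5 as an assumption of this example.
"""
import hashlib
import struct

MOD = 1 << 32
PER_CONN_INCR = 64_000   # modeled per-connection bump of the old scheme
TICKS_PER_MS = 250       # RFC 793 clock: one tick every 4 microseconds


def isn_predictable(tick, conn_count, _four_tuple=None, _secret=None):
    """Old-style ISN: global clock plus a constant step per connection."""
    return (tick + PER_CONN_INCR * conn_count) % MOD


def isn_keyed(tick, _conn_count, four_tuple, secret):
    """RFC 6528-style ISN. The offset depends on the peer and a secret, not on
    how many connections came before, so one observed ISN says nothing about
    the ISN a different (or spoofed) source will be handed next."""
    local_ip, local_port, remote_ip, remote_port = four_tuple
    msg = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
    f = struct.unpack(">I", hashlib.sha256(secret + msg).digest()[:4])[0]
    return (tick + f) % MOD


class ToyServer:
    """Hands out an ISN on SYN; completes the handshake only if the ACK carries
    exactly that ISN + 1 (the 'wrong number, discarded' rule in the thread)."""

    def __init__(self, ip, port, isn_func, secret=b"constructed-secret"):
        self.ip, self.port, self.isn_func, self.secret = ip, port, isn_func, secret
        self.conn_count = 0
        self.half_open = {}  # (remote_ip, remote_port) -> ISN we sent

    def on_syn(self, remote_ip, remote_port, tick):
        self.conn_count += 1
        tup = (self.ip, self.port, remote_ip, remote_port)
        isn = self.isn_func(tick, self.conn_count, tup, self.secret)
        self.half_open[(remote_ip, remote_port)] = isn
        return isn  # SYN/ACK is routed to remote_ip, whoever really sent the SYN

    def on_ack(self, remote_ip, remote_port, ack_num):
        isn = self.half_open.get((remote_ip, remote_port))
        return isn is not None and (isn + 1) % MOD == ack_num % MOD


def blind_guess_succeeds(isn_func, probe_tick=2_500_000, spoof_tick=2_501_000):
    """Probe-then-predict: open one legitimate connection, read its ISN, assume
    the next SYN the server handles (from a source whose replies are never seen)
    gets the old per-connection step plus the clock advance, and try a window of
    candidates around that guess (+-1 ms of jitter). True if any ACK completes."""
    srv = ToyServer("192.0.2.10", 25, isn_func)
    seen = srv.on_syn("198.51.100.7", 40000, probe_tick)  # legitimate probe
    srv.on_syn("127.0.0.1", 40001, spoof_tick)             # spoofed SYN; SYN/ACK lost
    guess = seen + PER_CONN_INCR + (spoof_tick - probe_tick)
    candidates = [guess + k * TICKS_PER_MS for k in range(-4, 5)]
    return any(srv.on_ack("127.0.0.1", 40001, c + 1) for c in candidates)
```

With the clock-plus-constant generator the guess window completes the spoofed handshake; with the keyed generator the same probe gives the attacker nothing usable, which is the defensive point behind per-connection secret-keyed ISNs.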