RE: Fw: [sbs list] OT: Description Active IP Spoof attack and Blind IP Spoof attack

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Sep 2004 08:38:35 -0700

AAAAAAAAACCCCCCCCCCCCHHHHHHHHHHHHHHHHHHHHKKKKKKKKKKKKKKKKKK

And I was just about to have breakfast.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Monday, September 27, 2004 8:26 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof
> attack and Blind IP Spoof attack
> 
> http://www.ISAserver.org
> 
> Exactly. Pretty tricky those SBS list guys. Caught me with my pants down
> :-\
> 
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Monday, September 27, 2004 9:55 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof
> attack and Blind IP Spoof attack
> 
> 
> http://www.ISAserver.org
> 
> Hi Troy,
> 
> Actually, it's even worse than that.
> In the Yahoo SBS list, the "friendly name" in the "to" field is the
> person, while the actual "to" address is the list; unlike in the
> ISA listserver...
> If not for that, Tom and I would have been able to see that the "to"
> needed changing...
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> ----- Original Message -----
> From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, September 27, 2004 06:36
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof
> attack and Blind IP Spoof attack
> 
> 
> http://www.ISAserver.org
> 
> Yeah, big difference in "reply-to" and "reply-to all" buttons.... One
> should be big and green, the other small and red with big skull and
> crossbones next to it.....  Been there, done that, it sucks.....
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Monday, September 27, 2004 8:30 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof
> attack
> and Blind IP Spoof attack
> 
> 
> http://www.ISAserver.org
> 
> Apparently, you didn't get the mail that Tom and I thought was private,
> but actually went to the list.
> Lesson: make sure you KNOW where the mail is headed...
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> On Mon, 27 Sep 2004 08:23:49 -0400
>  "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> http://www.ISAserver.org
> 
> You guys are very patient. I'd probably just ignore him, but then that
> would feed his ego. I finally started getting mail from that group this
> weekend. What a mess. Keep up the good work.
> 
> Amy
> 
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Sunday, September 26, 2004 4:54 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Fw: [sbs list] OT: Description Active IP Spoof
> attack and Blind IP Spoof attack
> 
> http://www.ISAserver.org
> 
> I knew when he said that he had the last word that the last word really
> wouldn't happen in our lifetime :-)
> 
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Sunday, September 26, 2004 4:51 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Fw: [sbs list] OT: Description Active IP Spoof attack
> and Blind IP Spoof attack
> 
> 
> http://www.ISAserver.org
> 
> <sigh>
> We thought we'd won, but the little yappy dog just won't give up...
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: <sbs2k@xxxxxxxxxxxxxxx>
> Sent: Sunday, September 26, 2004 14:48
> Subject: Re: [sbs list] OT: Description Active IP Spoof attack and Blind
> IP Spoof attack
> 
> 
> My God; you're like a Chihuahua with a stinky fish.
> 
> The ISN "vulnerability" that you lay so much stock in
> IS
> LONG
> SINCE
> FIXED
> IN
> WINDOWS!!
> Compromise all the Cisco devices you want; Win2K and later won't play.
> TCP Sequence Numbering was never intended to provide any security
> mechanism; it's nothing more than a way for the TCP/IP stack to
> reassemble packets that may arrive out of sequence and respond "in
> context" to any packet received.  ..hence, the term "Sequence
> Number".
> Again, a 3-second Google search reveals a much better (read: accurate)
> description of the three-way handshake:
> http://www.freesoft.org/CIE/Course/Section4/9.htm
> ..you'll notice (assuming you even scan the above article) that at no
> time is any form of SN used to provide any form of "security".
> 
> In order for the attacker to receive packets destined for an IP not
> owned by the attacker machine,
> IT
> MUST
> OWN
> ALL
> INTERMEDIATE
> ROUTERS
> This is the one place where you almost reach a sense of accuracy; it's
> the sheer scale of the required actions that make this
> "issue" far less of a potential, much less real problem than you clearly
> believe it to be.
> 
> Your description of "stateful" is conveniently limited enough to make
> your ramblings sound almost plausible, but as is the case with
> all of your ramblings, it falls far short of a logical determination.
> Your logic can be best summed up as "I think (I think)".
> As I and many others have responded to you in numerous private and
> public threads (which always seem to "end" and resurface as
> different threads in new forums, etc.), until you can provide proof of
> concept according to accepted standards, you merely generate
> noise and confusion (see Simon Weaver's response to your "final
> posting").
> 
> Since you are clearly unable to produce more than regurgitated,
> unfounded claims, I have no choice but to ask you to please step
> away from the keyboard.
> 
> Here's one last reference for you to study (there will be a quiz
> later, so give it a really good looking over):
> http://www.hosstyle.com/cupof.htm
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> ----- Original Message -----
> From: "Tony Su" <tonysu@xxxxxxxxxxxxxxxxx>
> To: <sbs2k@xxxxxxxxxxxxxxx>
> Sent: Sunday, September 26, 2004 13:42
> Subject: [sbs list] OT: Description Active IP Spoof attack and Blind IP
> Spoof attack
> 
> 
> For those who are curious about what a Blind IP Spoof attack is and what
> an Active IP Spoof attack is, so you'd know how to recognize if
> something like these is happening...
> 
> Here are some thumbnails I'll try to make as non-technical as possible.
> 
> First, in both cases a basic understanding of the "Three way handshake"
> is required, which is required in all TCP/IP connections.
> More extensive descriptions with the actual commands can be found, but
> this is a very brief description.
> 
> Client machine makes initial connection to Server, includes a number it
> will use for the ISN which is based on a complicated
> algorithm. All other packets returned during this session will be
> incremented by one starting from the ISN, and this is the
> "security." If any packet arrives at the Server with the wrong number,
> it will be discarded.
> 
> Server returns a packet acknowledging receipt of the "secret" Client
> ISN, and sends its own ISN to the Client which the Client will
> use for evaluating security exactly as on the Server. This includes the
> Client's ISN incremented by one to "prove" identity.
> 
> Client sends a packet back to the Server acknowledging receipt of the
> Server's ISN and is ready to commence the data exchange
> portion of the session.
> 
> Active IP Spoofing
> After a valid session by a real client is in progress with a Server, a
> compromised router "in the middle" can capture, monitor and
> maybe even store the traffic.
> 
> At some point the Attacker on this compromised router can feel he has
> accumulated sufficient information about the session to create
> a DoS against one of the two machines (I'll say the Client in this
> example) to take it offline and step in impersonating the offline
> machine. In this case, the victim (The Server) believes it's still
> communicating with the offline machine because the sequence
> numbers are still consecutive and the data from the Attacker is
> consistent with the overall "conversation."
> 
> This is an "Active" IP Spoof because the Attacker is actively carrying
> on the conversation with the victim.
> 
> This attack is not too difficult to execute but requires compromising an
> intermediate router. Also, I do not know of any way that
> this attack can be carried out against a Loopback address unless the
> Victim is also compromised (ie. redirecting the loopback
> address)
> 
> Blind IP Spoofing
> In this case, the Attacker does not require compromising an intermediate
> router, but relies instead on guessing the ISN. The ISN
> does not have to be guessed exactly with a single guess, the Cisco
> vulnerability earlier this year demonstrated that it's only
> necessary to accurately guess a number of likely candidate numbers, that
> number of candidate numbers probably varies according to
> what kinds of defenses the Victim might employ recognizing an unusual
> number of improper ISNs (usually no defense) and available
> bandwidth. Also, according to my analysis any ISA or Windows event might
> actually be the result of tens, or hundreds of dropped
> packets, not a single packet you might expect. Only a NetMon trace is
> likely going to provide enough detail if wished.
> 
> Although Blind IP Spoofing is thought to be very difficult, there are
> numerous recountings how an attacker can probe to discover the
> likely "next" ISN, ie. make an initial valid connection and maybe even a
> series of connections to attempt to discover a pattern. If
> the Attacker can be assured of constructing the next session, then the
> ISN algorithm's strength is all important making it difficult
> to guess because the Attacker <knows> that the next number will be based
> on the last number of the previous session.
> 
> I suspect though that it's more likely that when discussing a possible
> SMTP Blind Spoof attack for the purpose of massive spamming,
> the attack makes most sense being made against broad subnet address
> ranges so that a "try" is being made against any number of
> machines simultaneously. I have not analyzed this last method too much
> but feel it's logical and therefore likely... and is
> consistent with spamming attacks because spammers are indiscriminate
> looking for vulnerable machines.
> 
> So, in a Blind IP Spoof attack, the Attacker needs to guess the victim's
> ISN and there are a number of ways to improve the
> probability of success. The other thing to note is that an ISN's degree
> of vulnerability is entirely based on mathematics, there is
> no such thing as impossible, only the degree of difficulty and when
> Microsoft last modified the ISN algorithm it injected a TimeDate
> stamp parameter which I believe has shortcomings because it's a publicly
> available parameter. IMO it would have been better and
> maybe the next modification will have a private, machine-specific
> parameter which also might be re-cycled/re-calculated periodically
> so that like Passwords an Attacker can't assume that <every> Windows
> machine will calculate the ISN exactly the same way or be the
> same long enough to discover what the proper calculation is.
> 
> Note that although the ISN is guessed, in a Blind Spoof Attack, the
> victim's responses never are actually passed to the Attacker
> because the Attacker hasn't "acquired" the spoofed address which would
> enable the packets to be routed to him. In the case of
> 127.0.0.1, this is why Active Spoofing can't be a possibility but Blind
> IP Spoofing is. All outbound packets from the victim are
> routed into a black hole and disappear.
> 
> So, let's take a look at what happens.
> Attacker constructs a three way handshake with the Victim without any
> return packets, ie.
> Attacker initiates session sending its ISN
> Victim responds acknowledging receipt of Attacker's ISN and sends its
> own ISN
> Attacker never receives Victim's ISN but has guessed the Server's ISN,
> so sends the next packet with the guessed sequence number.
> Victim accepts the packet because it has the correct sequence number and
> sends a response with the next sequence number.
> Attacker continues sending packets with guessed sequence numbers without
> receiving any in return anticipating at every step of the
> way the response of the victim.
> 
> Hence, the "Blind" part of this method... The Attacker is completely
> blind but can anticipate and predict completely the responses
> of the Victim, and in the case of SMTP, the "conversation" is completely
> predictable because in an anonymous exchange of commands
> the destination server does little more than say, "I got it, next."
> 
> My last comment regarding "Stateful Inspection" is that whether this
> will be effective combating any kind of IP Spoofing (and other
> situations) will depend on how it's implemented, but AFAIK a minimal
> approach based on the IPv4 specification does not provide
> sufficient basis to detect what I've described here. When a Blind IP
> Spoof victim sends packets to 127.0.0.1 (for example, which would
> be an obvious spoof if it actually originated on the machine), it will
> consider the session complying with "statefulness" until the
> packet is considered dropped and as long as packets do not carry some
> unique parameter (ie. IPSec). And, since the next response is
> received as expected from the same spoofed IP address, the previous
> packet is considered delivered and statefulness is maintained.
> 
> Tony Su
> 
> As well you can find more info at http://groups.yahoo.com/group/sbs2k
> Yahoo! Groups Links
> 
> <*> To visit your group on the web, go to:
>     http://groups.yahoo.com/group/sbs2k/
> 
> <*> To unsubscribe from this group, send an email to:
>     sbs2k-unsubscribe@xxxxxxxxxxxxxxx
> 
> <*> Your use of Yahoo! Groups is subject to:
>     http://docs.yahoo.com/info/terms/
> 
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
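As an added illustration, not part of any message in this thread and not code from any of its authors, the following Python model puts the two positions above side by side: the three-way handshake Tony Su describes, in which a listener discards a final ACK whose acknowledgement number does not match the ISN it actually sent, and Jim Harrison's point that the outcome is decided by the quality of the ISN generator. `PredictableISN` is a constructed stand-in for a fixed-step generator (not any real stack's algorithm), `RandomISN` a stand-in for a per-connection randomised one, and all IP addresses and sequence numbers are constructed. `isn_predictable` is the kind of check a defender can run over ISNs handed out by their own listener: a constant difference between consecutive connections means the next value can be extrapolated without ever seeing a SYN-ACK, which is exactly the case the randomised generator closes.

```python
import os
from dataclasses import dataclass

MOD = 2 ** 32                      # sequence numbers wrap at 32 bits
SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment: only the fields the handshake needs."""
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset


class PredictableISN:
    """Constructed weak generator: each new connection gets the previous ISN
    plus a fixed step, so one observed ISN reveals every later one."""
    def __init__(self, start=1000, step=64000):
        self.last, self.step = start, step

    def next_isn(self):
        self.last = (self.last + self.step) % MOD
        return self.last


class RandomISN:
    """Constructed stand-in for a randomised per-connection ISN (OS CSPRNG)."""
    def next_isn(self):
        return int.from_bytes(os.urandom(4), "big")


class Listener:
    """Server side of the handshake. A half-open entry records the ISN we sent
    and the sequence number we expect back; the final ACK must match both."""
    def __init__(self, ip, isn_gen):
        self.ip, self.isn_gen = ip, isn_gen
        self.half_open = {}        # peer -> (server_isn, expected_peer_seq)
        self.established = set()
        self.dropped = 0

    def receive(self, seg):
        if seg.dst != self.ip:
            return None
        if seg.flags == SYN:
            isn = self.isn_gen.next_isn()
            self.half_open[seg.src] = (isn, (seg.seq + 1) % MOD)
            return Segment(self.ip, seg.src, isn, (seg.seq + 1) % MOD, SYN_ACK)
        if seg.flags == ACK and seg.src in self.half_open:
            isn, want_seq = self.half_open[seg.src]
            if seg.ack == (isn + 1) % MOD and seg.seq == want_seq:
                del self.half_open[seg.src]
                self.established.add(seg.src)
                return None
        # Wrong ack/seq or no matching half-open entry: the segment is discarded.
        self.dropped += 1
        return None


def complete_handshake(listener, client_ip, client_isn=4242):
    """Legitimate client: it sees the SYN-ACK, so its ACK carries server_isn + 1."""
    syn_ack = listener.receive(Segment(client_ip, listener.ip, client_isn, 0, SYN))
    listener.receive(Segment(client_ip, listener.ip, syn_ack.ack,
                             (syn_ack.seq + 1) % MOD, ACK))
    return client_ip in listener.established


def handshake_with_unseen_syn_ack(listener, peer_ip, assumed_isn, client_isn=4242):
    """Peer that never receives the SYN-ACK (the situation the thread describes
    for a source address that is not routed back to the sender) and fills the
    ACK field from `assumed_isn` instead. True only if the listener accepted it."""
    listener.receive(Segment(peer_ip, listener.ip, client_isn, 0, SYN))
    listener.receive(Segment(peer_ip, listener.ip, (client_isn + 1) % MOD,
                             (assumed_isn + 1) % MOD, ACK))
    return peer_ip in listener.established


def isn_predictable(samples):
    """Defender-side check: True if consecutive ISNs differ by a constant step."""
    diffs = {(b - a) % MOD for a, b in zip(samples, samples[1:])}
    return len(diffs) == 1


def run_model():
    results = {}
    for name, gen_cls in (("predictable", PredictableISN), ("random", RandomISN)):
        listener = Listener("10.0.0.5", gen_cls())          # constructed address
        results[f"{name}/legit"] = complete_handshake(listener, "10.0.0.7")
        # Sample the ISNs handed to five ordinary connections, as an audit would.
        samples = [listener.receive(Segment(f"10.0.1.{i}", listener.ip, 1, 0, SYN)).seq
                   for i in range(5)]
        results[f"{name}/isn_predictable"] = isn_predictable(samples)
        # Extrapolate the next ISN from the last two observed values only.
        assumed = (samples[-1] + (samples[-1] - samples[-2])) % MOD
        results[f"{name}/unseen_syn_ack_accepted"] = handshake_with_unseen_syn_ack(
            listener, "192.0.2.9", assumed)
        results[f"{name}/dropped"] = listener.dropped
    return results


if __name__ == "__main__":
    for key, value in run_model().items():
        print(f"{key}: {value}")
```

With the fixed-step generator the extrapolated value matches and the listener accepts an ACK from a peer that never saw the SYN-ACK; with the randomised generator the same extrapolation is off by an unpredictable 32-bit amount and the segment is dropped, while the legitimate client completes either way. The model stops at the handshake and exchanges no real packets; its purpose is the comparison of the two generators, not a reproduction of the stack.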