TCP Spoofing Details


Dear all,

I would like to get some details on the tcp spoofing attack.

I thought it involved source routing (IP option), but this is supposed
to affect only the attacker's packets, not the replies. Doesn't
source routing affect the reply route in one way or another?

Does anyone have proof-of-concept source code?

Kind regards
Ludovic Joly

Re: TCP Spoofing Details


I have to correct my response in the other thread.  I just checked RFC
793, and it says:

    If the lower level is IP (or other protocol that provides this
    feature) and source routing is used, the interface must allow the
    route information to be communicated.  This is especially important
    so that the source and destination addresses used in the TCP
    checksum be the originating source and ultimate destination. It is
    also important to preserve the return route to answer connection

RFC 1122 goes into further detail:

            When a TCP connection is OPENed passively and a packet
            arrives with a completed IP Source Route option (containing
            a return route), TCP MUST save the return route and use it
            for all segments sent on this connection.  If a different
            source route arrives in a later segment, the later
            definition SHOULD override the earlier one.

This explains why it's so important to block source-routed packets at
your network periphery.

Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
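The mechanism Barry quotes from RFC 1122 is easy to see in code: a passively opened TCP that receives a SYN carrying a completed source route option reverses the recorded route and sends its SYN-ACK and every later segment back along it, so an attacker who forges a trusted host's address and routes the SYN through a router it controls gets the replies delivered to that router. The following is an added example, not code from this thread or from any RFC: a small IPv4 option parser that extracts the LSRR/SSRR option, derives the RFC 1122 return route, and shows the perimeter check (drop anything source-routed). The packet and all addresses (RFC 5737 documentation ranges) are constructed for the demonstration.

```python
"""IPv4 source-route option parsing and the RFC 1122 return route (added example)."""
import struct
from typing import Optional
from ipaddress import IPv4Address

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route
HDR_FMT = "!BBHHHBBH4s4s"


def ip_checksum(hdr: bytes) -> int:
    """Ones'-complement sum over 16-bit words; verifies to 0 on a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Hand-build an IPv4 header with options (padded to 32 bits) as test input."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fields = [0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234, 0, 64, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack(HDR_FMT, *fields) + options)
    return struct.pack(HDR_FMT, *fields) + options + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Split a raw IPv4 packet into fixed fields, option bytes and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "options": pkt[20:ihl], "payload": pkt[ihl:]}


def parse_options(options: bytes) -> list:
    """Walk the TLV option list: NOP is a single byte, EOL terminates the list."""
    out, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed option at offset %d" % i)
        out.append((kind, options[i:i + options[i + 1]]))
        i += options[i + 1]
    return out


def source_route(hdr: dict) -> Optional[dict]:
    """Return the LSRR/SSRR option if present: recorded hops, and whether the
    route is 'completed' (pointer beyond the option, every hop consumed)."""
    for kind, opt in parse_options(hdr["options"]):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            length, ptr = opt[1], opt[2]
            if length < 3 or (length - 3) % 4 or ptr < 4:
                raise ValueError("malformed source route option")
            hops = [str(IPv4Address(opt[j:j + 4])) for j in range(3, length, 4)]
            return {"kind": "SSRR" if kind == IPOPT_SSRR else "LSRR",
                    "hops": hops, "completed": ptr > length}
    return None


def rfc1122_return_route(hdr: dict) -> Optional[dict]:
    """RFC 1122 4.2.3.8: a passively opened TCP MUST save the completed route,
    reversed, and use it for all segments on the connection."""
    sr = source_route(hdr)
    if sr is None or not sr["completed"]:
        return None
    return {"via": list(reversed(sr["hops"])), "final": hdr["src"]}


def perimeter_should_drop(pkt: bytes) -> tuple:
    """Border filter: refuse any packet that carries a source route option at all."""
    sr = source_route(parse_ipv4(pkt))
    if sr is not None:
        return True, "source-routed (%s) packet dropped at perimeter" % sr["kind"]
    return False, "passed"


# Constructed sample: the attacker forges 192.0.2.10 (a host the target trusts)
# and steers the SYN through two routers it controls. On arrival the route is
# fully consumed: length 3 + 2*4 = 11, pointer 12 (> length), so it is "completed".
SSRR_OPTION = (bytes([IPOPT_SSRR, 11, 12])
               + IPv4Address("203.0.113.1").packed + IPv4Address("203.0.113.2").packed)
SPOOFED_SYN = build_ipv4("192.0.2.10", "198.51.100.20", 6, SSRR_OPTION, b"\x00" * 20)

if __name__ == "__main__":
    # The target's replies would go out via 203.0.113.2 then 203.0.113.1, into
    # the attacker's hands, before ever reaching the forged source 192.0.2.10.
    print(rfc1122_return_route(parse_ipv4(SPOOFED_SYN)))
    print(perimeter_should_drop(SPOOFED_SYN))
```

The reversal is the whole point: the last router recorded in the option becomes the first hop of the reply path, and the forged source address only becomes the final destination, which is why a filter that drops source-routed datagrams at the border (rather than trusting source addresses) is the right control.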

Re: TCP Spoofing Details

Thanks very much for going through the RFCs and answering this question.
Yesterday I could no longer imagine how the attack could be (or could have
been) realistic.

Re: TCP Spoofing Details


TCP is only as secure as its sequence numbers are unpredictable.


You'll find some here:

Instead of using TCP packets for reset attacks, you could insert data
into a connection, too, as described here:

You'll find a comparison of different TCP implementations and how
vulnerable they are here: /

A vision statement is, as a rule, the aimless babble of a horde of
cranks out of touch with reality.
    Dietz Pröpper in d.a.s.r
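The point that TCP is only as secure as its sequence numbers are unpredictable is what makes blind spoofing (without source routing) possible at all: the attacker forges a trusted client's SYN, never sees the SYN-ACK, and must complete the handshake with an ACK whose acknowledgement number is the server's ISN plus one. The following added example, not code from this thread, models that in a toy server and compares a deterministic ISN generator with a random one. The incrementing generator's constant (64000 per connection) is the classic 4.4BSD value and is an assumption here; a real stack also bumps the counter with time, and a real attack has to account for that and for network jitter, which the model omits.

```python
"""Blind TCP spoofing against predictable vs. unpredictable ISNs (added example)."""
import os
import struct

MASK32 = 0xFFFFFFFF
PER_CONNECTION_STEP = 64000  # assumption: classic 4.4BSD increment per connection


class IncrementingISN:
    """Pre-RFC 1948 style: one global counter, bumped deterministically."""
    def __init__(self, seed=0):
        self.counter = seed & MASK32

    def next_isn(self):
        self.counter = (self.counter + PER_CONNECTION_STEP) & MASK32
        return self.counter


class RandomISN:
    """Unpredictable ISNs, as RFC 6528-style stacks produce (here: CSPRNG output)."""
    def next_isn(self):
        return struct.unpack("!I", os.urandom(4))[0]


class TcpServer:
    """Toy listener: remembers the ISN it sent in each SYN-ACK and accepts the
    third handshake packet only if its ACK number is that ISN plus one."""
    def __init__(self, isn_gen):
        self.isn_gen = isn_gen
        self.half_open = {}

    def syn(self, client):
        isn = self.isn_gen.next_isn()
        self.half_open[client] = isn
        return isn  # the SYN-ACK goes to `client`, whoever really sent the SYN

    def ack(self, client, acknum):
        isn = self.half_open.pop(client, None)
        return isn is not None and acknum == (isn + 1) & MASK32


def predict_next_isn(observed):
    """Attacker's guess for the ISN the server will hand the very next connection."""
    return (observed + PER_CONNECTION_STEP) & MASK32


def blind_spoof(server, attacker="203.0.113.7", trusted="192.0.2.10"):
    """One attempt: a legitimate probe from the attacker's own address reveals
    the current ISN; then a SYN forged from `trusted` is sent, whose SYN-ACK
    the attacker never sees, and the handshake is finished with a guessed ACK."""
    observed = server.syn(attacker)
    server.ack(attacker, (observed + 1) & MASK32)   # complete the probe normally
    server.syn(trusted)                              # forged SYN; reply is invisible
    guess = predict_next_isn(observed)
    return server.ack(trusted, (guess + 1) & MASK32)


def success_rate(make_gen, trials=500):
    """Fraction of blind attempts that the server accepts as a completed handshake."""
    hits = sum(blind_spoof(TcpServer(make_gen())) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("incrementing ISN:", success_rate(lambda: IncrementingISN(seed=0x1234)))
    print("random ISN:      ", success_rate(RandomISN))
```

With the incrementing generator a single observed ISN is enough to finish a handshake for a source address the attacker never controlled; with a 32-bit random ISN the guess succeeds with probability about 2^-32 per attempt, which is why the RFC 6528 approach (ISN from a keyed hash over the connection tuple plus a clock) removes the attack without any perimeter filtering.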
