From owner-freebsd-current Wed May 22 17:50:48 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA17207 for current-outgoing; Wed, 22 May 1996 17:50:48 -0700 (PDT)
Received: from apocalypse.superlink.net (root@apocalypse.superlink.net [205.246.27.150]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id RAA17192 for ; Wed, 22 May 1996 17:50:43 -0700 (PDT)
Received: (from marxx@localhost) by apocalypse.superlink.net (8.7.5/8.7.3) id QAA04251; Wed, 22 May 1996 16:59:39 -0400 (EDT)
Date: Wed, 22 May 1996 16:59:39 -0400 (EDT)
From: "Charles C. Figueiredo"
To: "Brett L. Hawn"
cc: current@freebsd.org
Subject: Re: freebsd + synfloods + ip spoofing (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 22 May 1996, Brett L. Hawn wrote:

> On Wed, 22 May 1996, Charles C. Figueiredo wrote:
>
> > FreeBSD has an excellent tcp sequence prediction system, read your
> > /usr/src/sys/netinet, then go read Solaris 2.5's tcp.c and compare.
> > Look at tcp_random18() for example (a macro). I'd also like to know
> > what you were attempting w/ TCP sequence prediction, if it was just how
> > hard it was to hose the system w/ SYN bits, that's irrelevant to our
> > number generator and the reliability of the implementation. That's
> > dependent on the fact that the system is 4.4BSD based, which there's
> > nothing wrong with. Now, if you're going to tell me that you tried to
> > exploit r* services using tcp sequence prediction through port 513, well
> > wrappers take care of that. I'd like to see you sequence a full-duplex
> > connection based service, and prove FreeBSD cannot handle it just as well as
> > any other Unix. I want to know what you're doing w/ your experiments.
> > You're merely giving me lists of stuff that's known by everyone.
>
> Now I see where you dug the port 513 out of, you're the one who mentioned
> it, not me.
>
> Ok, let's see here, right off the top of my brain I could easily spoof you on
> IRC and cause you a great deal of pain (having been the victim of one such
> spoof I can tell you just how much pain it can cause). Next down the line
> would be 'secure' systems that rely on IP/FQDN for their interaction. I
> don't need a full duplex connection, all I need to do is get on and do what
> I mean to do. So I can't see what's coming back; if I have a well thought out
> plan it's my guess that I don't need to see what's coming back. The idea is
> not to create a full duplex connection, the idea is to 1: knock you out of
> service, 2: disrupt your service, 3: connect long enough one way to get
> something done that will allow me to sneak in via a new backdoor, 4: lord
> only knows what else those minds which are more creative than I have thought
> of.
>
> Brett

Spoofing irc is no big deal, really. No, you don't need to work in
full-duplex, but if you manage to connect, you still have to login and gain
root. If you want to knock out service, or disrupt, or create backdoors, do it
elegantly w/ hijacking. I invite you to have a shot at apocalypse.superlink.net.
Managing to sequence connection based services is only worth the trouble when
a network is firewalled, and even then, a good firewall is smart enough to
stop sequencing attacks of the sort.

Marxx