From owner-freebsd-hackers@FreeBSD.ORG Tue Sep 30 16:08:29 2008
Return-Path:
Delivered-To: freebsd-hackers@FreeBSD.ORG
From: Oliver Fromme
Message-Id: <200809301605.m8UG5xpr046010@lurza.secnetix.de>
To: wmoran@collaborativefusion.com (Bill Moran)
Date: Tue, 30 Sep 2008 18:05:59 +0200 (CEST)
In-Reply-To: <20080930115014.45a0cd88.wmoran@collaborativefusion.com>
X-Mailer: ELM [version 2.5 PL8]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Cc: freebsd-hackers@FreeBSD.ORG, pierre.riteau@gmail.com
Subject: Re: SSH Brute Force attempts
X-BeenThere: freebsd-hackers@freebsd.org
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Tue, 30 Sep 2008 16:08:29 -0000

Bill Moran wrote:
 > In response to Oliver Fromme:
 > > Pierre Riteau wrote:
 > >
 > > > Because the 3-way handshake ensures that the source address is not being
 > > > spoofed, more aggressive action can be taken based on these limits.
 > >
 > > s/not being spoofed/more difficult to spoof/  ;-)
 >
 > On a modern OS (like FreeBSD) where ISNs are random, the possibility of
 > blindly spoofing an IP during a 3-way handshake is so low as to be
 > effectively impossible.

It depends a lot on the environment, for example whether the
attacker has access (or can somehow get access) to the server's
uplink and trace packets. This can happen if the server is
located with many other servers on the same network, which is
often the case for co-location or so-called root servers.

Of course, if the network is regarded "secure", then you are
right. Spoofing a TCP handshake would be very difficult in
that case. (I try to avoid the word "impossible". Nothing is
impossible, especially in the security business.)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht
München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

Python is executable pseudocode.  Perl is executable line noise.
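The exchange above turns on two things: whether the server's initial sequence numbers (ISNs) are predictable, and whether the attacker can see the server's SYN-ACK at all. The following toy model, added here as an illustration and not code from the thread or from FreeBSD, makes both variables explicit. It models the handshake abstractly (no sockets): a server that accepts the final ACK only if it acknowledges exactly ISN+1, a counter-style ISN generator standing in for the old predictable behaviour, a 32-bit random generator standing in for a modern stack, and an attacker who either only sees ISNs for its own connections (off-path, Bill's case) or can read the SYN-ACK on a shared segment (Oliver's co-location case). The names, the counter step and the trial count are constructed for the example.

```python
"""Toy model: randomized TCP ISNs vs. blind handshake spoofing.

Added example, not code from the mailing-list thread or from FreeBSD.
All class/function names, the counter step and trial counts are constructed.
"""
import random

SEQ_MASK = 0xFFFFFFFF  # 32-bit TCP sequence-number space


class Server:
    """Minimal server side of the 3-way handshake.

    It remembers the ISN it sent for each claimed client address and
    completes the connection only if the final ACK acknowledges ISN+1.
    The SYN-ACK is delivered to the *claimed* source address, whoever is
    really there; an off-path attacker never sees it.
    """

    def __init__(self, isn_source):
        self.isn_source = isn_source   # callable returning the next ISN
        self.pending = {}              # claimed source address -> ISN sent
        self.established = []

    def on_syn(self, src):
        isn = self.isn_source() & SEQ_MASK
        self.pending[src] = isn
        return ("SYN-ACK", isn)

    def on_ack(self, src, ack):
        isn = self.pending.pop(src, None)
        if isn is not None and ack == (isn + 1) & SEQ_MASK:
            self.established.append(src)
            return True
        return False


COUNTER_STEP = 64000  # constructed step for the predictable generator


def predictable_isns(start=1000, step=COUNTER_STEP):
    """Old-style ISN generator: a plain counter (the behaviour that made
    blind spoofing practical on early BSD stacks)."""
    state = {"n": start}

    def next_isn():
        state["n"] = (state["n"] + step) & SEQ_MASK
        return state["n"]
    return next_isn


def random_isns(seed=None):
    """Modern-style generator: 32 fresh random bits per connection.
    Real stacks derive the ISN from a keyed hash (RFC 6528); for the
    off-path attacker the effect is the same, the value is unguessable."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)


def spoof_attempts(isn_source, trials, can_sniff=False):
    """Count how often an attacker claiming the victim's address completes
    the handshake.

    Blind (can_sniff=False): the attacker first opens a real connection from
    its own address to sample the ISN sequence, then sends a SYN with the
    victim's address and must *guess* the ISN for the SYN-ACK it never sees.
    It assumes a counter-style generator and adds COUNTER_STEP to the sample.

    On-path (can_sniff=True): the attacker shares the server's segment and
    simply reads the SYN-ACK, so ISN randomness does not help at all.
    """
    server = Server(isn_source)
    successes = 0
    for _ in range(trials):
        # Legitimate probe from the attacker's own address: the only ISN
        # information a blind attacker ever obtains.
        _, observed = server.on_syn("attacker")
        server.on_ack("attacker", (observed + 1) & SEQ_MASK)

        # SYN claiming the victim's address; the SYN-ACK goes to the victim.
        _, real_isn = server.on_syn("victim")
        guess = real_isn if can_sniff else (observed + COUNTER_STEP) & SEQ_MASK
        if server.on_ack("victim", (guess + 1) & SEQ_MASK):
            successes += 1
    return successes


if __name__ == "__main__":
    n = 200
    print("predictable ISN, blind attacker :", spoof_attempts(predictable_isns(), n), "/", n)
    print("random ISN,      blind attacker :", spoof_attempts(random_isns(seed=1), n), "/", n)
    print("random ISN,      sniffing attacker:", spoof_attempts(random_isns(seed=1), n, True), "/", n)
```

The three runs show the argument of both posters at once: with a counter-style ISN the blind attacker completes every handshake, with a random ISN it completes none (each guess has a 2^-32 chance), and with read access to the server's segment it completes every handshake regardless of how the ISN is generated. The defensive conclusion is the one in the thread: treating a completed handshake as proof of the source address is sound only where the attacker cannot observe the server's traffic.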