From: "Michael Scheidell" <scheidell@secnap.net>
To: "Uwe Doering", freebsd-security@FreeBSD.ORG
Date: Tue, 22 Aug 2006 07:32:56 -0400
Subject: RE: SSH scans vs connection ratelimiting
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Uwe Doering
> Sent: Tuesday, August 22, 2006 4:09 AM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: SSH scans vs connection ratelimiting
>
> that someone could fake a complete exchange like this from the remote
> via a TCP connection while using source IP address spoofing. My
> understanding so far is that source IP address spoofing from the remote
> works only with connectionless protocols like UDP and ICMP, or TCP SYN
> packets as a special case. Please correct me if I'm wrong.
You are more or less correct. For all practical purposes, spoofing a three-way TCP connection is impossible (for all practical purposes). There are man-in-the-middle attacks, routing hijacking, and possibly TCP connection ID spoofing, but if you are using a modern OS that does not suffer from connection ID guessing, it's so hard to do that only someone specifically trying to break into your network, who has the ability to sniff your traffic, might even have a ghost of a chance of doing this. (And if you already have the *keys from known_hosts, ssh will complain about it if it even gets that far.)

-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security:
Real time security alerts: http://www.secnap.com/news
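The point made in the reply above, that a blind spoofer cannot complete the handshake because the SYN-ACK (and the server's initial sequence number in it) goes to the spoofed address, is easy to see in a toy model. The following is an added illustration, not code from the thread or from FreeBSD: a simulated listener that either hands out random ISNs or uses an assumed predictable generator (a fixed +64000 step per connection, a stand-in for the old 4.2BSD-style scheme, not any real stack's constant), and an attacker who is either blind or on-path (able to sniff the SYN-ACK). Addresses and trial counts are made up.

```python
"""Toy model of blind TCP handshake spoofing versus predictable and random ISNs.

This is a constructed simulation, not real sockets. The server's SYN-ACK is
delivered to the packet's source address, so an attacker spoofing someone
else's address never sees the ISN and must guess it to send a valid ACK.
Assumption: the "legacy" generator adds LEGACY_STEP per connection, a
simplified stand-in for old predictable ISN schemes, not a real stack's value.
"""
import os
import random

ISN_SPACE = 1 << 32
LEGACY_STEP = 64000  # assumed predictable per-connection increment


class ToyServer:
    def __init__(self, random_isn):
        self.random_isn = random_isn
        self._counter = random.getrandbits(32)
        self._half_open = {}  # src_addr -> ISN we put in the SYN-ACK

    def recv_syn(self, src_addr):
        """Handle a SYN; return the ISN sent in the SYN-ACK to src_addr."""
        if self.random_isn:
            isn = int.from_bytes(os.urandom(4), "big")
        else:
            self._counter = (self._counter + LEGACY_STEP) % ISN_SPACE
            isn = self._counter
        self._half_open[src_addr] = isn
        return isn

    def recv_ack(self, src_addr, ack_num):
        """Third packet: the connection completes only if ACK == ISN + 1."""
        isn = self._half_open.pop(src_addr, None)
        return isn is not None and ack_num == (isn + 1) % ISN_SPACE


def spoof_attempt(server, attacker_addr, victim_addr, can_sniff):
    """One attempt to finish a handshake as victim_addr without owning it."""
    # The attacker first connects honestly from its own address to observe
    # one ISN; this is the only SYN-ACK a blind attacker ever receives.
    observed = server.recv_syn(attacker_addr)
    server.recv_ack(attacker_addr, (observed + 1) % ISN_SPACE)

    # Spoofed SYN: the SYN-ACK carrying real_isn goes to victim_addr, not to us.
    real_isn = server.recv_syn(victim_addr)
    if can_sniff:
        guess = real_isn  # on-path attacker reads it off the wire
    elif server.random_isn:
        guess = random.getrandbits(32)  # blind against random ISN: pure chance
    else:
        guess = (observed + LEGACY_STEP) % ISN_SPACE  # blind but predictable
    return server.recv_ack(victim_addr, (guess + 1) % ISN_SPACE)


def spoof_success_rate(random_isn, can_sniff, trials=200):
    """Fraction of spoofed handshakes that complete under the given model."""
    server = ToyServer(random_isn)
    wins = sum(
        spoof_attempt(server, "10.0.0.9", "10.0.0.5", can_sniff)
        for _ in range(trials)
    )
    return wins / trials


if __name__ == "__main__":
    for random_isn, can_sniff in ((False, False), (True, False), (True, True)):
        rate = spoof_success_rate(random_isn, can_sniff)
        print(f"random_isn={random_isn!s:5} can_sniff={can_sniff!s:5} "
              f"spoofed handshakes completed: {rate:.3f}")
```

The blind attacker against a random ISN wins with probability about 2^-32 per attempt, which is why a rate limiter keyed on completed connections (rather than on bare SYNs) cannot be tripped against a third party's address by an off-path spoofer; the on-path case is the "ability to sniff your traffic" caveat in the reply.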