Posted by Barry Margolin on January 4, 2006, 11:44 pm
> Dear all,
>
> I would like to get some details on the tcp spoofing attack.
>
> I thought it involved source routing (IP option), but this is supposed
> to only affect the attacker's packets, not the replies. Doesn't the
> source routing affect the reply route in one way or another?
>
> Has anyone a proof of concept source code?
>
> Kind regards
> Ludovic Joly
I have to correct my response in the other thread. I just checked RFC
793, and it says:

    If the lower level is IP (or other protocol that provides this
    feature) and source routing is used, the interface must allow the
    route information to be communicated. This is especially important
    so that the source and destination addresses used in the TCP
    checksum be the originating source and ultimate destination. It is
    also important to preserve the return route to answer connection
    requests.

RFC 1122 goes into further detail:

    When a TCP connection is OPENed passively and a packet
    arrives with a completed IP Source Route option (containing
    a return route), TCP MUST save the return route and use it
    for all segments sent on this connection. If a different
    source route arrives in a later segment, the later
    definition SHOULD override the earlier one.

This explains why it's so important to block source-routed packets at
your network periphery.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***