OT: Security....

James Wilkinson james at westexe.demon.co.uk
Tue Nov 2 13:25:56 UTC 2004


I posited:
> Imagine you're sitting in Power Cable, Nebraska, attacking a
> computer in Nether Wallop, UK, and spoofing a computer in
> Henley-on-Todd, Australia. You send a packet to the UK, which replies to
> it. But it sends the reply to Australia: you never see it.
> 
> But you need to see data from that packet to be able to continue the
> connection.

Joel asked:
> I think I am fairly clear on SSH, that two-way conversation is key to
> making the security techniques SSH uses work. The two-way-ness probably
> needs to be emphasised here because some members of this list have not
> picked up on it yet.

Yes, this is true. But before SSH can do anything, it relies on the OS
setting up a TCP connection. That is inherently two-way, too.

> I suppose I'm not being very clear. But what is the
> technical difference between spoofing IP and simply temporarily using an
> IP that is not assigned to you?

Terminology...

> For instance, in the example you provide, how do we guarantee that Joe
> Cracker hasn't 0wn3d the DNS server(s) that the computer in Nether
> Wallop is referencing?

DNS is used less than you think. The Nether Wallop computer gets a
connection from an IP address, and replies to that IP address. It may do
a reverse DNS lookup, but unless that's used for hosts.allow or for
logging, it doesn't actually need it for the connection. SSH certainly
works where there is no DNS, no reverse DNS, and (presumably) where you
have one domain name pointing at multiple IP addresses.

> Or that he hasn't simply 0wn3d the box in
> Henley-on-Todd and thinks he has covered his tracks, so that he doesn't
> care whether the box in Australia gets removed from the 'net? 

If he has compromised the box, he can remove it from the net quite
happily *anyway*. He could, I suppose, set up a system whereby the Power
Cable computer sent a packet as if from the Australian computer. The UK
server would receive it and respond to the Australian computer, which
would send it on somehow to the Power Cable computer. But this doesn't
buy him much: while he's using such a set-up, his inbound packets are
blocked after they trip the lockout (they look as though they come from
the cracked Australian computer).

He does still have his own, valid, IP address to use. So he's got
himself two IP addresses to "throw away". 

But he had that anyway: it would have been much simpler simply to have
probed from the Australian computer in the first place.

Now if you're suggesting that Joe Cracker has a network of compromised
hosts, and can try things from one after another until he finds a valid
connection, then you've got a better point. And I shouldn't be surprised
if determined crackers do try different probes from different machines,
simply to help them cover their traces.

(In my experience, too, casual crackers will try a particular probe
against a wide swathe of computers. Then if they want to try another
probe, they'll look at another swathe. 

It takes more than a single probe for most sysadmins to report it, and
it takes reports of more than one probe for ISPs to care about it. The
casual cracker will feel, accurately, that it's very unlikely that
there'll be enough complaints against him for any action to be taken.
Such is life on the Net in the twenty-first century...)

James.

-- 
E-mail address: james | ... in our completely unscientific usability study,
@westexe.demon.co.uk  | it took our subjects less than 10 seconds to locate
                      | the Solitaire game. We're not sure what else the
                      | corporate desktop needs. -- Michael Hall, Serverwatch
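As an added illustration of the point James makes above (this is example code, not anything from the thread): a toy model of the TCP three-way handshake in which the network routes purely on the destination field, so a SYN-ACK answering a spoofed SYN lands in the spoofed host's inbox and the sender never learns the server's initial sequence number. Host names and the packet dictionaries are constructed for the example.

```python
import random

UK, US, AU = "nether-wallop.uk", "power-cable.us", "henley-on-todd.au"


class Host:
    """One endpoint. It only ever sees packets whose dst field is its own address."""
    def __init__(self, ip):
        self.ip, self.inbox = ip, []


class Network:
    """Routes on the dst field alone; who actually emitted the bytes is irrelevant."""
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}

    def send(self, pkt):
        if pkt["dst"] in self.hosts:
            self.hosts[pkt["dst"]].inbox.append(pkt)


class TcpServer(Host):
    """Listener: answers SYN with a SYN-ACK carrying a random ISN, accepts only a matching ACK."""
    def __init__(self, ip):
        super().__init__(ip)
        self.pending, self.established = {}, set()

    def process(self, net):
        for pkt in self.inbox:
            if pkt["flags"] == "SYN":
                isn = random.getrandbits(32)
                self.pending[pkt["src"]] = isn
                net.send({"src": self.ip, "dst": pkt["src"], "flags": "SYN-ACK",
                          "seq": isn, "ack": (pkt["seq"] + 1) % 2**32})
            elif pkt["flags"] == "ACK" and pkt["src"] in self.pending:
                if pkt["ack"] == (self.pending[pkt["src"]] + 1) % 2**32:
                    self.established.add(pkt["src"])
        self.inbox.clear()


def handshake(claimed_src):
    """A host in Power Cable sends a SYN with src=claimed_src, then the best ACK it can form."""
    server, sender, third_party = TcpServer(UK), Host(US), Host(AU)
    net = Network(server, sender, third_party)
    net.send({"src": claimed_src, "dst": UK, "flags": "SYN", "seq": 1000})
    server.process(net)
    synacks = [p for p in sender.inbox if p["flags"] == "SYN-ACK"]
    # The ISN can be quoted only if the SYN-ACK actually arrived in the sender's own inbox;
    # otherwise the ACK value is a blind 32-bit guess (the real third party would send RST).
    ack_value = (synacks[0]["seq"] + 1) % 2**32 if synacks else random.getrandbits(32)
    net.send({"src": claimed_src, "dst": UK, "flags": "ACK", "seq": 1001, "ack": ack_value})
    server.process(net)
    return {"synack_seen_by_sender": bool(synacks),
            "synack_delivered_to": [h.ip for h in (sender, third_party)
                                    if any(p["flags"] == "SYN-ACK" for p in h.inbox)],
            "established": claimed_src in server.established}
```

Calling `handshake(US)` (own address) completes the connection, while `handshake(AU)` (spoofed address) delivers the SYN-ACK to Henley-on-Todd and leaves the connection unestablished.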