Re: IP spoofing/splicing references

osiris@pacificnet.net ("osiris@pacificnet.net")
Wed, 27 Aug 1997 00:36:42 -0700

IP-spoofing Demystified
Trust-Relationship Exploitation
by daemon9 / route / infinity
Volume Seven, Issue Forty-Eight, Phrack
http://www.fc.net/phrack/files/p48/p48-14.html

IPSPOOF.C (Spoofing source)
http://www.ilf.net/Toast/files/unix/ipspoof.c

This site contains both spoofing code, an analysis of that spoofing code
and a good description of how to implement such attacks:
http://main.succeed.net/~coder/spoofit/spoofit.html

A Weakness in the 4.2BSD Unix TCP/IP Software
Technical Report, AT&T Bell Laboratories, February 1985.
ftp://research.att.com/dist/internet_security/117.ps.Z

"Sequence Number Attacks" by Farrow:
http://www.wcmh.com/uworld/archives/95/security/001.txt.html

Bellovin on "Security Problems in the TCP/IP Protocol Suite":
ftp://research.att.com/dist/internet_security/ipext.ps.Z

Defending Against Sequence Number Attacks
S. Bellovin, Request for Comments: 1948. AT&T Research. May 1996
http://sunsite.auc.dk/RFC/rfc/rfc1948.html

Firewalls-Digest V5 #20
(Protracted discussion on-list)
http://tss.ca/~bob/Mail.Archive/firewalls-digest/0007.html

Shimomura's analysis:
http://www.wcmh.com/uworld/archives/95/security/001.add.html

BSDI's answer:
http://solaris1.mysolution.com/~rezell/files/text/bsdsyninfo.txt

Mail archive discussion (with fairly good explanation):
http://solaris1.mysolution.com/~rezell/files/text/spoofing.txt

INTERNET HOLES - ELIMINATING IP ADDRESS FORGERY
Decent discussion on how to prevent the attack from MANAGEMENT ANALYTICS
http://solaris1.mysolution.com/~rezell/files/text/ipaddressforgery.txt

Markoff's article:
http://www.geek-girl.com/bugtraq/1995_1/0128.html

ASK WOODY about SPOOFING ATTACKS
Bill Woodcock, Zocalo Engineering (woody@zocalo.com)
Good document that describes the anatomy of a spoofing attack:
http://www.netsurf.com/nsf/v01/01/local/spoof.html

TCP/IP Spoofing Fundamentals, N. Hastings (Iowa State University, USA)
and P. Mclean (Andersen Consulting)
(IEEE IPCCC'96, IEEE International Phoenix Conference on Computers and
Communications, March 27-29, 1996, Phoenix, Arizona, USA)

Tuning Digital UNIX against TCP SYN Flooding and IP Spoofing Attacks
http://www.digital.com/info/internet/document/ias/avoidtcpsynattack.html

TCP SYN Flooding and IP Spoofing Attacks (3 Com & CERT)
http://www.3com.com/nsc/certwarn.html

Steven M. Bellovin and Michael Merritt (Brief mention of spoofed sessions)
Limitations of the Kerberos Authentication System
USENIX Conference Proceedings, pp. 253-267, USENIX, Winter 1991.
ftp://research.att.com/dist/internet_security/kerblimit.usenix.ps

Matt Blaze
Protocol Failure in the Escrowed Encryption Standard
Technical Report, AT&T Bell Laboratories, June 1994.
ftp://research.att.com/dist/mab/eesproto.ps

Marcus Ranum
Making Your Enterprise Network Safe: How to Plan Internet Security and Firewalls
http://penta.ufrgs.br/gereseg/t6am.txt

(This has been a public service from the folks at http://www.gnss.com)

Travis Hassloch wrote:
>
> In message <Pine.SUN.3.93.970824112505.11368S-100000@ramon>, Rafi Sadowsky writes:
> >Other sources:
>
> Laurent Joncheray, "A Simple Attack Against TCP",
> Proceedings of the Fifth USENIX UNIX Security Symposium, page 7
>
> (proper reading order is chronological; Morris -> Bellovin -> Joncheray)
>
> Note that the old "hotwired" article that started this thread
> slightly confuses IP spoofing and splicing.