Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: tcp,guardent,bellovin

  • From: Jim Duncan
  • Date: Mon Mar 12 22:39:45 2001

Rafi Sadowsky writes:
> No eavesdropping at all? How can a TCP connection be hijacked if you're
> not on the connection path?
> (Or capable of diverting the connection past you -
>  breaking routers/source_routing/<whatever>.... )

The attacker merely has to get his data into the TCP stream on the 
victim host.  No return traffic necessary.  This means the attacker can 
be _outside_ the victim's network if source address forgery isn't 
prevented.  This is _not_ new; same attack Mitnick used on Shimomura.

If you're on the path, you certainly don't need to guess the TCP ISN to 
hijack a connection.  This isn't new, either. :-)

By the way, Cisco stuff that has the fix we advertised in the security
advisory a couple of weeks ago is *NOT* vulnerable to the attack
announced by Guardent.  The older stuff in IOS is not vulnerable either,
but some of our other products _are_ vulnerable.  Of course, we already
announced that at http://www.cisco.com/warp/public/707/advisory.html .

I'll be along with a more official announcement, but I figured I'd
mention it here, too.

	Jim


-- 
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan@cisco.com>  Phone(Direct/FAX): +1 919 392 6209






