Re: Port Scanning.

From: robert@dyadsecurity.com
Date: Wed Dec 22 2004 - 15:47:12 EST

• Next message: Curt Purdy: "RE: [in] VPN protocols"
• Previous message: Keith Pachulski: "RE: VPN protocols"
• In reply to: robert@dyadsecurity.com: "Re: Port Scanning."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

robert@dyadsecurity.com(robert@dyadsecurity.com)@Wed, Dec 22, 2004 at
> The only thing that isn't currently easy to do is TCP full connection
> payload injection from spoofed IP's. We're working on a way to do
> that though :).

I know it's bad form to follow up on your own post... What I was
talking about in the last email was a way to actually introduce the TCP
3-way handshake (connection) payload stimulous to the remote IP from a
spoofed source. This is currently difficult on modern stacks.

However, many IPS/IDS's don't keep track of state, and you can actually
get the PSH/ACK TCP payload to trigger many IPS's from spoofed sources
now. By skipping the 3-way-handshake, the remote IP will obviously not
treat it as part of an established connection, but if IPS trigger DoS
was your goal, who cares.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033

• Next message: Curt Purdy: "RE: [in] VPN protocols"
• Previous message: Keith Pachulski: "RE: VPN protocols"
• In reply to: robert@dyadsecurity.com: "Re: Port Scanning."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:11 EDT