OT: Security....

Scot L. Harris webid at cfl.rr.com
Thu Nov 4 18:06:28 UTC 2004

On Thu, 2004-11-04 at 12:14, HaJo Schatz wrote:
> On Thu, 2004-11-04 at 23:49, Scot L. Harris wrote:
> > At what point does the system log the ssh attempt?  If it is after the
> > initial 3 way handshake then I think an ssh attempt could be spoofed
> > without having to receive packets back from the target system.  From
> > what I can tell it appears that when you initiate an ssh attempt the
> > standard 3 way handshake is started.  You send a SYN packet, the target
> > sends a SYN ACK packet.  Normally since you would not get the SYN ACK
> > packet the connection would not be completed.  However if you
> > manufacture a ACK packet and send that a few seconds after you send the
> > SYN packet I think you would have a good chance of completing the
> > handshake.  If that gets logged as an SSH attempt then the active
> > response system in place may block the spoofed sender IP address.
> I have tried that. You have to have your login and password transmitted
> before the log entry appears through syslog (which makes sense, as the
> credentials appear in the log as well). I believe it's pretty hard to
> "pre-guess" (what a word) the authentication/encryption handshake to
> spoof an IP ;-)

That makes sense.  Will have to find some time to look at this a little
more.  :)

Scot L. Harris
webid at cfl.rr.com

Yield to Temptation ... it may not pass your way again.
		-- Lazarus Long, "Time Enough for Love" 

More information about the users mailing list