On Sun, 2004-10-31 at 18:19, James Wilkinson wrote:
> Joel wrote (about SSH attacks):
> > The guys that are not smart enough to spoof the IP when they try to
> > climb in are usually on DHCP, or at a netcafe, or at a school where they
> > are more than half likely to get kicked out.
>
> I refer the honourable Joel to my previous response.
>
> In particular, you can't really spoof IP addresses on SSH sessions. The
> server needs to be able to get packets back to the (possibly attacking)
> client, which means the client's IP address must be routable.
>
> James.

At what point does the system log the ssh attempt? If it is after the initial 3-way handshake, then I think an ssh attempt could be spoofed without having to receive packets back from the target system.

From what I can tell, it appears that when you initiate an ssh attempt the standard 3-way handshake is started. You send a SYN packet, the target sends a SYN ACK packet. Normally, since you would not get the SYN ACK packet, the connection would not be completed. However, if you manufacture an ACK packet and send that a few seconds after you send the SYN packet, I think you would have a good chance of completing the handshake. If that gets logged as an SSH attempt, then the active response system in place may block the spoofed sender IP address. True, the sender would never get any packets back, but that would not matter if they are simply trying to DoS a system using its own tools.

There are two questions I don't know the answers to without doing some testing:

1. When is the SSH attempt logged, after the initial handshake or later on in the conversation?

2. What happens when the machine whose address is spoofed gets a SYN ACK that it did not send? It does not make any sense for the spoofed machine to send any kind of response to an unsolicited SYN ACK. I guess it might send a RST, but since it is not waiting for a SYN ACK I think it would just drop the packet.

This would work to the spoofer's benefit, since the machine whose address is being spoofed would not step on the spoofed packets being sent to the target machine. So that leaves the question of how far down the sequence do you need to spoof the traffic to get the system to log an SSH attempt? I agree that you would not be able to establish a complete connection with the system, but then the topic that was being discussed was having a malicious hacker simply cause your own system to block important addresses from your own system.

-- 
Scot L. Harris
webid@xxxxxxxxxx

Stinginess with privileges is kindness in disguise.
-- Guide to VAX/VMS Security, Sep. 1984
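To make concrete which segment a blind spoofer would have to forge, and how far down the exchange the server's application log is reached, here is a small simulation of the three-way handshake. It is an added example written for this page, not code from the thread or from any SSH implementation. It models the server's SYN-RECEIVED and ESTABLISHED states as RFC 793 describes them, the host whose address is forged (either answering the unsolicited SYN-ACK with a RST, as the RFC specifies, or silently dropping it, as the post assumes), and a single application log line that stands in for sshd. The addresses (RFC 5737 documentation ranges), the log text and the "SSH-2.0-blind" payload are constructed values; `know_server_isn` is an oracle that hands the spoofer the number it could never see on the wire.

```python
"""Blind-spoofed TCP handshake simulation (added example, not from the thread)."""
import random
from dataclasses import dataclass

MASK = 0xFFFFFFFF            # TCP sequence/acknowledgement numbers are 32-bit

# Constructed test addresses (RFC 5737 documentation ranges).
SERVER = "203.0.113.22"      # host running the listener (stands in for sshd)
VICTIM = "192.0.2.10"        # address the spoofer forges as the source
CLIENT = "198.51.100.7"      # an honest client that really sees the SYN-ACK


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0
    payload: bytes = b""


class Listener:
    """Passive-open socket: SYN-RECEIVED table, ESTABLISHED set, and the log
    line the application behind it would write (made-up sshd-style text)."""

    def __init__(self, addr, rng):
        self.addr = addr
        self.rng = rng
        self.syn_received = {}   # peer -> (our ISN, peer's ISN)
        self.established = set()
        self.log = []

    def receive(self, seg):
        """Process one incoming segment; return the reply Segment or None."""
        peer = seg.src
        if seg.flags == frozenset({"SYN"}):
            # Choose a random 32-bit ISN; the SYN-ACK goes to the *claimed* source.
            isn = self.rng.getrandbits(32)
            self.syn_received[peer] = (isn, seg.seq)
            return Segment(self.addr, peer, frozenset({"SYN", "ACK"}),
                           seq=isn, ack=(seg.seq + 1) & MASK)
        if peer in self.syn_received:
            isn, peer_isn = self.syn_received[peer]
            if "RST" in seg.flags:
                # RFC 793: an acceptable RST in SYN-RECEIVED returns us to LISTEN.
                if seg.seq == (peer_isn + 1) & MASK:
                    del self.syn_received[peer]
                return None
            if seg.ack == (isn + 1) & MASK:
                # The third segment must acknowledge OUR ISN; only a party that
                # saw the SYN-ACK (or guessed 32 bits) can produce it.
                del self.syn_received[peer]
                self.established.add(peer)
                return None
            # Unacceptable ACK: reset it (seq = incoming ack), stay in SYN-RECEIVED.
            return Segment(self.addr, peer, frozenset({"RST"}), seq=seg.ack)
        if peer in self.established:
            if seg.payload:
                # Only data on an ESTABLISHED connection reaches the application,
                # so this is the earliest point an sshd-style line can be written.
                self.log.append(f"Failed password for root from {peer}")
            return None
        if "RST" in seg.flags:
            return None          # resets are never answered
        return Segment(self.addr, peer, frozenset({"RST"}), seq=seg.ack)


def victim_host(seg, silent):
    """Host whose address was forged. It has no socket for this connection, so
    RFC 793 has it answer the unsolicited SYN-ACK with a RST whose seq equals
    the incoming ack number. silent=True models the post's assumption that the
    packet is just dropped."""
    if silent or "RST" in seg.flags:
        return None
    return Segment(seg.dst, seg.src, frozenset({"RST"}), seq=seg.ack)


def blind_spoof(seed, victim_silent, know_server_isn=False):
    """Spoofer forges a SYN from VICTIM, never receives the SYN-ACK (it is
    routed to VICTIM), then forges the ACK and some data a moment later.
    Returns (handshake_completed, log_lines)."""
    rng = random.Random(seed)
    server = Listener(SERVER, rng)
    syn = Segment(VICTIM, SERVER, frozenset({"SYN"}), seq=rng.getrandbits(32))
    syn_ack = server.receive(syn)                     # delivered to VICTIM
    reply = victim_host(syn_ack, victim_silent)
    if reply is not None:
        server.receive(reply)                         # VICTIM's RST lands first
    guess = syn_ack.seq if know_server_isn else rng.getrandbits(32)
    ack = Segment(VICTIM, SERVER, frozenset({"ACK"}),
                  seq=(syn.seq + 1) & MASK, ack=(guess + 1) & MASK)
    server.receive(ack)
    data = Segment(VICTIM, SERVER, frozenset({"ACK"}), seq=(syn.seq + 1) & MASK,
                   ack=(guess + 1) & MASK, payload=b"SSH-2.0-blind")
    server.receive(data)
    return VICTIM in server.established, list(server.log)


def legitimate_client(seed, client=CLIENT):
    """Honest client: it sees the SYN-ACK, so its ACK carries the right number."""
    rng = random.Random(seed)
    server = Listener(SERVER, rng)
    syn = Segment(client, SERVER, frozenset({"SYN"}), seq=rng.getrandbits(32))
    syn_ack = server.receive(syn)
    ack_no = (syn_ack.seq + 1) & MASK
    server.receive(Segment(client, SERVER, frozenset({"ACK"}),
                           seq=(syn.seq + 1) & MASK, ack=ack_no))
    server.receive(Segment(client, SERVER, frozenset({"ACK"}), seq=(syn.seq + 1) & MASK,
                           ack=ack_no, payload=b"SSH-2.0-OpenSSH"))
    return client in server.established, list(server.log)
```

Running `blind_spoof(1, victim_silent=True)` gives `(False, [])`: the forged ACK has to carry the server's ISN plus one, a 32-bit value the spoofer never received, so the handshake stays half-open and nothing reaches the application. With `victim_silent=False` the outcome is the same even when the oracle supplies the correct ISN, because the RST from the real owner of the address has already returned the server to LISTEN. Only the combination of a silent victim and the correct ISN completes the handshake, which is the case the post is reasoning about. Two caveats carry over to a real deployment: the classic blind-spoofing attacks worked because some stacks generated predictable ISNs rather than random ones, and a real sshd writes its authentication failures only after a key exchange that itself needs the server's replies, so the single log line here is an upper bound on what a blind spoofer could trigger.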