Security Incidents: Re: Weird SSH attack last night and this morning (still ongoing)

[Valdis.Kletnieks () vt edu]

On Wed, 07 May 2008 10:53:35 PDT, Erin Carroll said:

> When I saw this hitting my servers last night I thought it an odd attack
> pattern but surmised it was either a targeted slow attack with spoofed IP's
Unless your operating system is *very* broken and doesn't do RFC1948 randomization
of the TCP Initial Sequence Number, using a spoofed ID just gets you a bunch
of sockets stuck in half-open state (SYN received, SYN/ACK send to the spoofed
source, no ACK back).  If it's gotten through the 3-packet handshake, you may
as well assume that it's a real IP address (or the attacker has already pwned
enough infrastructure that they can see the SYN/ACK you send, in which case
they control the horizontal and vertical and you're now in an Outer Limits
episode... ;)

Attachment: _bin
Description: