From owner-freebsd-hackers@FreeBSD.ORG Tue Sep 30 16:15:50 2008
Date: Tue, 30 Sep 2008 17:15:48 +0100
From: "Igor Mozolevsky"
Sender: mozolevsky@gmail.com
To: "Oliver Fromme"
Cc: freebsd-hackers@freebsd.org, Bill Moran , pierre.riteau@gmail.com
Subject: Re: SSH Brute Force attempts
In-Reply-To: <200809301605.m8UG5xpr046010@lurza.secnetix.de>
References: <20080930115014.45a0cd88.wmoran@collaborativefusion.com> <200809301605.m8UG5xpr046010@lurza.secnetix.de>
List-Id: Technical Discussions relating to FreeBSD

2008/9/30 Oliver Fromme :
>
> Bill Moran wrote:
> > In response to Oliver Fromme :
> > > Pierre Riteau wrote:
> > > >
> > > > Because the 3-way handshake ensures that the source address is not being
> > > > spoofed, more aggressive action can be taken based on these limits.
> > >
> > > s/not being spoofed/more difficult to spoof/ ;-)
> >
> > On a modern OS (like FreeBSD) where ISNs are random, the possibility of
> > blindly spoofing an IP during a 3-way handshake is so low as to be
> > effectively impossible.
>
> It depends a lot on the environment, for example whether
> the attacker has access (or can somehow get access) to
> the server's uplink and trace packets. This can happen
> if the server is located with many other servers on the
> same network, which is often the case for co-location
> or so-called root servers.

Yes, but in that situation you probably have the capacity to inject
enough traffic into the pipe to cause a total blackout...

> Of course, if the network is regarded "secure", then
> you are right. Spoofing a TCP handshake would be very
> difficult in that case. (I try to avoid the word
> "impossible". Nothing is impossible, especially in
> the security business.)

Security is always about the balance between the effort+risk to you vs
the effort+benefit to the attacker...

--
Igor
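The point argued in the thread above, that a per-source connection limit is safe to act on because a connection is only counted after the three-way handshake completes, can be made concrete with a small model. The following is an added example, not code from the thread, from FreeBSD or from pf: it counts a connection against a source address only once the client's final ACK acknowledges the server's randomly chosen 32-bit ISN plus one, which is exactly the step a blind spoofer cannot perform because it never receives the SYN-ACK. The class name, the limit of 2 connections per 10 seconds, the addresses, ports and timestamps are all constructed for the illustration.

```python
"""Model of a handshake-gated per-source connection limiter.

Added illustration (not code from the mailing-list thread, FreeBSD or pf).
The server picks a random 32-bit ISN for every SYN; the client's ACK must
carry ISN+1 (mod 2^32) before the connection is counted. A blind spoofer
forging a third party's address never sees the SYN-ACK and so must guess
the ISN, which with random ISNs practically never succeeds. Limit, window,
addresses and timestamps below are constructed sample values.
"""
import secrets
from collections import defaultdict, deque


class HandshakeGatedLimiter:
    def __init__(self, max_conns, window_seconds):
        self.max_conns = max_conns              # connections allowed per window (constructed)
        self.window = window_seconds
        self.pending = {}                       # (src_ip, src_port) -> ISN awaiting the client's ACK
        self.established = defaultdict(deque)   # src_ip -> completion times inside the window
        self.blocked = set()                    # sources that exceeded the limit

    def on_syn(self, src_ip, src_port):
        """Handshake steps 1-2: record a random ISN and 'send' the SYN-ACK.

        The return value stands for the SYN-ACK delivered to src_ip; a spoofer
        using someone else's address never receives it.
        """
        isn = secrets.randbits(32)
        self.pending[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack_number, now):
        """Handshake step 3: accept only an ACK that acknowledges ISN+1.

        Returns True when the handshake completed and the connection was
        counted against src_ip; False otherwise (nothing is counted).
        """
        isn = self.pending.get((src_ip, src_port))
        if isn is None or ack_number != (isn + 1) & 0xFFFFFFFF:
            return False                        # no half-open entry or wrong ISN: ignored
        del self.pending[(src_ip, src_port)]
        times = self.established[src_ip]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()                     # drop completions outside the sliding window
        if len(times) > self.max_conns:
            self.blocked.add(src_ip)
        return True


def simulate():
    """Constructed scenario: a real client opens 3 connections within 10 s
    against a limit of 2 and is blocked; a blind spoofer forges 200 handshakes
    with a victim's address and the victim is not blocked.
    Returns (set of blocked sources, number of successful blind guesses)."""
    lim = HandshakeGatedLimiter(max_conns=2, window_seconds=10)
    client, victim = "203.0.113.5", "198.51.100.7"   # constructed addresses

    # Legitimate client: it receives the SYN-ACK, so it can answer with ISN+1.
    for i, t in enumerate([0.0, 1.0, 2.0]):
        isn = lim.on_syn(client, 40000 + i)
        lim.on_ack(client, 40000 + i, (isn + 1) & 0xFFFFFFFF, now=t)

    # Blind spoofer: forges SYN and ACK with the victim's address but never
    # sees the SYN-ACK, so its ACK number is only a guess.
    guessed = 0
    for i in range(200):
        lim.on_syn(victim, 50000 + i)
        if lim.on_ack(victim, 50000 + i, ack_number=i, now=3.0):
            guessed += 1
    return lim.blocked, guessed


if __name__ == "__main__":
    blocked, guessed = simulate()
    print("blocked sources:", sorted(blocked))
    print("successful blind guesses:", guessed)
```

The model only covers the blind case. An attacker positioned where it can read the server's uplink, the situation Oliver raises above, would see the SYN-ACK and pass the ISN+1 check like any real client, so in such an environment the limit still identifies the source correctly only to the extent that the network is trusted.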