SSH Brute Force attempts

Igor Mozolevsky igor at hybrid-lab.co.uk
Tue Sep 30 16:15:50 UTC 2008


2008/9/30 Oliver Fromme <olli at lurza.secnetix.de>:
>
> Bill Moran wrote:
>  > In response to Oliver Fromme <olli at lurza.secnetix.de>:
>  > > Pierre Riteau wrote:
>  > >
>  > > >      Because the 3-way handshake ensures that the source address is not being
>  > > >      spoofed, more aggressive action can be taken based on these limits.
>  > >
>  > > s/not being spoofed/more difficult to spoofe/  ;-)
>  >
>  > On a modern OS (like FreeBSD) where ISNs are random, the possibility of
>  > blindly spoofing an IP during a 3-way handshake is so low as to be
>  > effectively impossible.
>
> It depends a lot on the environment, for example whether
> the attacker has access (or can somehow get access) to
> the server's uplink and trace packets.  This can happen
> if the server is located with many other servers on the
> same network, which is often the case for co-location
> or so-called root servers.

Yes, but in that situation you probably have the capacity to inject
enough traffic into the pipe to cause a total blackout...

> Of course, if the network is regarded "secure", then
> you are right.  Spoofing a TCP handshake would be very
> difficult in that case.  (I try to avoid the word
> "impossible".  Nothing is impossible, especially in
> the security business.)

Security is always about the balance between the effort+risk to you vs
the effort+benefit to the attacker...


--
Igor


More information about the freebsd-hackers mailing list