COMMAND

    ip

SYSTEMS AFFECTED

    Machines behind any firewall (or not behind a firewall) that does
    not filter out inside addresses coming from outside.

    Machines on a local network without a properly configured filtering
    router between that machine and the attacker.

PROBLEM

    IP spoofing is when an intruder "pretends" to be a machine that you
    trust (usually an internal machine).  The intruder does this by
    substituting the IP address of the "trusted" machine for his own IP
    address in all of his outgoing packets.  The machine being attacked,
    target.victim.com, then believes that the intruder is, in fact, the
    machine that it "trusts" and gives it access.  Examples of trusted
    machines are machines listed in the file /etc/hosts.equiv or in any
    .rhosts file.  Trusted machines can also be machines to which
    filesystems are NFS mounted.  The attacker can discover these
    machines in any number of ways: "showmount -e target.victim.com"
    reveals which hosts certain filesystems are mounted to, and rpcinfo
    can give out valuable information as well.  Once the attacker knows
    your machine, and the IP address of another machine it trusts, he
    can attack.

    The attack is made possible by easily predicted sequence numbers in
    the TCP/IP protocol (sequence numbers are numbers used in the packet
    headers to keep everything in order and to ensure a reliable
    connection).  Under most implementations sequence numbers increase
    by 128,000 with every new packet attempting a connection, and they
    increase by 64,000 with every new packet once a connection is
    established.  Sequence numbers can be predicted by having an
    intruder attempt a legitimate connection to your machine and
    watching the packets as they arrive at his own machine.  Once the
    attacker knows all of this information he can send packets with the
    trusted machine's IP address and the appropriate sequence numbers
    and attempt a connection.  This is usually done as root or superuser
    on his machine so the connection looks like it is coming from
    root@spoofed.victim.com, a machine trusted by target.victim.com.
    Usually the attack takes the form of rsh-ing in as root and
    depositing an .rhosts file with the entry "+ +".  Spoofing can also
    be used in conjunction with many other types of attacks.
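    The advisory's "randomize your sequence numbers" fix is only useful
    if you can check that it took effect.  The following self-audit is
    an added example, not code from the advisory or from HP: you feed
    it initial sequence numbers observed on successive connection
    attempts to one of your own hosts, and it reports whether the
    generator steps by a constant (predictable, like the 128,000
    increment described above), varies only within a narrow band, or
    varies widely (randomized).  The ISN samples, the NARROW_BAND
    threshold and the function names are assumptions of this example.

```python
"""Self-audit of a host's TCP initial sequence numbers (ISNs).

Added example, not code from the advisory: classify how an ISN generator
behaves from ISNs captured on connection attempts to YOUR OWN host.
"""

ISN_MODULUS = 2 ** 32   # TCP sequence numbers are 32-bit and wrap around
NARROW_BAND = 2 ** 16   # assumed threshold: increments confined to a band
                        # this small are still easy to guess


def isn_increments(isns):
    """Wrap-corrected differences between consecutive ISN samples."""
    return [(later - earlier) % ISN_MODULUS
            for earlier, later in zip(isns, isns[1:])]


def audit_isns(isns):
    """Classify an ISN generator from at least three observed ISNs.

    Returns a dict with:
      verdict         'predictable' (constant step), 'weak' (steps vary
                      only within NARROW_BAND) or 'randomized'
      step            the constant step for 'predictable', else None
      distinct_steps  number of different increments seen
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    steps = isn_increments(isns)
    distinct = sorted(set(steps))
    if len(distinct) == 1:
        # Every connection attempt advanced the ISN by the same amount:
        # exactly the behaviour the advisory says makes spoofing possible.
        return {"verdict": "predictable", "step": distinct[0],
                "distinct_steps": 1}
    band = distinct[-1] - distinct[0]
    verdict = "weak" if band < NARROW_BAND else "randomized"
    return {"verdict": verdict, "step": None,
            "distinct_steps": len(distinct)}


# Constructed samples (not captured from any real host).
PREDICTABLE_ISNS = [100000, 228000, 356000, 484000]   # +128,000 each time
WEAK_ISNS = [1000, 65000, 129010, 193030]             # +64000, +64010, +64020
RANDOMIZED_ISNS = [0x1A2B3C4D, 0x9F00E211, 0x03E7AB20, 0x7C1D5E99]

if __name__ == "__main__":
    for name, sample in [("predictable", PREDICTABLE_ISNS),
                         ("weak", WEAK_ISNS),
                         ("randomized", RANDOMIZED_ISNS)]:
        print(name, audit_isns(sample))
```

    Run it against ISNs collected before and after installing the patch;
    a "predictable" verdict after patching means the fix did not take.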

SOLUTION

    Disable ALL "r-services" on your machines.
    Disallow ALL packets coming in from the OUTSIDE of your network
    with IP addresses of machines that are INSIDE your network.
    Randomize your sequence numbers (see below).
    Encrypt your network traffic.

    Get HP patch #5361.
    This will tell you how to get it.  It will randomize your sequence
    numbers.

    Netlog
    can watch your packets and look for anything coming in from OUTSIDE
    that has both source and destination IP addresses from the INSIDE.
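    The filtering rule in the SOLUTION list and the Netlog check above
    are the same test: a packet that enters on the outside interface
    carrying an INSIDE source address has been spoofed.  The following
    is an added example, not code from the advisory or from Netlog; it
    applies that rule to constructed packet records in a simple
    "<iface> <src> <dst> <proto> <dport>" format and reports what a
    border router should drop and what a monitor should alert on.  The
    interface name "ext", the record format and the INTERNAL_NETS
    prefixes are assumptions of this example.

```python
"""Ingress anti-spoofing check for packets arriving from OUTSIDE.

Added example, not part of the advisory or of Netlog: drop (and alert
on) anything entering on the external interface whose source address
belongs to an INSIDE prefix.
"""
import ipaddress

# Constructed: address blocks that are INSIDE this network.  Loopback is
# listed too, since a loopback source can never legitimately arrive from
# outside.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

EXTERNAL_IFACE = "ext"   # assumed name of the interface facing OUTSIDE


def is_internal(addr, nets=INTERNAL_NETS):
    """True if the address string falls inside any INSIDE prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_record(line):
    """Parse one constructed record: '<iface> <src> <dst> <proto> <dport>'."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    iface, src, dst, proto, dport = fields
    return {"iface": iface, "src": src, "dst": dst,
            "proto": proto, "dport": int(dport)}


def ingress_verdict(rec, nets=INTERNAL_NETS, ext_iface=EXTERNAL_IFACE):
    """Apply the advisory's rule to one parsed record.

    'drop-spoofed' : entered on the external interface with an INSIDE source
    'accept'       : everything else (the rule says nothing about packets
                     with OUTSIDE sources or packets on inside interfaces)
    """
    if rec["iface"] == ext_iface and is_internal(rec["src"], nets):
        return "drop-spoofed"
    return "accept"


def audit_records(lines, nets=INTERNAL_NETS):
    """Return (verdicts, alerts): one verdict per line, plus alert text
    for every spoofed packet, the way a Netlog-style monitor would log it."""
    verdicts, alerts = [], []
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            verdicts.append("malformed")   # never silently accept junk
            continue
        verdict = ingress_verdict(rec, nets)
        verdicts.append(verdict)
        if verdict == "drop-spoofed":
            alerts.append(f"spoofed source {rec['src']} -> {rec['dst']} "
                          f"{rec['proto']}/{rec['dport']} on {rec['iface']}")
    return verdicts, alerts


# Constructed records; 203.0.113.0/24 is a documentation range, here OUTSIDE.
SAMPLE_RECORDS = [
    "ext 203.0.113.9 10.0.5.20 tcp 25",     # ordinary mail from outside
    "ext 10.0.5.7 10.0.5.20 tcp 514",       # inside source on ext: rsh spoof
    "int 10.0.5.7 10.0.5.20 tcp 514",       # same addresses, inside iface
    "ext 127.0.0.1 10.0.5.20 udp 111",      # loopback source from outside
    "ext 203.0.113.9 10.0.5.20",            # malformed record
]

if __name__ == "__main__":
    verdicts, alerts = audit_records(SAMPLE_RECORDS)
    for line, verdict in zip(SAMPLE_RECORDS, verdicts):
        print(f"{verdict:13} {line}")
    for alert in alerts:
        print("ALERT:", alert)
```

    The check keys on the interface a packet arrived on, not on the
    destination address, so it catches spoofed packets aimed at the
    router itself as well as those addressed to inside hosts.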