Perp

They have: 8 posts

Joined: Nov 2005

-
My adversary's latest move has been to "FIN-spoof", and to "RST-spoof", my server's TCP stack, so as to terminate "in-progress" downloads. (My customers have been receiving half-files.) An Ethereal packet analysis proves that FIN spoofing is the cause of the terminated downloads. In order to restore full file downloads to my customers, I have been adjusting the firewall TCP flag set-up, and I think that may provide a solution.

However, it irritates me that someone would hack my telco connection. I would like to know who the culprit is, and I think that I may have only to consider a short list of prospects. Correct me if I'm wrong, but isn't it necessary to sniff the local line in order to determine the correct sequence numbers to use in the FIN-spoof attack that causes a file download to be terminated?

In other words, I *think* that the perpetrator must be between me and the local access point here for Ma Bell. (Which would narrow it down to a few blocks in area.) In other words, this guy is one of my neighbors.

- rleesBSD
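The Ethereal analysis mentioned in the post above is the right place to start, because a capture gives you two independent tells for a forged FIN or RST. This is an added example, not code from the original post: it walks a constructed list of packet records (addresses from the RFC 5737 documentation ranges, values made up for illustration) and flags client-side FIN/RST segments whose IP TTL differs from the TTL the same client used for its SYN, or whose sequence number is not the one the client would have sent next. Loading real packets out of an Ethereal/pcap file into the `Pkt` records is left out here.

```python
from dataclasses import dataclass

SERVER_IP = "203.0.113.10"   # constructed: the download server under attack


@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters as tcpdump/Ethereal print them: S, A, P, F, R
    seq: int            # absolute sequence number
    ttl: int            # IP TTL as it arrived at the server
    payload_len: int = 0


def find_forged_teardowns(pkts):
    """Return (pkt, reasons) for every FIN/RST arriving at SERVER_IP that does
    not look like it came from the real client.

    Two tells are checked, each one independently enough to raise a flag:
      * TTL: packets from one host over one path arrive with the same TTL;
        an injector sitting elsewhere (e.g. fewer hops away) usually shows a
        different one, unless it deliberately copies the client's TTL.
      * SEQ: a genuine in-order FIN carries seq == the client's next expected
        sequence number; a blind guess almost never does.
    Only client -> server packets are examined; the server's own segments are
    not needed to build the client's baseline.
    """
    state = {}       # (client_ip, client_port) -> {"next_seq": int, "ttl": int}
    findings = []
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.dst != SERVER_IP:
            continue
        key = (p.src, p.sport)
        if "S" in p.flags and "A" not in p.flags:        # client SYN starts the baseline
            state[key] = {"next_seq": (p.seq + 1) % 2**32, "ttl": p.ttl}
            continue
        st = state.get(key)
        if st is None:
            continue                                     # flow started before the capture
        if "F" in p.flags or "R" in p.flags:
            reasons = []
            if p.ttl != st["ttl"]:
                reasons.append(f"ttl {p.ttl} != baseline {st['ttl']}")
            if p.seq != st["next_seq"]:
                reasons.append(f"seq {p.seq} != expected {st['next_seq']}")
            if reasons:
                findings.append((p, reasons))
                continue                                 # a forgery must not move the baseline
        if p.seq == st["next_seq"]:                      # in-order segment advances expectation
            st["next_seq"] = (p.seq + p.payload_len + ("F" in p.flags)) % 2**32
    return findings


# Constructed capture (not real traffic): three HTTP flows toward the server.
CAPTURE = [
    # flow A: real client, download cut by a FIN with the right seq but a different TTL
    Pkt(0.000, "198.51.100.7", 40512, SERVER_IP, 80, "S", 1000, 54),
    Pkt(0.010, SERVER_IP, 80, "198.51.100.7", 40512, "SA", 7000, 64),
    Pkt(0.020, "198.51.100.7", 40512, SERVER_IP, 80, "A", 1001, 54),
    Pkt(0.021, "198.51.100.7", 40512, SERVER_IP, 80, "PA", 1001, 54, payload_len=80),
    Pkt(0.900, "198.51.100.7", 40512, SERVER_IP, 80, "FA", 1081, 61),    # forged
    # flow B: a blind guess, wrong seq and different TTL
    Pkt(1.000, "198.51.100.9", 51000, SERVER_IP, 80, "S", 500, 118),
    Pkt(1.020, "198.51.100.9", 51000, SERVER_IP, 80, "PA", 501, 118, payload_len=60),
    Pkt(1.500, "198.51.100.9", 51000, SERVER_IP, 80, "R", 424242, 61),    # forged
    # flow C: genuine close by the client after its request
    Pkt(2.000, "198.51.100.20", 33000, SERVER_IP, 80, "S", 9000, 49),
    Pkt(2.020, "198.51.100.20", 33000, SERVER_IP, 80, "PA", 9001, 49, payload_len=70),
    Pkt(2.900, "198.51.100.20", 33000, SERVER_IP, 80, "FA", 9071, 49),
]

if __name__ == "__main__":
    for pkt, why in find_forged_teardowns(CAPTURE):
        print(f"{pkt.ts:.3f} {pkt.src}:{pkt.sport} flags={pkt.flags}: " + "; ".join(why))
```

Flow A is the case the post describes: the sequence number is exactly right, which is what you would expect from someone who can see the client's packets, but the TTL gives away that the segment took a different path than the client's real traffic. A forger who knows to copy the client's TTL defeats that check, so a matching TTL proves little, while a mismatch is strong evidence.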

They have: 8 posts

Joined: Nov 2005

-
Technically, the spoofer could use an algorithm to "guess" the sequence number. While, in such a case, local sniffing might not be necessary in order to determine the sequence number, I am not sure how the attacker would divine the correct IP address.

I don't think that the perp is guessing anything, because most of my files are fairly small, and download quickly, and because the attacker is using only a couple of bogus FIN packets per file, with a 75% success rate. I am not getting a flood of overwhelming numbers of bogus packets, such as would probably be necessary in order for a "guessing algorithm" to accomplish the task.

Am I right?

Two other things convince me that the culprit is between me and the Bellsouth access point:

1 - Most of my customers are not static (instead, they are fairly random public-internet customers). My guess is that the local wire could be sniffed to pick up the customer IP addresses.

2 - The bogus FIN packets are disproportionately directed to terminate zip, gz, and other archive file downloads.

- rleesBSD

- Excuse my edits today --- to clean up the faux pas ... hard to write well when you're irritated.
