On 11/30/07, Platonides <Platonides(a)gmail.com> wrote:
*and* used for
DoS by anyone
who can spoof IP addresses (e.g., using AOL's different-IP-per-page
thing to block a big chunk of AOL users from logging into an account).
Can they? They would still need to perform the TCP handshake. I hope the
server's TCP sequence number aren't predictable!
You can handshake if you cycle through all the AOL addresses, as an
AOL subscriber (or any other ISP with similar features). Just
repeatedly enter wrong passwords, getting a different IP address
assigned for each time, until you've entered wrong passwords from
every address AOL is willing to assign you. Since you share the pool
with at least other AOL users in your region, none of them can log in
anymore to that user.
Otherwise you can spoof the handshake if the sequence numbers are
predictable, as you say.