The other big threat at the network layer is spoofing, i.e. actively inserting fake packets into the network. One very common spoofing attack used to be against services such as rlogin or NFS that perform access control based on nothing better than the client's IP address (or the host name it resolves to).
For instance, user joe can put the line "zappa.yoyodyne.com jack" into his ~/.rhosts file, telling the rlogin daemon that anyone by the name of jack connecting from host zappa.yoyodyne.com should be logged in as joe without being asked for a password. Does that sound like it's asking for unwanted attention from crackers? Sure it does! All an attacker has to do in order to compromise joe's account is to send packets to the victim host that appear to originate from zappa.yoyodyne.com, indicating that jack wants to log into joe's account.
This explanation makes the attack sound exceedingly trivial. It is in fact a tad more complex, and requires a fair degree of technical finesse. But there's no magic involved.
By way of explanation, recall that rlogin is a TCP based service. TCP connection setup requires a three-way handshake before the first data can actually be transmitted. During this handshake, client and server exchange two 32 bit integer values called initial sequence numbers, or ISNs: the client's SYN carries the client's ISN, the server's SYN-ACK carries the server's ISN and acknowledges the client's, and the client's final ACK must acknowledge the server's ISN. The server will not accept any data on the connection until it has received that ACK, so in order to get past the handshake phase, the attacker must know the ISN chosen by the victim. Since the SYN-ACK is sent to the host the attacker is impersonating and not to the attacker, this requires that the attacker can either see the victim's responses to the impersonated host, or guess the correct ISN. (The attacker also has to make sure the impersonated host doesn't answer that unexpected SYN-ACK with a reset, which would tear the half-open connection down; keeping it too busy to answer, for instance by flooding it with connection requests, is the classic way of doing that.)
In other words, spoofing the rlogin service is quite easy if the attacker is able to observe the network traffic between the intended victim and the impersonated host.
Guessing is not outright impossible either, despite the fact that an ISN can be any 32 bit number, i.e. one out of roughly four billion. ISNs were never meant to be random: TCP's designers wanted them to advance with a clock, so that stray segments from an earlier incarnation of a connection could not be mistaken for part of a new one. In fact, on most operating systems from the early nineties, ISNs were very predictable, being incremented by a fixed amount per second and per new connection, and the amount of guesswork required to spoof a TCP connection was almost trivial if you knew what clues to look for: open one legitimate connection to the victim, note the ISN you are given, and you know roughly what the next connection will get. Today, many operating systems make it a lot harder for an attacker to guess the correct ISN by deriving it from a secret key and the addresses and ports involved (RFC 1948, later RFC 6528). But at the same time today's bandwidth makes it a lot easier for an attacker to simply try a huge number of possible ISNs.
A very effective defense against spoofing attacks coming from the Internet is ingress filtering at the perimeter router: have the router discard any packet that arrives on the outside interface but carries a source address from your own network, since such a packet cannot possibly be genuine. The same rule applied in the other direction, dropping packets that leave your network with a source address that isn't yours, keeps your own hosts from being used to spoof others. Note that this doesn't help against an attacker who is already on your local network, and it doesn't keep an outsider from impersonating some third host on the Internet; it only keeps him from impersonating yours.
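To show what such a filter actually decides, here is an added example (not code from the book, and not taken from any router's configuration): a small decision function that implements ingress and egress filtering in the sense of RFC 2827, run over a few constructed packets, together with the iptables rules that express the same policy for a Linux router's FORWARD chain. The interface names eth0 and eth1, the network prefix 192.0.2.0/24 (the documentation range) and the sample addresses are assumptions made for the example.

```python
# Added example: RFC 2827 ingress/egress filtering as a decision function,
# plus the equivalent iptables rules. Prefixes and interface names are assumed.
import ipaddress

EXTERNAL_IF = "eth0"                                  # faces the Internet (assumed)
INTERNAL_IF = "eth1"                                  # faces our own network (assumed)
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")] # our address space (assumed)
# Private and reserved ranges that can never legitimately arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def _in(addr, prefixes):
    return any(addr in p for p in prefixes)


def verdict(iface, src):
    """Return ("ACCEPT", "") or ("DROP", reason) for a packet with source
    address `src` arriving on interface `iface`. Anti-spoofing looks at the
    source address and the interface only; the destination is irrelevant."""
    src = ipaddress.ip_address(src)
    if iface == EXTERNAL_IF:
        if _in(src, OUR_PREFIXES):
            return ("DROP", "ingress: our own address cannot come from the Internet")
        if _in(src, BOGONS):
            return ("DROP", "ingress: private or reserved source address")
    elif iface == INTERNAL_IF:
        if not _in(src, OUR_PREFIXES):
            return ("DROP", "egress: inside hosts may only use our own addresses")
    else:
        return ("DROP", "unknown interface")
    return ("ACCEPT", "")


def iptables_rules():
    """The same policy written as iptables commands for the FORWARD chain."""
    rules = []
    for p in OUR_PREFIXES:
        rules.append(f"iptables -A FORWARD -i {EXTERNAL_IF} -s {p} -j DROP")
    for b in BOGONS:
        rules.append(f"iptables -A FORWARD -i {EXTERNAL_IF} -s {b} -j DROP")
    for p in OUR_PREFIXES:
        rules.append(f"iptables -A FORWARD -i {INTERNAL_IF} ! -s {p} -j DROP")
    return rules


# Constructed sample traffic: (interface the packet arrived on, source address)
SAMPLE = [
    (EXTERNAL_IF, "198.51.100.7"),   # ordinary Internet host: accept
    (EXTERNAL_IF, "192.0.2.10"),     # claims to be an inside host: spoofed, drop
    (EXTERNAL_IF, "10.1.2.3"),       # private source from outside: drop
    (INTERNAL_IF, "192.0.2.10"),     # our own host going out: accept
    (INTERNAL_IF, "203.0.113.9"),    # our host spoofing somebody else: drop
]

if __name__ == "__main__":
    for iface, src in SAMPLE:
        print(iface, src, *verdict(iface, src))
    print("\n".join(iptables_rules()))
```

The rules only drop packets; the usual ACCEPT or stateful rules for legitimate traffic follow them in the chain. A router that also terminates connections itself needs the same source checks on the INPUT chain.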
A second variety of spoofing attacks is session hijacking, i.e. injecting data into an existing network connection or even taking it over completely. For instance, if you're a security conscious person, you may use one-time passwords for remote login to defeat password sniffers [6.2]. However, an attacker may still be able to take over your session after you've logged in: the one-time password protected the login, not the connection that follows it. Again, the attack requires that the attacker knows or guesses sequence numbers, in this case the current sequence and acknowledgement numbers of the established connection rather than the initial ones.
Both attacks are fairly easy if you can watch your victim's network traffic, but under some circumstances, they can also be successful without that ability; this is called blind spoofing.
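To make the handshake, the ISN guessing and the hijacking described above concrete, here is a toy model added for this chapter (it is not code from the book, nor from any rlogin or TCP implementation): an in-memory TCP server whose ISN generator can be swapped between a predictable per-connection counter and an RFC 6528 style keyed one, an attacker who samples an ISN from his own address and predicts the one a spoofed connection will get, and a hijacker who injects a command into an established session either with or without the ability to sniff it. The host names, the ISN step of 64,000, the rlogin login string and the injected command are all constructed for the example.

```python
# Added example: toy model of the TCP handshake, ISN prediction and session
# hijacking. Constructed illustration only: nothing here touches a real socket.
import hashlib
import secrets
import time

MASK = 0xFFFFFFFF            # sequence numbers are 32 bits and wrap around


def predictable_isn(step=64_000):
    """Stand-in for the early-1990s scheme: one global counter, bumped by a
    constant for every new connection (the step value is a constructed one)."""
    counter = [0x1000_0000]

    def isn(_client):
        counter[0] = (counter[0] + step) & MASK
        return counter[0]
    return isn


def keyed_isn(secret=None):
    """RFC 6528 style: clock term plus a keyed hash of the endpoints, so one
    connection's ISN says nothing about another's."""
    secret = secret or secrets.token_bytes(16)

    def isn(client):
        clock = (time.monotonic_ns() // 4_000) & MASK             # 4 us ticks
        digest = hashlib.sha256(secret + repr(client).encode()).digest()
        return (clock + int.from_bytes(digest[:4], "big")) & MASK
    return isn


class TcpServer:
    """Server side of TCP reduced to SYN / SYN-ACK / ACK and in-order data.
    `wire` logs every segment on the network as (peer, kind, seq, ack_or_len)."""

    def __init__(self, isn_generator):
        self.isn = isn_generator
        self.half_open = {}       # client -> (server_isn, client_isn)
        self.established = {}     # client -> {"next_seq": int, "data": bytes}
        self.wire = []

    def syn(self, client, client_isn):
        server_isn = self.isn(client)
        self.half_open[client] = (server_isn, client_isn)
        # The SYN-ACK is addressed to `client`; a spoofer never receives it.
        self.wire.append((client, "SYN-ACK", server_isn, (client_isn + 1) & MASK))

    def ack(self, client, ack_num):
        server_isn, client_isn = self.half_open.pop(client, (None, None))
        if server_isn is None or ack_num != (server_isn + 1) & MASK:
            return False          # real TCP answers a bad ACK with RST
        self.established[client] = {"next_seq": (client_isn + 1) & MASK, "data": b""}
        return True

    def data(self, client, seq, payload):
        self.wire.append((client, "DATA", seq, len(payload)))   # sniffers see it
        conn = self.established.get(client)
        if conn is None or seq != conn["next_seq"]:
            return False          # not the segment we are waiting for: dropped
        conn["data"] += payload
        conn["next_seq"] = (seq + len(payload)) & MASK
        return True


def connect(server, client, client_isn):
    """A genuine client really receives its SYN-ACK, so it can read the
    server's ISN off the wire and finish the handshake."""
    server.syn(client, client_isn)
    server_isn = next(seq for peer, kind, seq, _ in reversed(server.wire)
                      if peer == client and kind == "SYN-ACK")
    if not server.ack(client, (server_isn + 1) & MASK):
        raise RuntimeError("handshake failed")
    return server_isn


def blind_spoof(server, attacker, trusted, step_guess):
    """Sample one ISN from our own address, predict the next one, and ACK
    for the spoofed connection without ever seeing its SYN-ACK."""
    sampled = connect(server, attacker, 0x2000)
    server.syn(trusted, 0x3000)               # SYN-ACK goes to `trusted`, unseen
    predicted = (sampled + step_guess) & MASK
    if not server.ack(trusted, (predicted + 1) & MASK):
        return False
    # rlogin's opening message (RFC 1282): \0 client-user \0 server-user \0 term/speed \0
    return server.data(trusted, 0x3001, b"\0jack\0joe\0vt100/9600\0")


def hijack(server, trusted, attacker_can_sniff):
    """Inject a command into a session that `trusted` has already set up."""
    connect(server, trusted, 0x5000)
    server.data(trusted, 0x5001, b"\0jack\0joe\0vt100/9600\0")   # genuine login
    if attacker_can_sniff:     # last DATA segment tells us the next sequence number
        _, _, seq, length = [w for w in server.wire if w[:2] == (trusted, "DATA")][-1]
        guess = (seq + length) & MASK
    else:                      # blind: one shot in four billion
        guess = secrets.randbelow(1 << 32)
    return server.data(trusted, guess, b"echo '+ +' > ~/.rhosts\n")
```

With `predictable_isn`, `blind_spoof` succeeds on the first try and the server ends up holding a connection from zappa.yoyodyne.com that carries jack's login to joe's account; with `keyed_isn` the same guess is rejected, and in real TCP the bad ACK would draw a RST. The `hijack` function shows the other half of the chapter's point: once the attacker can sniff the session, the one-time password no longer matters, because the next sequence number can be read straight off the last segment.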
Discussing these attacks in detail is beyond the scope of this book, but if you're interested in this topic, and want to read more about it, please refer to XXX: add references.
XXX: mention ARP poisoning, IP source routing