What's new here? Attack-vectors for session-hijacking has been thoroughly discussed elsewhere, so there's no reason to repeat that here. But .... On Wed, 19 Jul 2006 02:02:20 -0500 (CDT), "Gadi Evron" <ge@linuxbox.org> said: [snip]
Description: Some ISP networks do not reset open TCP connections of customers that were either cut-off by the ISP or cut off by self-initiation. While it is responsibility of every person to terminate every open connection before link termination, when the ISP initiates this, it cannot be guaranteed.
You've got far more serious problems than session hijacking to worry about if your network permit an attacker to monitor who/when/where people are disconnected or to kick users off the network at will as would be required to succeed. Besides, to which extent do broadband networks: - permit users to choose their own address? - immediately reuse an address for an other user (unless the pool is exhausted)? //Per -- Per Heldal http://heldal.eml.cc/