Increase the capacity of the target. This is probably the most effective remedy for denial-of-service attacks. It can also be the most expensive. If they are flooding our network,

The Small Services (p. 71)

The granularity of this host-based scheme is tied to the requesting machine, not to an individual user. There is no protection against unauthorized users on that machine connecting from it to an X11 server. Moreover, IP spoofing and connection-hijacking tools are available on the Internet, so even the host check can be defeated.

A second mechanism uses a so-called magic cookie (MIT-MAGIC-COOKIE-1). Both the application and the server share a secret byte string; processes without this string cannot connect to the server. But getting the string to the server in a secure fashion is difficult. One cannot simply copy it over a possibly monitored network cable, or use NFS to retrieve it. Furthermore, a network eavesdropper could snarf the magic cookie whenever it was used, because the client sends it in the clear as part of its connection-setup request.

A third X11 security mechanism uses a cryptographic challenge-response scheme (XDM-AUTHORIZATION-1). This could be quite secure; however, it suffers from the same key-distribution problem as magic-cookie authentication. A Kerberos variant exists, but of course it is only useful if you run Kerberos. And there is still the issue of connection hijacking: none of these schemes protects the session once the initial authentication is done.

The best way to use X11 these days is to confine it to local access on a workstation, or to tunnel it using ssh or IPsec. When you use ssh, it does set up a TCP socket that it forwards to X11, but the socket is bound to localhost, with magic-cookie authentication (using a local, randomly generated key) on top of that. That should be safe enough.

xdm

How does the X server (the local terminal, remember) tell remote clients to use it? In particular, how do X terminals log you in to a host? An X terminal generates an X Display Manager Control Protocol (XDMCP) message and either broadcasts it or directs it to a specific host. These queries are handled by the xdm program, which can initiate an xlogin screen or offer a menu of other hosts that may serve the X terminal. Generally, xdm itself runs as root, and it has had some security problems in the past [CERT Vendor-Initiated Bulletin VB-95:08]. Current versions are better, but access to the xdm service should be limited to hosts
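To make concrete why an eavesdropper can snarf a magic cookie, here is an added Python example (not code from the book or from the X Consortium). It builds the X11 connection-setup request exactly as a client sends it on a fresh connection (byte-order marker, protocol 11.0, authorization name and data, each padded to a multiple of four bytes) and then parses those bytes back the way a passive sniffer on the cable would. The packet layout is the X Window System protocol's connection setup; the cookie value, the function names and the pad helper are this example's own.

```python
import struct

# Name of the authorization protocol used by the classic cookie scheme.
MAGIC_COOKIE_PROTO = b"MIT-MAGIC-COOKIE-1"


def _pad4(n):
    """Padding bytes needed to round n up to a multiple of 4 (X protocol rule)."""
    return (4 - (n % 4)) % 4


def build_setup_request(auth_name, auth_data, little_endian=True):
    """Build the X11 connection-setup request a client sends first.
    Layout: byte-order ('l' or 'B'), pad, major=11, minor=0,
    len(name), len(data), pad, name + pad4, data + pad4."""
    order = b"l" if little_endian else b"B"
    fmt = "<" if little_endian else ">"
    header = order + b"\x00" + struct.pack(
        fmt + "HHHHH", 11, 0, len(auth_name), len(auth_data), 0)
    body = auth_name + b"\x00" * _pad4(len(auth_name))
    body += auth_data + b"\x00" * _pad4(len(auth_data))
    return header + body


def snarf_cookie(packet):
    """What a passive eavesdropper does with the first bytes of an X11
    connection: parse the setup request and recover the authorization
    name and data.  Returns (name, data), or None if the bytes are not a
    complete setup request."""
    if len(packet) < 12 or packet[0:1] not in (b"l", b"B"):
        return None
    fmt = "<" if packet[0:1] == b"l" else ">"
    major, _minor, n, d, _ = struct.unpack(fmt + "HHHHH", packet[2:12])
    if major != 11:
        return None
    name_end = 12 + n
    data_start = name_end + _pad4(n)
    data_end = data_start + d
    if len(packet) < data_end:
        return None  # truncated capture: the cookie is not all there yet
    return packet[12:name_end], packet[data_start:data_end]


def demo():
    """Constructed sample: a 128-bit cookie like the one 'xauth list' shows."""
    cookie = bytes(range(16))
    pkt = build_setup_request(MAGIC_COOKIE_PROTO, cookie)
    name, data = snarf_cookie(pkt)
    # The sniffer now has everything needed to connect as that user.
    return name == MAGIC_COOKIE_PROTO and data.hex() == cookie.hex()
```

On a display that listens on bare TCP (port 6000 plus the display number), these 48 bytes, cookie included, are the first thing on the wire; nothing else is needed to reuse them. With ssh forwarding the same bytes go only to a port bound on 127.0.0.1 and then travel inside the encrypted channel, and the cookie ssh hands out is a locally generated one, so it is never exposed on the network cable.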
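The xdm paragraph above describes the XDMCP exchange in words; the following Python, added here and not taken from xdm's own source, encodes and decodes the Query, BroadcastQuery and IndirectQuery messages an X terminal sends to UDP port 177 and then applies the kind of host restriction the text calls for. The header layout (version 1, opcode, length) and the authentication-name array follow the XDMCP specification; the opcode table is limited to the three query types, and xdm_should_answer is a hypothetical policy function with an assumed allow-list argument, not xdm's actual Xaccess handling.

```python
import ipaddress
import struct

XDMCP_PORT = 177  # UDP port xdm listens on for XDMCP
# Opcodes from the XDMCP (version 1) specification; only the query types are used here.
OPCODES = {1: "BroadcastQuery", 2: "Query", 3: "IndirectQuery"}


def build_query(opcode, auth_names=()):
    """Encode what an X terminal sends: a 6-byte header (version=1, opcode,
    length of the rest) followed by an ARRAYofARRAY8 of XDMCP authentication
    names (CARD8 count, then CARD16 length + bytes for each).  Big-endian."""
    body = struct.pack(">B", len(auth_names))
    for name in auth_names:
        body += struct.pack(">H", len(name)) + name
    return struct.pack(">HHH", 1, opcode, len(body)) + body


def parse_query(datagram):
    """Decode a Query/BroadcastQuery/IndirectQuery.  Returns (opcode name,
    [authentication names]) or None for anything malformed or unexpected."""
    if len(datagram) < 6:
        return None
    version, opcode, length = struct.unpack(">HHH", datagram[:6])
    if version != 1 or opcode not in OPCODES or len(datagram) != 6 + length:
        return None
    body = datagram[6:]
    if not body:
        return None
    names, pos = [], 1
    for _ in range(body[0]):
        if pos + 2 > len(body):
            return None
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        if pos + n > len(body):
            return None
        names.append(body[pos:pos + n])
        pos += n
    return (OPCODES[opcode], names) if pos == len(body) else None


def xdm_should_answer(src_ip, datagram, allowed_nets, answer_broadcast=False):
    """Hypothetical access policy (assumed for this example, not xdm's code):
    reply 'Willing' only to queries from hosts inside allowed_nets (CIDR
    strings), answer broadcasts only if explicitly enabled, and silently
    ignore everything else so the login service is not advertised."""
    parsed = parse_query(datagram)
    if parsed is None:
        return "ignore"
    opcode, _names = parsed
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in ipaddress.ip_network(net) for net in allowed_nets):
        return "ignore"
    if opcode == "BroadcastQuery" and not answer_broadcast:
        return "ignore"
    return "Willing"
```

The sample addresses below are constructed (documentation ranges). The choice to ignore rather than reply Unwilling is deliberate: a service that runs as root and has a history of problems is better left unadvertised to hosts that have no business logging in through it.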