[Dshield] Spoofing Source Address Verification XP

Quibell, Marc mquibell at icn.state.ia.us
Mon Nov 26 22:21:54 GMT 2001


Might I interject and say that the problem is that Windows XP, an
end-user-marketed product, in the hands of inexperienced end-users, will
provide hackers, internet terrorists, and script kiddies many more (AND
easier) opportunities to wreak havok onto the internet. In fact it will
provide them a much greater abundance of unsecured access like nothing we've
seen before. Do we simply "hope" that the default installation of the
end-user XP will be secure enough, with it's integrated firewall, to keep
hackers out in the first place? Based on M$'s track record, I predict this
"hope" to be short-lived. 

Marc 




-----Original Message-----
From: Sean Graham [mailto:seangra at yahoo.com]
Sent: Monday, November 26, 2001 2:21 PM
To: dshield at dshield.org
Subject: Re: [Dshield] Spoofing Source Address Verification XP


Howdy all.

Yeah, one other thing that the windows basher conveniently forgot is that 
when you are root/admin, you have complete control over the system.  It 
really doesn't matter *what* the OS provides to you, you can rewrite the OS 
if you really wanted!  When you have the ability to access any memory in 
the system unrestricted, it doesn't matter what front-level API is provided 
to you, you can do whatever you want.  So that entire argument is 
pointless, all WindowsXP is doing is providing an easier interface to the 
users who would benefit from it since any admin user can do it anyways the 
hard way (or should I say the easy way with 3rd party drivers), why not 
provide an easy way so that the legitimate users can benefit?

-- Sean

At 07:22 AM 11/26/2001 -0800, you wrote:
>At 12:51 AM 11/26/2001, you wrote:
>>The ability to spoof IP addresses has been there all along as long as
>>the pirate was willing to include his own library (for the record,
>
>    Oh?  My understanding was that until now, "Winblows" did not allow you 
> to construct your own TCP/IP packets, so therefore could not be used to 
> spoof IP addresses.
>
>
>>winpcap is an open source device driver that will allow you both to
>>sniff all packet reaching the NICs
>
>    I see the winpcap homepage, but I had always thought that a key step 
> in sniffing was a hardware issue: having to set the NIC card to 
> "promiscuous mode" (sp?) in order for it to pass to the OS all packets it 
> receives (as opposed to just those addressed to it and dropping 
> everything else).
>
>
>>  In addition, one must add the win2k also had this
>>ability for quite some time.
>
>    One would hope that a corporate machine with win2k would have 
> sufficient protection to keep it from becoming a zombie, and that the 
> high price of W2K would keep it out of the hands of most 
> script-kiddies.  (One would *hope*, anyway.)
>
>
>>No, hackers don't use spoofing, not because it's not available but
>>because it uses illegal packets and, as such, are easy to detect and
>>filter at the source with simple router rules, cutting the efficiency
>>of the attack.
>
>    Yes, but how many systems have been discussed on this very list that 
> _don't_ use "simple router rules"?  No internet router should carry 
> 192.168.0.1, but there are plenty that do.  (I like that one guy who 
> added his company's assigned IP range to the list of packets to be 
> dropped if they're discovered coming in from the outside world--now 
> that's thinking!)
>
>
>>1/ Any NAT device will solve the problem. (as long as it's not the
>>cause of the problem).
>
>    See previous comment.
>
>
>>2/ Almost all routers can be easily configured to perform egress
>>filtering (see http://www.sans.org/infosecFAQ/firewall/egress.htm).
>
>    See previous comment.
>
>
>>3/ This is something that should be do on the first hop router. If
>>you're concerned enough by this problem to look for gateway
>>protection, you're very unlikely to be affected. Filtering on the
>>first hop router would allow the ISPs to immediately find dangerous
>>systems and shut them down.
>
>    See previous comment.
>
>
>>As for the consumer, there are a variety of gateway firewall that will
>>detect that
>
>[snip]
>
>>Finally, for the standalone user, a local firewall/IDS can probably
>>detect outgoing spoofed packets. But again, if you have a local
>>firewall, you're not likely to have been hacked ;)
>
>    You just made my point for me: Windows is hard enough to keep secure 
> when you know what you're doing.  (If it weren't, we wouldn't have a 
> worm-of-the-week that can take over PowerPoint.)  For the average user, 
> who knows nothing, it's just a matter of time before they get trojaned 
> and their machine becomes a zombie.  If my understanding is correct--that 
> under previous Windows versions you couldn't construct your own IP 
> packets--that means that floods could at least be traced back to zombie 
> systems.  With XP, they can't be.
>
>
>-Neil R.
>--
>Supreme Lord High Commander and Keeper of the Holy Potato
>----------
>Random thought for the day:
>
>    Let's do it write, uh, rite, uh, oh heck, just do it!
>
>_______________________________________________
>Dshield mailing list
>Dshield at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www1.dshield.org/mailman/listinfo/dshield


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield




More information about the list mailing list