[Dshield] Spoofing Source Address Verification XP

Sean Graham seangra at yahoo.com
Tue Nov 27 08:16:13 GMT 2001


You, of course, can interject, however I would very much appreciate that 
you defend your position and explain *how* Windows XP will do those things, 
especially in light of everything that we have all said on the 
topic.  Considering that all you have said is essentially "Windows XP will 
make it easier", and we have already explained in grave detail how, in 
fact, that is not the case, I would be very interested in hearing any 
arguments that we have not already covered.

-- Sean

At 04:21 PM 11/26/2001 -0600, you wrote:
>Might I interject and say that the problem is that Windows XP, an
>end-user-marketed product, in the hands of inexperienced end-users, will
>provide hackers, internet terrorists, and script kiddies many more (AND
>easier) opportunities to wreak havoc on the internet. In fact it will
>provide them a much greater abundance of unsecured access like nothing we've
>seen before. Do we simply "hope" that the default installation of the
>end-user XP will be secure enough, with its integrated firewall, to keep
>hackers out in the first place? Based on M$'s track record, I predict this
>"hope" to be short-lived.
>
>Marc
>
>
>
>
>-----Original Message-----
>From: Sean Graham [mailto:seangra at yahoo.com]
>Sent: Monday, November 26, 2001 2:21 PM
>To: dshield at dshield.org
>Subject: Re: [Dshield] Spoofing Source Address Verification XP
>
>
>Howdy all.
>
>Yeah, one other thing that the windows basher conveniently forgot is that
>when you are root/admin, you have complete control over the system.  It
>really doesn't matter *what* the OS provides to you; you can rewrite the OS
>if you really wanted to!  When you have the ability to access any memory in
>the system unrestricted, it doesn't matter what front-level API is provided
>to you, you can do whatever you want.  So that entire argument is
>pointless.  All Windows XP is doing is providing an easier interface to the
>users who would benefit from it.  Since any admin user can do it anyway the
>hard way (or should I say the easy way, with 3rd party drivers), why not
>provide an easy way so that the legitimate users can benefit?
>
>-- Sean
>
>At 07:22 AM 11/26/2001 -0800, you wrote:
> >At 12:51 AM 11/26/2001, you wrote:
> >>The ability to spoof IP addresses has been there all along as long as
> >>the pirate was willing to include his own library (for the record,
> >
> >    Oh?  My understanding was that until now, "Winblows" did not allow you
> > to construct your own TCP/IP packets, so therefore could not be used to
> > spoof IP addresses.
> >
> >
> >>winpcap is an open source device driver that will allow you both to
> >>sniff all packets reaching the NICs
> >
> >    I see the winpcap homepage, but I had always thought that a key step
> > in sniffing was a hardware issue: having to set the NIC card to
> > "promiscuous mode" (sp?) in order for it to pass to the OS all packets it
> > receives (as opposed to just those addressed to it and dropping
> > everything else).
> >
> >
> >>  In addition, one must add that win2k also had this
> >>ability for quite some time.
> >
> >    One would hope that a corporate machine with win2k would have
> > sufficient protection to keep it from becoming a zombie, and that the
> > high price of W2K would keep it out of the hands of most
> > script-kiddies.  (One would *hope*, anyway.)
> >
> >
> >>No, hackers don't use spoofing, not because it's not available but
> >>because it uses illegal packets that, as such, are easy to detect and
> >>filter at the source with simple router rules, cutting the efficiency
> >>of the attack.
> >
> >    Yes, but how many systems have been discussed on this very list that
> > _don't_ use "simple router rules"?  No internet router should carry
> > 192.168.0.1, but there are plenty that do.  (I like that one guy who
> > added his company's assigned IP range to the list of packets to be
> > dropped if they're discovered coming in from the outside world--now
> > that's thinking!)
> >
> >
> >>1/ Any NAT device will solve the problem. (as long as it's not the
> >>cause of the problem).
> >
> >    See previous comment.
> >
> >
> >>2/ Almost all routers can be easily configured to perform egress
> >>filtering (see http://www.sans.org/infosecFAQ/firewall/egress.htm).
> >
> >    See previous comment.
> >
> >
> >>3/ This is something that should be done on the first hop router. If
> >>you're concerned enough by this problem to look for gateway
> >>protection, you're very unlikely to be affected. Filtering on the
> >>first hop router would allow the ISPs to immediately find dangerous
> >>systems and shut them down.
> >
> >    See previous comment.
> >
> >
> >>As for the consumer, there are a variety of gateway firewalls that will
> >>detect that
> >
> >[snip]
> >
> >>Finally, for the standalone user, a local firewall/IDS can probably
> >>detect outgoing spoofed packets. But again, if you have a local
> >>firewall, you're not likely to have been hacked ;)
> >
> >    You just made my point for me: Windows is hard enough to keep secure
> > when you know what you're doing.  (If it weren't, we wouldn't have a
> > worm-of-the-week that can take over PowerPoint.)  For the average user,
> > who knows nothing, it's just a matter of time before they get trojaned
> > and their machine becomes a zombie.  If my understanding is correct--that
> > under previous Windows versions you couldn't construct your own IP
> > packets--that means that floods could at least be traced back to zombie
> > systems.  With XP, they can't be.
> >
> >
> >-Neil R.
> >--
> >Supreme Lord High Commander and Keeper of the Holy Potato
> >----------
> >Random thought for the day:
> >
> >    Let's do it write, uh, rite, uh, oh heck, just do it!
> >
> >_______________________________________________
> >Dshield mailing list
> >Dshield at dshield.org
> >To change your subscription options (or unsubscribe), see:
> >http://www1.dshield.org/mailman/listinfo/dshield
>
>
>_________________________________________________________
>Do You Yahoo!?
>Get your free @yahoo.com address at http://mail.yahoo.com
>


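The thread keeps coming back to the same mitigation: a first-hop or border router that drops outbound packets whose source address is not in the site's assigned range (egress filtering, as in the SANS FAQ linked above) and drops inbound packets that claim to come from the site's own range or from private space (the trick Neil praises). Below is an added illustration of that rule set as a small Python classifier. It is not code from any poster or from DShield; the assigned range 203.0.113.0/24, the peer 198.51.100.0/24 and the packet list are constructed sample values, and `filter_packet` / `audit` are hypothetical names chosen here.

```python
"""BCP 38 style source-address filtering at a site border, as a standalone
classifier. Constructed example; the prefixes and packets are made up."""
import ipaddress
from typing import Iterable, List, Tuple

# Source addresses that should never arrive from, or leave toward, the
# public internet: RFC 1918 private space, loopback, link-local, "this" net.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# Hypothetical public range assigned to the site (RFC 5737 documentation net).
SITE_ASSIGNED = ["203.0.113.0/24"]


def _in_any(addr: ipaddress.IPv4Address, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def filter_packet(direction: str, src: str, dst: str,
                  assigned: Iterable[str] = SITE_ASSIGNED) -> Tuple[str, str]:
    """Apply the border rule set to one packet.

    direction: "egress" (site -> internet) or "ingress" (internet -> site).
    Returns ("ALLOW", "") or ("DROP", reason).

    Caveat: on a NAT gateway the egress check belongs on the *external*
    interface, after translation; on the inside interface the legitimate
    source range is the private one, and this rule would have to be fed that.
    """
    assigned_nets = [ipaddress.ip_network(p) for p in assigned]
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)

    if direction == "egress":
        # Anything leaving must carry one of OUR addresses as its source.
        # A zombie spoofing a foreign source is stopped here, at the first hop,
        # which is also where the ISP can identify the offending host.
        if not _in_any(s, assigned_nets):
            return "DROP", "egress source %s not in assigned range" % src
        # Private destinations have no business crossing the border either.
        if _in_any(d, BOGON_PREFIXES):
            return "DROP", "egress destination %s is private/bogon space" % dst
        return "ALLOW", ""

    if direction == "ingress":
        # Nothing from the outside may claim to be us (anti-spoofing against
        # trust based on source address) or come from private space.
        if _in_any(s, assigned_nets):
            return "DROP", "ingress source %s claims our own range" % src
        if _in_any(s, BOGON_PREFIXES):
            return "DROP", "ingress source %s is private/bogon space" % src
        return "ALLOW", ""

    raise ValueError("direction must be 'egress' or 'ingress'")


# Constructed packets: (direction, src, dst). 198.51.100.0/24 stands in for
# an arbitrary remote network.
SAMPLE_PACKETS = [
    ("egress",  "203.0.113.10",  "198.51.100.5"),   # normal outbound
    ("egress",  "198.51.100.77", "198.51.100.5"),   # spoofed foreign source
    ("egress",  "192.168.0.1",   "198.51.100.5"),   # leaked private source
    ("ingress", "198.51.100.5",  "203.0.113.10"),   # normal inbound
    ("ingress", "203.0.113.200", "203.0.113.10"),   # outsider claiming our range
    ("ingress", "192.168.0.1",   "203.0.113.10"),   # private source from outside
]


def audit(packets=SAMPLE_PACKETS) -> List[Tuple[str, str, str, str]]:
    """Run every packet through the filter; returns (dir, src, verdict, reason)."""
    results = []
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src, dst)
        results.append((direction, src, verdict, reason))
    return results


if __name__ == "__main__":
    for direction, src, verdict, reason in audit():
        print("%-7s %-15s %-5s %s" % (direction, src, verdict, reason))
```

Only the two "normal" packets pass; the four spoofed or leaked ones are dropped with a reason naming the rule, which is the information an ISP running this on the first hop would need to find the host. The same logic translates directly into an access list on any router that can match on source address per interface.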