[Dshield] Spoofing Source Address Verification XP

security@admin.fulgan.com security at admin.fulgan.com
Tue Nov 27 08:48:21 GMT 2001


QM> Might I interject and say that the problem is that Windows XP, an
QM> end-user-marketed product, in the hands of inexperienced end-users, will
QM> provide hackers, internet terrorists, and script kiddies many more (AND
QM> easier) opportunities to wreak havoc onto the internet.

How is that so?? Granted, today's typical user is not able to protect
himself or herself against a hacker. But XP an opportunity?? No way:
it will require more flexibility from the installer program, a rewrite of
some tools in wide use that are currently incompatible with Windows NT, and
also the incorporation of the notion of operating system security into
these tools. I see nothing here that can make it easier; on the
contrary.

QM> In fact it will
QM> provide them a much greater abundance of unsecured access like nothing we've
QM> seen before.

I'm sorry, but that's pure BS. What do you base that affirmation on?
Raw sockets? Only someone naive about network programming and
operating systems might believe so. Then what else?

QM> Do we simply "hope" that the default installation of the
QM> end-user XP will be secure enough, with its integrated firewall, to keep
QM> hackers out in the first place? Based on M$'s track record, I predict this
QM> "hope" to be short-lived.

Firewalls don't keep hackers at bay. Not when they are unmonitored and
misconfigured (and you CAN'T properly configure them by default). What
protects a machine is the attention its admin puts into its
configuration and maintenance, period.

There is no "hope" here: XP, being based on NT and integrating
notions of security, is inherently more secure than Win9x. While this
is not enough, it means that end users now have the MEANS to protect
themselves, should they be willing to.


QM> -----Original Message-----
QM> From: Sean Graham [mailto:seangra at yahoo.com]
QM> Sent: Monday, November 26, 2001 2:21 PM
QM> To: dshield at dshield.org
QM> Subject: Re: [Dshield] Spoofing Source Address Verification XP


QM> Howdy all.

QM> Yeah, one other thing that the windows basher conveniently forgot is that 
QM> when you are root/admin, you have complete control over the system.  It 
QM> really doesn't matter *what* the OS provides to you, you can rewrite the OS 
QM> if you really wanted!  When you have the ability to access any memory in 
QM> the system unrestricted, it doesn't matter what front-level API is provided 
QM> to you, you can do whatever you want.  So that entire argument is 
QM> pointless, all WindowsXP is doing is providing an easier interface to the 
QM> users who would benefit from it since any admin user can do it anyways the 
QM> hard way (or should I say the easy way with 3rd party drivers), why not 
QM> provide an easy way so that the legitimate users can benefit?

QM> -- Sean

QM> At 07:22 AM 11/26/2001 -0800, you wrote:
>>At 12:51 AM 11/26/2001, you wrote:
>>>The ability to spoof IP addresses has been there all along as long as
>>>the pirate was willing to include his own library (for the record,
>>
>>    Oh?  My understanding was that until now, "Winblows" did not allow you 
>> to construct your own TCP/IP packets, so therefore could not be used to 
>> spoof IP addresses.
>>
>>
>>>winpcap is an open source device driver that will allow you both to
>>>sniff all packets reaching the NICs
>>
>>    I see the winpcap homepage, but I had always thought that a key step 
>> in sniffing was a hardware issue: having to set the NIC card to 
>> "promiscuous mode" (sp?) in order for it to pass to the OS all packets it 
>> receives (as opposed to just those addressed to it and dropping 
>> everything else).
>>
>>
>>>  In addition, one must add the win2k also had this
>>>ability for quite some time.
>>
>>    One would hope that a corporate machine with win2k would have 
>> sufficient protection to keep it from becoming a zombie, and that the 
>> high price of W2K would keep it out of the hands of most 
>> script-kiddies.  (One would *hope*, anyway.)
>>
>>
>>>No, hackers don't use spoofing, not because it's not available but
>>>because it uses illegal packets and, as such, are easy to detect and
>>>filter at the source with simple router rules, cutting the efficiency
>>>of the attack.
>>
>>    Yes, but how many systems have been discussed on this very list that 
>> _don't_ use "simple router rules"?  No internet router should carry 
>> 192.168.0.1, but there are plenty that do.  (I like that one guy who 
>> added his company's assigned IP range to the list of packets to be 
>> dropped if they're discovered coming in from the outside world--now 
>> that's thinking!)
>>
>>
>>>1/ Any NAT device will solve the problem. (as long as it's not the
>>>cause of the problem).
>>
>>    See previous comment.
>>
>>
>>>2/ Almost all routers can be easily configured to perform egress
>>>filtering (see http://www.sans.org/infosecFAQ/firewall/egress.htm).
>>
>>    See previous comment.
>>
>>
>>>3/ This is something that should be done on the first hop router. If
>>>you're concerned enough by this problem to look for gateway
>>>protection, you're very unlikely to be affected. Filtering on the
>>>first hop router would allow the ISPs to immediately find dangerous
>>>systems and shut them down.
>>
>>    See previous comment.
>>
>>
>>>As for the consumer, there are a variety of gateway firewalls that will
>>>detect that
>>
>>[snip]
>>
>>>Finally, for the standalone user, a local firewall/IDS can probably
>>>detect outgoing spoofed packets. But again, if you have a local
>>>firewall, you're not likely to have been hacked ;)
>>
>>    You just made my point for me: Windows is hard enough to keep secure 
>> when you know what you're doing.  (If it weren't, we wouldn't have a 
>> worm-of-the-week that can take over PowerPoint.)  For the average user, 
>> who knows nothing, it's just a matter of time before they get trojaned 
>> and their machine becomes a zombie.  If my understanding is correct--that 
>> under previous Windows versions you couldn't construct your own IP 
>> packets--that means that floods could at least be traced back to zombie 
>> systems.  With XP, they can't be.
>>
>>
>>-Neil R.
>>--
>>Supreme Lord High Commander and Keeper of the Holy Potato
>>----------
>>Random thought for the day:
>>
>>    Let's do it write, uh, rite, uh, oh heck, just do it!
>>
>>_______________________________________________
>>Dshield mailing list
>>Dshield at dshield.org
>>To change your subscription options (or unsubscribe), see: 
>>http://www1.dshield.org/mailman/listinfo/dshield





-- 
Best regards,
 security                            mailto:security at admin.fulgan.com
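The "simple router rules" the thread keeps returning to (egress filtering on the first-hop router, plus dropping 192.168.0.1-style sources arriving from outside) are easy to state as code. The following is an added example, not code from anyone in this thread: a small Python model of the first-hop router's anti-spoofing decision, run over a constructed set of packets. The assigned range 203.0.113.0/24, the interface names, and all packet addresses are made up for the example (documentation ranges, not real allocations). It also shows the tracing point raised above: because a spoofed packet still leaves the site through a known interface, the router can count dropped egress packets per interface and point at the host that emitted them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: the site's assigned public block is taken
# from a documentation range (TEST-NET-3), not a real allocation.
ASSIGNED_RANGE = ipaddress.ip_network("203.0.113.0/24")

# Source addresses that should never arrive from the Internet side:
# RFC 1918 private space and loopback (the thread's "192.168.0.1" case).
BOGON_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as the router sees it."""
    direction: str  # "out" = leaving the site, "in" = arriving from the Internet
    src: str
    dst: str
    iface: str      # hypothetical name of the interface the packet came in on


def filter_decision(pkt: Packet):
    """Return (verdict, reason) for one packet on the first-hop router.

    Egress rule: a packet leaving the site must carry a source address from
    the site's own assigned range; anything else is a spoofed source.
    Ingress rule: a packet arriving from outside must not claim the site's
    own range or a private/loopback range as its source.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out":
        if src not in ASSIGNED_RANGE:
            return "drop", "egress: source not in assigned range"
        return "accept", ""
    if pkt.direction == "in":
        if src in ASSIGNED_RANGE:
            return "drop", "ingress: our own range arriving from outside"
        for net in BOGON_RANGES:
            if src in net:
                return "drop", f"ingress: private/bogon source {net}"
        return "accept", ""
    raise ValueError(f"unknown direction {pkt.direction!r}")


def apply_filter(packets):
    """Run every packet through the rule; returns (packet, verdict, reason) tuples."""
    return [(pkt, *filter_decision(pkt)) for pkt in packets]


def spoof_report(packets):
    """Count dropped egress packets per inside interface.

    The spoofed source IP is useless for tracing, but the interface the
    packet arrived on is not: this is what lets the site (or an ISP doing
    the same thing one hop up) find the zombie and shut it down.
    """
    counts = {}
    for pkt, verdict, _reason in apply_filter(packets):
        if pkt.direction == "out" and verdict == "drop":
            counts[pkt.iface] = counts.get(pkt.iface, 0) + 1
    return counts


# Constructed sample traffic: two clean packets, two spoofed egress packets
# from the same inside port, and two bogus sources arriving from the WAN.
SAMPLE_PACKETS = [
    Packet("out", "203.0.113.10", "198.51.100.5", "lan-port-1"),   # legitimate
    Packet("out", "192.0.2.77", "198.51.100.5", "lan-port-3"),     # spoofed public source
    Packet("out", "10.9.8.7", "198.51.100.5", "lan-port-3"),       # spoofed private source
    Packet("in", "198.51.100.5", "203.0.113.10", "wan"),           # legitimate reply
    Packet("in", "192.168.0.1", "203.0.113.10", "wan"),            # private source from outside
    Packet("in", "203.0.113.200", "203.0.113.10", "wan"),          # our own range from outside
]


if __name__ == "__main__":
    for pkt, verdict, reason in apply_filter(SAMPLE_PACKETS):
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {verdict:6} {reason}")
    print("dropped egress packets per interface:", spoof_report(SAMPLE_PACKETS))
```

On the constructed sample, the two spoofed egress packets are dropped and both attributed to lan-port-3, and the two bogus inbound sources are dropped on ingress; the legitimate pair passes. A real router expresses the same two rules as an outbound ACL permitting only the assigned range and an inbound ACL denying that range and the private blocks.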



