[Dshield] Spoofing Source Address Verification XP

Mrcorp mrcorp at yahoo.com
Tue Nov 27 16:09:59 GMT 2001


XP is the Unix kernel.

--- Sean Graham <seangra at yahoo.com> wrote:
> Howdy all.
> 
> Yeah, one other thing that the windows basher conveniently forgot is that 
> when you are root/admin, you have complete control over the system.  It 
> really doesn't matter *what* the OS provides to you, you can rewrite the OS 
> if you really wanted!  When you have the ability to access any memory in 
> the system unrestricted, it doesn't matter what front-level API is provided 
> to you, you can do whatever you want.  So that entire argument is 
> pointless, all WindowsXP is doing is providing an easier interface to the 
> users who would benefit from it since any admin user can do it anyways the 
> hard way (or should I say the easy way with 3rd party drivers), why not 
> provide an easy way so that the legitimate users can benefit?
> 
> -- Sean
> 
> At 07:22 AM 11/26/2001 -0800, you wrote:
> >At 12:51 AM 11/26/2001, you wrote:
> >>The ability to spoof IP addresses has been there all along as long as
> >>the pirate was willing to include his own library (for the record,
> >
> >    Oh?  My understanding was that until now, "Winblows" did not allow you 
> > to construct your own TCP/IP packets, so therefore could not be used to 
> > spoof IP addresses.
> >
> >
> >>winpcap is an open source device driver that will allow you both to
> >>sniff all packets reaching the NICs
> >
> >    I see the winpcap homepage, but I had always thought that a key step 
> > in sniffing was a hardware issue: having to set the NIC card to 
> > "promiscuous mode" (sp?) in order for it to pass to the OS all packets it 
> > receives (as opposed to just those addressed to it and dropping 
> > everything else).
> >
> >
> >>  In addition, one must add the win2k also had this
> >>ability for quite some time.
> >
> >    One would hope that a corporate machine with win2k would have 
> > sufficient protection to keep it from becoming a zombie, and that the 
> > high price of W2K would keep it out of the hands of most 
> > script-kiddies.  (One would *hope*, anyway.)
> >
> >
> >>No, hackers don't use spoofing, not because it's not available but
> >>because it uses illegal packets and, as such, they are easy to detect and
> >>filter at the source with simple router rules, cutting the efficiency
> >>of the attack.
> >
> >    Yes, but how many systems have been discussed on this very list that 
> > _don't_ use "simple router rules"?  No internet router should carry 
> > 192.168.0.1, but there are plenty that do.  (I like that one guy who 
> > added his company's assigned IP range to the list of packets to be 
> > dropped if they're discovered coming in from the outside world--now 
> > that's thinking!)
> >
> >
> >>1/ Any NAT device will solve the problem. (as long as it's not the
> >>cause of the problem).
> >
> >    See previous comment.
> >
> >
> >>2/ Almost all routers can be easily configured to perform egress
> >>filtering (see http://www.sans.org/infosecFAQ/firewall/egress.htm).
> >
> >    See previous comment.
> >
> >
> >>3/ This is something that should be done on the first hop router. If
> >>you're concerned enough by this problem to look for gateway
> >>protection, you're very unlikely to be affected. Filtering on the
> >>first hop router would allow the ISPs to immediately find dangerous
> >>systems and shut them down.
> >
> >    See previous comment.
> >
> >
> >>As for the consumer, there are a variety of gateway firewalls that will
> >>detect that
> >
> >[snip]
> >
> >>Finally, for the standalone user, a local firewall/IDS can probably
> >>detect outgoing spoofed packets. But again, if you have a local
> >>firewall, you're not likely to have been hacked ;)
> >
> >    You just made my point for me: Windows is hard enough to keep secure 
> > when you know what you're doing.  (If it weren't, we wouldn't have a 
> > worm-of-the-week that can take over PowerPoint.)  For the average user, 
> > who knows nothing, it's just a matter of time before they get trojaned 
> > and their machine becomes a zombie.  If my understanding is correct--that 
> > under previous Windows versions you couldn't construct your own IP 
> > packets--that means that floods could at least be traced back to zombie 
> > systems.  With XP, they can't be.
> >
> >
> >-Neil R.
> >--
> >Supreme Lord High Commander and Keeper of the Holy Potato
> >----------
> >Random thought for the day:
> >
> >    Let's do it write, uh, rite, uh, oh heck, just do it!
> >
> >_______________________________________________
> >Dshield mailing list
> >Dshield at dshield.org
> >To change your subscription options (or unsubscribe), see: 
> >http://www1.dshield.org/mailman/listinfo/dshield
> 
> 
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
> 


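Added example, not code from the thread or from any list member: the egress rule from the quoted message (outbound sources must belong to the site) and the ingress trick Neil praised (drop your own assigned range when it arrives from outside) applied to constructed sample packets. The site prefix 203.0.113.0/24 is an assumption.

```python
import ipaddress

# Added example, not from the list. Constructed assumption: this site is
# assigned the documentation block 203.0.113.0/24 by its ISP.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that should never appear on the public Internet (RFC 1918, loopback).
BOGON_PREFIXES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def check_packet(direction, src):
    """Return ("allow"|"drop", reason) for a packet at the border router.

    direction is "out" (leaving toward the ISP) or "in" (arriving from it).
    Egress rule: outbound sources must belong to the site. Ingress rule:
    inbound sources must not be bogons or the site's own range.
    """
    s = ipaddress.ip_address(src)
    if _in_any(s, BOGON_PREFIXES):
        return "drop", "bogon source " + src
    if direction == "out":
        if not _in_any(s, SITE_PREFIXES):
            return "drop", "egress: source " + src + " is not ours (spoofed)"
        return "allow", "egress ok"
    if direction == "in":
        if _in_any(s, SITE_PREFIXES):
            return "drop", "ingress: our own prefix arriving from outside"
        return "allow", "ingress ok"
    raise ValueError("direction must be 'in' or 'out'")


def audit(packets):
    """Apply check_packet to (direction, src) tuples; return the dropped ones."""
    results = [(d, s) + check_packet(d, s) for d, s in packets]
    return [r for r in results if r[2] == "drop"]


# Constructed sample traffic: legit outbound, spoofed outbound, RFC 1918
# inbound, our own prefix inbound, and a normal inbound packet.
SAMPLE = [("out", "203.0.113.25"), ("out", "198.51.100.7"),
          ("in", "192.168.0.1"), ("in", "203.0.113.9"), ("in", "198.51.100.7")]
```

Running audit(SAMPLE) flags the three packets a border router with these rules would drop; the spoofed outbound one is exactly the zombie traffic the thread says egress filtering makes traceable.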



