[Dshield] Spoofing Source Address Verification XP

Quibell, Marc mquibell at icn.state.ia.us
Tue Nov 27 19:31:53 GMT 2001


Dear "Security",
I suggest you read the entire thread here and concentrate on the
implications of full access to FULL RAW sockets, now available in XP AND
2000. This is the focus of the debate. And I suggest you read my previous
reply which includes links that will explain it to you in detail. Until
further educating yourself on the subject, I suggest you refrain from
commenting. Thank you for no further flaming.

Marc Quibell
ICN Network Operations Center
Data Operations Group
noc at icn.state.ia.us





-----Original Message-----
From: security at admin.fulgan.com [mailto:security at admin.fulgan.com]
Sent: Tuesday, November 27, 2001 7:02 AM
To: Josh Ballard
Subject: Re[2]: [Dshield] Spoofing Source Address Verification XP


JB> XP is not being called insecure because it has raw sockets.

Well, that was the original point of this thread, anyway...

JB> It's being
JB> called insecure because it has the name Microsoft on it.  It's just that
JB> with raw sockets, that's one less hurdle for a script kiddy to cross to
JB> start blasting spoofed packets out onto the internet.

I'm sorry, I simply don't believe this. A spoofed packet, being
illegal, is easy to filter. What's so difficult with DDOS is that all
the packets are legitimate and cannot easily be filtered off at any point.
Why would script kiddies (or rather, the ones that program their
tools) trade an advantage for a disadvantage?

Like I said so many times, it's almost trivial to build IP packets
from scratch from a device driver. And not only are these libraries
readily available, they are already included in several trojans!


JB> And since we all
JB> know that the first hurdle of getting access to the machine has been for
JB> the majority of the Microsoft OS's not a very big one, eliminating the
JB> second hurdle toward spoofing packets kind of makes for an interesting
JB> mix of things.

1/ XP is today much more difficult to penetrate than win9x: it is a
step in the right direction.
2/ (I wonder how many times I will have to repeat that until everyone
here has read and understood it) Packet spoofing has not been added to
XP. Packet spoofing (in the form of raw packets with header
modification) was present in the products that were vulnerable to Code
Red and easy to add to any win9x machine.


JB> Think about how small a worm like codered was, no extra
JB> BS to install to do what it did, and with something very similar to
JB> that, someone could have a big spoofing denial of service agent, instead
JB> of just a rapid spreading worm, without needing the aid of extra bloat
JB> to have to send and possibly get cut off on.

This kind of worm existed before (In fact, the first one was a Unix
worm that almost shut the whole net down). But the point isn't there:
Software bugs exist, you can't do anything about it. They don't exist
specifically in MS software, they exist in ANY software (Other
OSs/software are found to be vulnerable to the same kind of attack
almost daily). One MUST patch servers, one MUST protect unmanaged
machines from doing business on the outside world without going
through a firewall/virus detection system. That's the only possible
way.

As for individual users, the only proper way to protect them is to
push the updates to their machine (btw that's the goal of windows
update and, while it's far from perfect, it is MUCH better than
nothing, especially since it will remind you when there is an update
available).

JB> Also, without needing to
JB> install extra BS, it might be a little easier to slip something in on a
JB> "good" admin.  Just my thoughts...

What do you mean here?

Good luck,
Stephane


JB> -----Original Message-----
JB> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
JB> Behalf Of Alexander Rayborn
JB> Sent: Monday, November 26, 2001 8:45 PM
JB> To: dshield at dshield.org
JB> Subject: RE: [Dshield] Spoofing Source Address Verification XP


JB> How is this any different than a default install of Windows 95 or 98
JB> that has client for Microsoft Networks and File and Printer Sharing
JB> enabled on the internet?  XP's default security weaknesses are nothing
JB> new from Microsoft.  I don't think XP deserves to be singled out for
JB> "inherent security weaknesses" because of the raw sockets support.

JB> --Alexander



JB> _______________________________________________
JB> Dshield mailing list
JB> Dshield at dshield.org
JB> To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield



-- 
Best regards,
 security                            mailto:security at admin.fulgan.com
