[Dshield] Spoofing Source Address Verification XP
mquibell at icn.state.ia.us
Tue Nov 27 19:31:53 GMT 2001
I suggest you read the entire thread here and concentrate on the
implications of full access to FULL RAW sockets, now available in XP AND
2000. This is the focus of the debate. And I suggest you read my previous
reply which includes links that will explain it to you in detail. Until
further educating yourself on the subject, I suggest you refrain from
commenting. Thank you for no further flaming.
ICN Network Operations Center
Data Operations Group
noc at icn.state.ia.us
From: security at admin.fulgan.com [mailto:security at admin.fulgan.com]
Sent: Tuesday, November 27, 2001 7:02 AM
To: Josh Ballard
Subject: Re: [Dshield] Spoofing Source Address Verification XP
JB> XP is not being called insecure because it has raw sockets.
Well, that was the original point of this thread, anyway...
JB> It's being
JB> called insecure because it has the name Microsoft on it. It's just that
JB> with raw sockets, that's one less hurdle for a script kiddy to cross to
JB> start blasting spoofed packets out onto the internet.
I'm sorry, I simply don't believe this. A spoofed packet, being
illegal, is easy to filter. What's so difficult with DDOS is that all
the packets are legit and cannot easily be filtered off at any point.
Why would script kiddies (or rather, the ones that program their
tools) trade an advantage for a disadvantage?
Like I said so many times, it's almost trivial to build IP packets
from scratch from a device driver. And not only are these libraries
readily available, they are already included in several trojans!
JB> And since we all
JB> know that the first hurdle of getting access to the machine has been for
JB> the majority of the Microsoft OS's not a very big one, eliminating the
JB> second hurdle toward spoofing packets kind of makes for an interesting
JB> mix of things.
1/ XP is today much more difficult to penetrate than win9x: it is a
step in the right direction.
2/ (I wonder how many times I will have to repeat that until everyone
here has read and understood it) Packet spoofing has not been added to
XP. Packet spoofing (in the form of raw packet with header
modification) was present in the products that were vulnerable to Code
Red and easy to add to any win9x machine.
JB> Think about how small a worm like codered was, no extra
JB> BS to install to do what it did, and with something very similar to
JB> that, someone could have a big spoofing denial of service agent, instead
JB> of just a rapid spreading worm, without needing the aid of extra bloat
JB> to have to send and possibly get cut off on.
This kind of worm existed before (In fact, the first one was a Unix
worm that almost shut the whole net down). But the point isn't there:
Software bugs exist, you can't do anything about it. They don't exist
specifically in MS software, they exist in ANY software (Other
OSs/software are found to be vulnerable to the same kind of attack
almost daily). One MUST patch servers, one MUST protect unmanaged
machines from doing business on the outside world without going
through a firewall/virus detection system. That's the only possible
As for individual users, the only proper way to protect them is to
push the updates to their machine (btw that's the goal of windows
update and, while it's far from perfect, it is MUCH better than
nothing, especially since it will remind you when there is an update
JB> Also, without needing to
JB> install extra BS, it might be a little easier to slip something in on a
JB> "good" admin. Just my thoughts...
What do you mean here??
JB> -----Original Message-----
JB> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
JB> Behalf Of Alexander Rayborn
JB> Sent: Monday, November 26, 2001 8:45 PM
JB> To: dshield at dshield.org
JB> Subject: RE: [Dshield] Spoofing Source Address Verification XP
JB> How is this any different than a default install of Windows 95 or 98
JB> that has client for Microsoft Networks and File and Printer Sharing
JB> enabled on the internet? XP's default security weaknesses are nothing
JB> new from Microsoft. I don't think XP deserves to be singled out for
JB> "inherent security weaknesses" because of the raw sockets support.
JB> Dshield mailing list
JB> Dshield at dshield.org
JB> To change your subscription options (or unsubscribe), see:
security mailto:security at admin.fulgan.com
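The thread's subject, source address verification, and the claim above that a spoofed packet is "easy to filter" refer to the check a border router or firewall applies on the site's own traffic: anything leaving the site with a source address the site does not own is dropped, and anything arriving from outside that claims an inside (or otherwise impossible) source is dropped too. The following is an added illustration of that logic in Python, not code from this thread or from any participant; the site prefixes, bogon list and sample packets are constructed values, and the function names are my own.

```python
"""Source-address verification (ingress/egress filtering) as a small model.

Added illustration, not part of the DShield thread. It models the check a
site's border device applies so that a host inside cannot emit packets
carrying a forged source, and so that packets arriving from outside cannot
claim an inside source. All prefixes and packets here are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed example: prefixes this site legitimately originates traffic from.
SITE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed bogon list: sources that should never arrive from the Internet.
BOGON_PREFIXES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


def egress_reason(src, prefixes=SITE_PREFIXES):
    """Return None if a packet with this source may leave the site, else why not."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable source address"
    # Loopback, unspecified and multicast addresses are never valid sources
    # for traffic an inside host sends to the outside world.
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return "special-purpose source address"
    if not any(addr in net for net in prefixes):
        return "source not within site prefixes"
    return None


def ingress_reason(src, prefixes=SITE_PREFIXES, bogons=BOGON_PREFIXES):
    """Return None if a packet arriving from outside has a plausible source."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable source address"
    # A packet from the outside cannot legitimately carry one of our own addresses.
    if any(addr in net for net in prefixes):
        return "external packet claims an internal source"
    if any(addr in net for net in bogons) or addr.is_multicast:
        return "bogon source address"
    return None


def apply_filter(packets, reason_fn):
    """Split packets into (forwarded, dropped); dropped entries carry the reason."""
    forwarded, dropped = [], []
    for pkt in packets:
        reason = reason_fn(pkt.src)
        if reason is None:
            forwarded.append(pkt)
        else:
            dropped.append((pkt, reason))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample of traffic leaving the site.
    outbound = [
        Packet("192.0.2.10", "203.0.113.5", "tcp"),     # genuine inside host
        Packet("10.0.0.7", "203.0.113.5", "udp"),       # forged private source
        Packet("203.0.113.99", "203.0.113.5", "tcp"),   # forged foreign source
        Packet("127.0.0.1", "203.0.113.5", "icmp"),     # forged loopback source
    ]
    fwd, drop = apply_filter(outbound, egress_reason)
    print("egress: forwarded %d, dropped %d" % (len(fwd), len(drop)))
    for pkt, why in drop:
        print("  dropped %s -> %s (%s): %s" % (pkt.src, pkt.dst, pkt.proto, why))
```

Run as a script it prints the egress decision for the four constructed packets; only the packet from 192.0.2.10 is forwarded. The reason strings are what a practitioner would log, since a count of egress drops per inside host is a direct indicator of a compromised machine emitting forged packets, whereas the non-spoofed flood the reply describes produces no such signal at the border.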