[Dshield] Spoofing Address Verification XP

Quibell, Marc mquibell at icn.state.ia.us
Thu Nov 29 14:52:31 GMT 2001


Here Claude has hit the nail on the head. We all know this is nothing new.
XP is just adding, as I stated previously, many more, easier targets. I don't
know how much simpler I could've made this statement. Claude SHOULD be concerned
more w/ XP because of its soon-to-be dominance in the end-user market. Why
use Linux when there are thousands more, easier targets? And yes, XP does
allow ALL users access, if not restricted access, to the full raw sockets,
not just the admin. BTW if you can disprove Steve Gibson, please provide
evidence to the contrary.

It doesn't help a debate when some immature people start rambling about
their misinterpretation of syntax, such as RAW or raw. No difference. The
CAPS are a form of emphasis.

In the end, we will see what XP will bring to the internet. It will make
Code Red and its sisters look pale in comparison. Stephan will tell us
that XP will not be used as trojan-bots. Anyone care to put a bet on that? I
will keep this email for that time.

Marc Quibell
ICN Network Operations Center
Data Operations Group
noc at icn.state.ia.us
1-800-572-3940




-----Original Message-----
From: Beauregard, Claude Q [mailto:CQBeauregard at aaamichigan.com]
Sent: Wednesday, November 28, 2001 9:11 AM
To: dshield at dshield.org
Subject: RE: [Dshield] Spoofing Source Address Verification XP


If I can throw in my 2 cents. The problem is not that WinXP introduces
anything new, it's the market share that makes this a possible problem. Linux
requires some skill to do what the Windows interface makes easy. That's the
real worry. Microsoft actually should have done this some time ago. My only
concern is the continued lack of security in the product. While this is true
of the standard Linux install as well, Linux is not as prevalent. While WinXP
incorporates a FW application, users are not being given the information to
properly implement it and of course, being the frustrated users they are, they
will simply disable it. Education is the key and if Microsoft provided the end
user more information on securing their product this threat could be reduced,
but then again this is something they don't even do for their MCSEs. But users
themselves are the bigger problem: they repeatedly download attachments to
emails without knowing what they are or allow ActiveX scripts to run, and when
they are Trojaned or virus infected they wonder why. I'm more concerned about
the uneducated user than MS.

By the way, Internet terrorists and hackers don't need WinXP; they've been using
Linux for this purpose for years. I don't really care about script kiddies;
they always get caught anyway because they spend too much time bragging about
their exploits in IRC chat rooms (no professionalism).

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Quibell, Marc
Sent: Tuesday, November 27, 2001 1:11 PM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] Spoofing Source Address Verification XP


http://grc.com/dos/xplaughter.htm This site appears to be down, but perhaps
since he has already explained it in great detail, I do not have to, and I
do not feel the need to get you to understand the implications...Search on
Steve Gibson topics if you cannot get there. Surely there are other sites
with the article....

Marc 



-----Original Message-----
From: Sean Graham [mailto:seangra at yahoo.com]
Sent: Tuesday, November 27, 2001 2:16 AM
To: dshield at dshield.org
Subject: RE: [Dshield] Spoofing Source Address Verification XP


You, of course, can interject, however I would very much appreciate that
you defend your position and explain *how* WindowsXP will do those things,
especially in light of everything that we have all said on the
topic.  Considering how all you have said is essentially "Windows XP will
make it easier", and we have already explained in grave detail how, in
fact, that is not the case, I would be very interested in hearing your
arguments that we have not already covered.

-- Sean

At 04:21 PM 11/26/2001 -0600, you wrote:
>Might I interject and say that the problem is that Windows XP, an
>end-user-marketed product, in the hands of inexperienced end-users, will
>provide hackers, internet terrorists, and script kiddies many more (AND
>easier) opportunities to wreak havoc onto the internet. In fact it will
>provide them a much greater abundance of unsecured access like nothing we've
>seen before. Do we simply "hope" that the default installation of the
>end-user XP will be secure enough, with its integrated firewall, to keep
>hackers out in the first place? Based on M$'s track record, I predict this
>"hope" to be short-lived.
>
>Marc
>
>
>
>
>-----Original Message-----
>From: Sean Graham [mailto:seangra at yahoo.com]
>Sent: Monday, November 26, 2001 2:21 PM
>To: dshield at dshield.org
>Subject: Re: [Dshield] Spoofing Source Address Verification XP
>
>
>Howdy all.
>
>Yeah, one other thing that the windows basher conveniently forgot is that
>when you are root/admin, you have complete control over the system.  It
>really doesn't matter *what* the OS provides to you, you can rewrite the OS
>if you really wanted!  When you have the ability to access any memory in
>the system unrestricted, it doesn't matter what front-level API is provided
>to you, you can do whatever you want.  So that entire argument is
>pointless, all WindowsXP is doing is providing an easier interface to the
>users who would benefit from it since any admin user can do it anyways the
>hard way (or should I say the easy way with 3rd party drivers), why not
>provide an easy way so that the legitimate users can benefit?
>
>-- Sean
>
>At 07:22 AM 11/26/2001 -0800, you wrote:
> >At 12:51 AM 11/26/2001, you wrote:
> >>The ability to spoof IP addresses has been there all along as long as
> >>the pirate was willing to include his own library (for the record,
> >
> >    Oh?  My understanding was that until now, "Winblows" did not allow you
> > to construct your own TCP/IP packets, so therefore could not be used to
> > spoof IP addresses.
> >
> >
> >>winpcap is an open source device driver that will allow you both to
> >>sniff all packets reaching the NICs
> >
> >    I see the winpcap homepage, but I had always thought that a key step
> > in sniffing was a hardware issue: having to set the NIC card to
> > "promiscuous mode" (sp?) in order for it to pass to the OS all packets it
> > receives (as opposed to just those addressed to it and dropping
> > everything else).
> >
> >
> >>  In addition, one must add the win2k also had this
> >>ability for quite some time.
> >
> >    One would hope that a corporate machine with win2k would have
> > sufficient protection to keep it from becoming a zombie, and that the
> > high price of W2K would keep it out of the hands of most
> > script-kiddies.  (One would *hope*, anyway.)
> >
> >
> >>No, hackers don't use spoofing, not because it's not available but
> >>because it uses illegal packets and, as such, are easy to detect and
> >>filter at the source with simple router rules, cutting the efficiency
> >>of the attack.
> >
> >    Yes, but how many systems have been discussed on this very list that
> > _don't_ use "simple router rules"?  No internet router should carry
> > 192.168.0.1, but there are plenty that do.  (I like that one guy who
> > added his company's assigned IP range to the list of packets to be
> > dropped if they're discovered coming in from the outside world--now
> > that's thinking!)
> >
> >
> >>1/ Any NAT device will solve the problem. (as long as it's not the
> >>cause of the problem).
> >
> >    See previous comment.
> >
> >
> >>2/ Almost all routers can be easily configured to perform egress
> >>filtering (see http://www.sans.org/infosecFAQ/firewall/egress.htm).
> >
> >    See previous comment.
> >
> >
> >>3/ This is something that should be done on the first hop router. If
> >>you're concerned enough by this problem to look for gateway
> >>protection, you're very unlikely to be affected. Filtering on the
> >>first hop router would allow the ISPs to immediately find dangerous
> >>systems and shut them down.
> >
> >    See previous comment.
> >
> >
> >>As for the consumer, there are a variety of gateway firewalls that will
> >>detect that
> >
> >[snip]
> >
> >>Finally, for the standalone user, a local firewall/IDS can probably
> >>detect outgoing spoofed packets. But again, if you have a local
> >>firewall, you're not likely to have been hacked ;)
> >
> >    You just made my point for me: Windows is hard enough to keep secure
> > when you know what you're doing.  (If it weren't, we wouldn't have a
> > worm-of-the-week that can take over PowerPoint.)  For the average user,
> > who knows nothing, it's just a matter of time before they get trojaned
> > and their machine becomes a zombie.  If my understanding is correct--that
> > under previous Windows versions you couldn't construct your own IP
> > packets--that means that floods could at least be traced back to zombie
> > systems.  With XP, they can't be.
> >
> >
> >-Neil R.
> >--
> >Supreme Lord High Commander and Keeper of the Holy Potato
> >----------
> >Random thought for the day:
> >
> >    Let's do it write, uh, rite, uh, oh heck, just do it!
> >
> >_______________________________________________
> >Dshield mailing list
> >Dshield at dshield.org
> >To change your subscription options (or unsubscribe), see:
> >http://www1.dshield.org/mailman/listinfo/dshield
>
>
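The source-address filtering the quoted posts argue over (egress filtering of non-site sources at the first hop, and dropping private or site-owned sources that arrive from the outside) as an added Python example; it is not code from any list member, and the 203.0.113.0/24 site prefix and the sample records are constructed placeholders.

```python
# Constructed example of the anti-spoofing filter rules the thread describes.
from ipaddress import ip_address, ip_network

# Placeholder site prefix (constructed; 203.0.113.0/24 is documentation space).
SITE_PREFIXES = [ip_network("203.0.113.0/24")]
# Private/bogon source ranges that should never arrive from the Internet.
BOGON_PREFIXES = [ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)

def filter_decision(direction, src):
    """Return (action, reason) for one packet's source address.

    "egress": only site-owned sources may leave, so a zombie forging its
    source is stopped at the first hop and the flow stays traceable.
    "ingress": site-owned and private/bogon sources must not arrive from
    the outside world.
    """
    addr = ip_address(src)
    ours = _in_any(addr, SITE_PREFIXES)
    if direction == "egress":
        if ours:
            return ("permit", "site-owned source leaving the site")
        return ("drop", "spoofed source: not a site address")
    if direction == "ingress":
        if ours:
            return ("drop", "site-owned source arriving from outside")
        if _in_any(addr, BOGON_PREFIXES):
            return ("drop", "private/bogon source arriving from outside")
        return ("permit", "ordinary external source")
    raise ValueError("direction must be 'egress' or 'ingress'")

# Constructed (direction, source) records standing in for a router's flow log.
SAMPLE_RECORDS = [
    ("egress", "203.0.113.7"),     # legitimate host
    ("egress", "198.51.100.200"),  # forged source from an infected host
    ("ingress", "192.168.0.1"),    # private source from the outside
    ("ingress", "203.0.113.9"),    # our own range coming in from outside
    ("ingress", "198.51.100.4"),   # normal external peer
]

def dropped(records=SAMPLE_RECORDS):
    """Return the records the filter drops, with the reason for each."""
    out = []
    for direction, src in records:
        action, reason = filter_decision(direction, src)
        if action == "drop":
            out.append((direction, src, reason))
    return out
```

Because the egress rule admits only site-owned sources, a flood from an infected host inside the site can only carry its real address and so remains traceable, which is the point Neil makes above.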


