RE: [Full-Disclosure] SP2 and NMAP

From: Justin Azoff (JAzoff_at_uamail.albany.edu)
Date: 08/13/04

  • Next message: Matthew Simmiss: "Re: [Full-Disclosure] lame bitching about xpsp2"
    To: "'Mike Nice'" <niceman@att.net>, full-disclosure@lists.netsys.com
    Date: Fri, 13 Aug 2004 13:29:37 -0400
    
    

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Mike Nice
    > Sent: Friday, August 13, 2004 10:17 AM
    > To: full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] SP2 and NMAP
    >
    >
    > > If you read the above Microsoft doc you will see that they have not
    > > "disabled raw packets" but disabled commonly abused types of raw
    > > packet.
    >
    > While most of XP SP2 properly addresses the real issues -
    > how to keep the bad guys out, part of SP2 is a feeble attempt
    > to mitigate the effects of
    > malware after it has arrived. Re: outbound rate connection queue
    > limiting - Even without raw sockets, it is trivial to fill
    > the pipe with TCP Syn's to one or more addresses, albeit with
    > a real source IP. (Note to MS: by the time malware has been
    > installed, it's too late; the horse is already out of the barn!)
    >
    > Since the GRC.com attack 2 years ago, even average ISPs put
    > filters in place to prevent IP address spoofing. I saw one
    > piece of windows malware about 2 years ago that used spoofed
    > source IPs, but none recently.

    Agobot/phatbot does; have a look at this packet capture:

    :hotwheels!booger@leet.admins.net PRIVMSG #agbot :.tcpflood syn
    xxx.xxx.xxx.xxx 80 120 -r

    PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (xxx.xxx.xxx.xxx:80) for 120
    seconds.
    PRIVMSG #agbot :[TCP]: Done with syn flood to IP: xxx.xxx.xxx.xxx. Sent:
    1415523 packet(s) @ 691KB/sec (80MB).

    -- 
    - Justin 
    - Network Performance Analyst
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
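The capture above shows the controller's ".tcpflood" command grammar and the bot's "[TCP]:" status reports. As an added example (not from the original post or from any bot source), here is a small Python parser a defender could run over IRC C&C logs or IDS-captured chat lines to pull out the target, port, duration, spoofing flag and packet counts from such traffic. The bot nick, hostnames and the 192.0.2.10 target in the sample are constructed stand-ins for the masked values in the post.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Command from the controller, as seen above: ".tcpflood syn <target> <port> <seconds> [flags]"
CMD_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<chan>\S+)\s+:\.tcpflood\s+"
    r"(?P<mode>\w+)\s+(?P<target>\S+)\s+(?P<port>\d+)\s+(?P<secs>\d+)(?P<flags>(?:\s+-\w+)*)\s*$"
)
# Status lines the bot posts back to the channel when a flood starts and ends
START_RE = re.compile(
    r"PRIVMSG\s+(?P<chan>\S+)\s+:\[TCP\]:\s+(?P<spoof>Spoofed\s+)?syn flooding:\s+"
    r"\((?P<target>[^:)]+):(?P<port>\d+)\)\s+for\s+(?P<secs>\d+)\s+seconds"
)
DONE_RE = re.compile(
    r"PRIVMSG\s+(?P<chan>\S+)\s+:\[TCP\]:\s+Done with syn flood to IP:\s+(?P<target>\S+?)\.\s+"
    r"Sent:\s+(?P<pkts>\d+)\s+packet\(s\)"
)

@dataclass
class FloodEvent:
    kind: str                      # "command", "start" or "done"
    channel: str
    target: str
    port: Optional[int] = None
    seconds: Optional[int] = None
    spoofed: bool = False          # only known from the bot's own "Spoofed" report
    flags: str = ""                # raw flags from the command, e.g. "-r"
    packets: Optional[int] = None  # from the "Done" report

def parse_line(line: str) -> Optional[FloodEvent]:
    # Classify one IRC line; None for anything that is not flood-related traffic
    if m := CMD_RE.match(line):
        return FloodEvent("command", m["chan"], m["target"], int(m["port"]), int(m["secs"]), flags=m["flags"].strip())
    if m := START_RE.search(line):
        return FloodEvent("start", m["chan"], m["target"], int(m["port"]), int(m["secs"]), spoofed=bool(m["spoof"]))
    if m := DONE_RE.search(line):
        return FloodEvent("done", m["chan"], m["target"], packets=int(m["pkts"]))
    return None

def scan(lines: Iterable[str]) -> List[FloodEvent]:
    return [e for e in map(parse_line, lines) if e is not None]

# Constructed sample: the capture lines above rejoined onto single lines (the
# mail client wrapped them), with placeholder hosts, plus one unrelated line.
SAMPLE = [
    ":hotwheels!booger@leet.admins.net PRIVMSG #agbot :.tcpflood syn 192.0.2.10 80 120 -r",
    ":bot123!x@10.0.0.5 PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (192.0.2.10:80) for 120 seconds.",
    ":bot123!x@10.0.0.5 PRIVMSG #agbot :[TCP]: Done with syn flood to IP: 192.0.2.10. Sent: 1415523 packet(s) @ 691KB/sec (80MB).",
    ":alice!a@example.org PRIVMSG #chat :anyone seen the new nmap release?",
]
```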
    
