RE: [Full-Disclosure] SP2 and NMAP

From: Justin Azoff
Date: 08/13/04

  • Next message: Matthew Simmiss: "Re: [Full-Disclosure] lame bitching about xpsp2"
    To: "'Mike Nice'" <>,
    Date: Fri, 13 Aug 2004 13:29:37 -0400

    > -----Original Message-----
    > From:
    > [] On Behalf Of Mike Nice
    > Sent: Friday, August 13, 2004 10:17 AM
    > To:
    > Subject: Re: [Full-Disclosure] SP2 and NMAP
    > > If you read the above Microsoft doc you will see that they have not
    > > "disabled raw packets" but disabled commonly abused types of raw
    > > packet.
    > While most of XP SP2 properly addresses the real issues -
    > how to keep the bad guys out, part of SP2 is a feeble attempt
    > to mitigate the effects of malware after it has arrived.
    > Re: outbound rate connection queue limiting - even without raw
    > sockets, it is trivial to fill the pipe with TCP SYNs to one or
    > more addresses, albeit with a real source IP. (Note to MS: by the
    > time malware has been installed, it's too late; the horse is
    > already out of the barn!)
    > Since the attack 2 years ago, even average ISPs put
    > filters in place to prevent IP address spoofing. I saw one
    > piece of Windows malware about 2 years ago that used spoofed
    > source IPs, but none recently.

    Agobot/Phatbot does; have a look at this packet capture:

    :hotwheels! PRIVMSG #agbot :.tcpflood syn 80 120 -r

    PRIVMSG #agbot :[TCP]: Spoofed syn flooding: ( for 120
    PRIVMSG #agbot :[TCP]: Done with syn flood to IP: Sent: 1415523 packet(s) @ 691KB/sec (80MB).

    - Justin
    - Network Performance Analyst
    Full-Disclosure - We believe in it.
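As an added defender-side example (not code from this thread or from the bot itself), here is a small Python detector that recognises the Agobot-style `.tcpflood` order and the drone's completion report in captured IRC traffic, flags the `-r` option that in the capture above produced the "Spoofed syn flooding" reply, and derives the average packet size from the reported totals. The IRC sample is constructed to resemble that capture; the nicks, hostmasks and `TARGET_IP` are placeholders.

```python
import re
from typing import Optional
# Constructed sample IRC traffic, modelled on the capture quoted in the message
# above; nicks, hostmasks and TARGET_IP are placeholders, not real values.
SAMPLE_IRC = """\
:hotwheels!op@example.invalid PRIVMSG #agbot :.tcpflood syn 80 120 -r
:drone1!bot@example.invalid PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (TARGET_IP) for 120
:drone1!bot@example.invalid PRIVMSG #agbot :[TCP]: Done with syn flood to IP: TARGET_IP Sent: 1415523 packet(s) @ 691KB/sec (80MB).
:alice!user@example.invalid PRIVMSG #chat :anyone read the SP2 release notes?
"""
# Herder order ".tcpflood <kind> <port> <seconds> [flags]"; in the capture the
# "-r" flag is what produced the drone's "Spoofed syn flooding" reply.
CMD_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<chan>\S+)\s+:\.tcpflood\s+"
    r"(?P<kind>\w+)\s+(?P<port>\d+)\s+(?P<secs>\d+)(?P<flags>(?:\s+-\w+)*)")
# Drone completion report "... Sent: <n> packet(s) @ <kb>KB/sec (<mb>MB)."
DONE_RE = re.compile(
    r"Sent:\s+(?P<pkts>\d+)\s+packet\(s\)\s+@\s+(?P<kbps>\d+)KB/sec\s+\((?P<mb>\d+)MB\)")

def parse_flood_command(line: str) -> Optional[dict]:
    """Parse a herder's flood order; None if the line is not one."""
    m = CMD_RE.match(line)
    if not m:
        return None
    return {"nick": m.group("nick"), "channel": m.group("chan"),
            "kind": m.group("kind"), "port": int(m.group("port")),
            "seconds": int(m.group("secs")),
            "spoofed": "-r" in m.group("flags").split()}

def parse_flood_report(line: str) -> Optional[dict]:
    """Parse a drone's completion report; derives the average packet size."""
    m = DONE_RE.search(line)
    if not m:
        return None
    pkts, kbps, mb = (int(m.group(k)) for k in ("pkts", "kbps", "mb"))
    return {"packets": pkts, "kb_per_sec": kbps, "total_mb": mb,
            "avg_packet_bytes": mb * 1024 * 1024 / pkts}

def scan(irc_text: str) -> list:
    """Run both detectors over captured IRC lines; one alert tuple per hit."""
    alerts = []
    for line in irc_text.splitlines():
        cmd = parse_flood_command(line)
        if cmd:
            alerts.append(("FLOOD_COMMAND", cmd))
        rep = parse_flood_report(line)
        if rep:
            alerts.append(("FLOOD_REPORT", rep))
    return alerts
```

The derived size of roughly 59 bytes per packet (80 MB over 1.4 million packets) is consistent with minimal TCP SYN segments, which is the signature a SYN-flood detector on the network side would key on.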
