RE: DDoS to microsoft sites (? avenues of attack!)

From: Eaton, Arthur (AEaton@FDIC.gov)
Date: 01/31/02


From: "Eaton, Arthur" <AEaton@FDIC.gov>
To: "Adcock, Matt" <Matt.Adcock@gsccca.org>
Date: Thu, 31 Jan 2002 16:08:56 -0500

See bottom for response to Matt Adcock...
>
> On 30 Jan 2002 at 12:47, Adcock, Matt <Matt.Adcock@gsccca.org> wrote
> (in response to 'Bronek Kozicki' <brok@rubikon.pl>):
>
  [Snipped quotes]
>
> [1] According to your logic, the only way to make a secure machine is to
> shut everything off. That's absolutely ridiculous.
>
> [2] I'd really like for you to explain to me how a Windows network will
> run without NetBIOS. Try shutting it down sometime - you'll break your
> Windows network, even 2000.
>
> [3] I'd also like for you to explain to me how you can brute force attack
> admin accounts just because NetBIOS is open.
>
> Matt
>

[1] Matt, there is one other way to make a machine *totally* secure:
   (a) Disconnect it from all networks,
   (b) Remove any & all wireless components,
   (c) Wrap it in 3 layers of aluminum foil (cheap Tempest), and
   (d) Either lock yourself in the computer room for life, or seal
       the computer in concrete or thermoplastic (your choice).

    Seriously, we cannot eliminate risk and continue to communicate.
    The best we can do with risk is to manage it.

[2] DHCP and D(ynamic)DNS (Cisco or other). It's been done for years.
    TCP/IP works fine in a LAN and you can remove all other protocols.
    It also limits sniffing with a single sniffer to a single segment.
    (Well, OK, so it gives fits to network-type IDS software vendors.)

[3] For one thing, Matt, you can't set up a firewall to block unknown
    NetBIOS (MAC) names, but you can set a firewall or router to block
    unknown or known IP address ranges and known domain names. Also,
    check out Hacking Exposed, Secrets & Lies, etc.

Jason Robertson, in his earlier message to you, is absolutely right --
firewalls are not the be-all and end-all of security, for the primary
reason that this business is the most rapidly changing of any human
endeavor in the world: What was true yesterday may be false tomorrow.

The more defenses we have at our disposal, the more likely we will be
able to adapt one quickly to a new kind of threat. This was once more
demonstrated just recently at FDIC, when we were able to quickly block
the MyParty virus/worm at our domain gateway long before the new virus
definitions were available from our vendor.

James Butler Hickok used only one pistol at a time, but he wore two -
just in case - and had a shotgun available when things got shaky. So
arm yourself and your LANs, Matt!

Arthur Eaton
FDIC-CSIRT
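As an added illustration of point [3] above (example code, not part of the original thread and not FDIC's or anyone's production rule set): a packet filter sees a source address, a protocol and a destination port, but never the NetBIOS name carried inside the session, so the only workable key for blocking NetBIOS/SMB traffic is the source IP range. The address ranges, the port list and the connection attempts below are constructed for the example.

```python
"""Model of a source-range policy for NetBIOS/SMB ports (added example).

A stateless packet filter keys on (source IP, protocol, destination port).
The NetBIOS name is application-layer data, so the policy below deliberately
ignores it: two attempts that differ only in the name get the same decision.
All ranges and attempts are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports used by NetBIOS over TCP/IP (137-139) and direct-hosted SMB (445).
NETBIOS_SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Hypothetical internal ranges allowed to reach file/print services.
ALLOWED_SOURCES = [ip_network("10.1.0.0/16"), ip_network("192.168.50.0/24")]

# Hypothetical range known to be hostile; blocked for every port.
BLOCKED_SOURCES = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Attempt:
    src: str          # source IP address as seen by the filter
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    netbios_name: str = ""   # visible only to the application layer


def evaluate(attempt: Attempt) -> str:
    """Return "allow" or "deny" for one connection attempt."""
    src = ip_address(attempt.src)
    if any(src in net for net in BLOCKED_SOURCES):
        return "deny"
    if (attempt.proto, attempt.dport) in NETBIOS_SMB_PORTS:
        # NetBIOS/SMB only from known ranges; default deny for everyone else.
        return "allow" if any(src in net for net in ALLOWED_SOURCES) else "deny"
    # Everything else falls through to the rest of the rule set (allowed here).
    return "allow"


def apply_policy(attempts):
    """Group attempts by decision so the result can be inspected or logged."""
    decisions = {"allow": [], "deny": []}
    for attempt in attempts:
        decisions[evaluate(attempt)].append(attempt)
    return decisions


# Constructed sample traffic: a LAN client, an Internet host that spoofs a
# friendly NetBIOS name, a blocked range, and ordinary web traffic.
SAMPLE_ATTEMPTS = [
    Attempt("10.1.2.3", "tcp", 445, netbios_name="WKSTN01"),
    Attempt("198.51.100.7", "tcp", 445, netbios_name="WKSTN01"),
    Attempt("198.51.100.7", "udp", 137, netbios_name="FILESRV"),
    Attempt("203.0.113.5", "tcp", 80),
    Attempt("198.51.100.7", "tcp", 80),
]

if __name__ == "__main__":
    for decision, items in apply_policy(SAMPLE_ATTEMPTS).items():
        for a in items:
            print(f"{decision:5} {a.proto}/{a.dport} from {a.src}")
```

The second and third attempts show the point: the Internet host presents the same NetBIOS name as the LAN client, and the filter never looks at it; the source range alone decides.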

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
