Re: keep getting DCOM intrusions
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 11/13/03
Date: Thu, 13 Nov 2003 07:01:59 -0500
Bill:

Of all people -- I hate to disagree w/you but you are NOT correct and here is why....

Let's first look at ICS, to use it we have to install ICS on a PC. That PC will need two
NICs where one is connected to the ISP and the other is connected to a hub (or via a x-over
cable to another PC). Right off the bat, the PC with ICS has one NIC directly exposed to
the Internet and if that PC is a NT PC that has not been patched, it is exposed to RPCDcom
exploitation. The PC has much overhead in that it has to have ICS loaded and has to
provide services for two NICs. If the ISP is like Verizon DSL in former BellAtlantic
territories then the PC with ICS will also need to have a PPPoE encapsulator. This could be
RASPPPoE or WinPOET but that software will consume additional resources on the ICS PC. Plus
that ICS PC will need its NIC connected to the WAN MTU set to 1492.

With a Cable/DSL Router the LAN PCs are not exposed to the Internet as the Router sits
between the WAN and the LAN. The Cable Router does not suffer from RPCDcom exploits. The
LAN PCs are not encumbered in that no additional software is needed (ICS and PPPoE) and only
one NIC is required in all LAN platforms. If the WAN connector is DSL that requires PPPoE
then the Router will perform PPPoE and only the Router WAN port would need the MTU set to
1492. All the LAN platforms can remain at the standard MTU=1500.

So the use of ICS and a Cable/DSL Router do not compare as they are completely different in
that the use of a separate piece of equipment offloads the functionalities to that equipt.
The Win32 platforms are not exposed to the Internet.

As for uPnP, TCP port 5000, it is present on the LAN side of the Router not the WAN side of
the Router. This will protect WinXP and WinME platforms from some form of uPnP attack.

BTW: Is Win2003 Server also uPnP compliant ?

If need be -- I'll pick this up again later in the AM....

Dave

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:%231Xz$KaqDHA.2536@tk2msftngp13.phx.gbl...
| Nah--your description of what a router does is precisely what ICS does--the
| functionality is nearly identical. I don't disagree that a router has
| advantages, but unless it is UPnP compliant, it may also have disadvantages.
|
|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:Ona2HKVqDHA.4004@TK2MSFTNGP11.phx.gbl...
| > First off you have this problem because you are using ICS to share your DSL. This is a
| > mistake. You should get a DSL/Cable Router. It will allow you to share the one ISP IP
| > address amongst up to 253 TCP/IP compliant platforms and/or devices. It will also provide,
| > through DHCP, local addresses to all LAN workstations. Most importantly it acts as a
| > simplistic FireWall that will protect TCP port 135 from the Blaster/Lovesan worm which
| > exploits the RPC/RPCSS Buffer Overflow Vulnerability that WinXP, unpatched, has.
| >
| > You also need to patch your WinXP with all the MS Critical Updates, most importantly
| > KB824146 which is the patch to plug the RPC/RPCSS Buffer Overflow vulnerability.
| >
| > Dave
| >
| >
| >
| >
| > "Tomer" <tomerfink@hotmail.com> wrote in message
| > news:026901c3a94d$310b35a0$a301280a@phx.gbl...
| > | Hey all,
| > | This is really strange.
| > | 1) I have a svchost service that fills up my virtual memory
| > | (it gets up to 120MB!) once I kill it I can't go on the
| > | internet!
| > | 2) I use Norton Internet Security and I keep getting every
| > | 5 minutes a DCOM_Bufferoverflow security alert, which
| > | is very annoying and keeps me from using my internet
| > | connection properly.
| > | 3) I have a small home network and the computers can see
| > | each other and even download files, but for some reason
| > | suddenly my internet connection is not shared anymore
| > | (even though every station can see the shared connection).
| > | I didn't touch anything in the firewall configuration.
| > |
| > | I have two XP pro. stations, and one 98SE, an ADSL
| > | connection with ICS turned on.
| > |
| > |
| > | What the hell is going on?
| > | Thanks,
| > | Tomer Fink,
| >
| >
|
|
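
The point argued in this thread, as an added example that is not part of any poster's message: a toy Python model in which a stand-alone NAT router and an ICS PC translate LAN traffic identically, but only the ICS PC has its own TCP 135 listener reachable on the WAN side. The class names, the addresses, and the assumption that no host firewall covers the ICS PC's WAN NIC are illustrative.

```python
# Added illustration: toy model of NAT inbound filtering, not a real packet filter.
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"  # constructed public address (documentation range)


@dataclass
class NatRouter:
    """Stand-alone Cable/DSL router: only translated flows cross WAN -> LAN."""
    wan_ip: str
    table: dict = field(default_factory=dict)  # (proto, wan_port) -> flow
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port, proto="tcp"):
        """A LAN host opens a connection; remember the flow under a WAN port."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(proto, wan_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port, proto="tcp"):
        """A packet arrives on the WAN port; forward it only for a known flow."""
        flow = self.table.get((proto, wan_port))
        if flow is None:
            return ("drop", "no mapping")
        lan_ip, lan_port, exp_ip, exp_port = flow
        if (remote_ip, remote_port) != (exp_ip, exp_port):
            return ("drop", "unexpected remote")
        return ("forward", f"{lan_ip}:{lan_port}")


@dataclass
class IcsHost(NatRouter):
    """ICS PC: same NAT for the LAN, plus its own services on the WAN NIC.

    Assumption: no host firewall filters the WAN NIC, so the gateway PC's
    RPC endpoint mapper (TCP 135) answers there.
    """
    local_listeners: frozenset = frozenset({135})

    def inbound(self, remote_ip, remote_port, wan_port, proto="tcp"):
        if proto == "tcp" and wan_port in self.local_listeners:
            return ("deliver-local", f"{self.wan_ip}:{wan_port}")
        return super().inbound(remote_ip, remote_port, wan_port, proto)


def probe_135(gateway):
    """Outcome of an unsolicited WAN-side packet to TCP 135 (constructed source)."""
    return gateway.inbound("198.51.100.7", 4444, 135)
```

In this model the NAT table behaves the same in both classes; the difference is only whether the gateway itself runs a listener on the Internet-facing interface.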