
Re: [Full-Disclosure] SP2 and NMAP



> If you read the above Microsoft doc you will see that they have not
> "disabled raw packets" but disabled commonly abused types of raw
> packet.

   While most of XP SP2 properly addresses the real issues - how to keep the
bad guys out - part of SP2 is a feeble attempt to mitigate the effects of
malware after it has arrived.  Re: outbound connection rate queue
limiting - even without raw sockets, it is trivial to fill the pipe with TCP
SYNs to one or more addresses, albeit with a real source IP.  (Note to MS:
by the time malware has been installed, it's too late; the horse is already
out of the barn!)

  Since the GRC.com attack 2 years ago, even average ISPs put filters in
place to prevent IP address spoofing.  I saw one piece of Windows malware
about 2 years ago that used spoofed source IPs, but none recently.

Re: no TCP outbound raw sockets; this disables functionality like Win32
TCPtraceroute.  Sometimes that is the only way to track network connectivity
issues.   As you note, the only solution is to run a system other than XP
SP2.
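The post above argues that a cap on outbound half-open connections arrives too late to stop malware, but the same signal is useful on the monitoring side: a host holding an unusual number of TCP connections in SYN_SENT, fanned out to many distinct destinations on one port, is exactly what a scanning worm looks like in a connection table. The following is an added example, not code from the post or from Microsoft: it parses constructed netstat-style lines and flags hosts over a half-open limit. The threshold HALF_OPEN_LIMIT (10) and the sample addresses are assumptions chosen for illustration, not values from the page.

```python
"""Flag hosts with an anomalous number of half-open (SYN_SENT) outbound TCP
connections, a detection-side view of the outbound connection limiting that
the post above discusses."""
from collections import defaultdict

# Constructed sample connection table (netstat-style: proto local remote state).
# These lines are made up for the example; they are not a real capture.
SAMPLE_CONNECTIONS = """\
TCP 192.168.1.5:1034 10.0.0.7:445 SYN_SENT
TCP 192.168.1.5:1035 10.0.0.8:445 SYN_SENT
TCP 192.168.1.5:1036 10.0.0.9:445 SYN_SENT
TCP 192.168.1.5:1037 10.0.0.10:445 SYN_SENT
TCP 192.168.1.5:1038 10.0.0.11:445 SYN_SENT
TCP 192.168.1.5:1039 10.0.0.12:445 SYN_SENT
TCP 192.168.1.5:1040 10.0.0.13:445 SYN_SENT
TCP 192.168.1.5:1041 10.0.0.14:445 SYN_SENT
TCP 192.168.1.5:1042 10.0.0.15:445 SYN_SENT
TCP 192.168.1.5:1043 10.0.0.16:445 SYN_SENT
TCP 192.168.1.5:1044 10.0.0.17:445 SYN_SENT
TCP 192.168.1.5:1045 10.0.0.18:445 SYN_SENT
TCP 192.168.1.5:1020 10.0.0.2:80 ESTABLISHED
TCP 192.168.1.9:2001 10.0.0.2:80 ESTABLISHED
TCP 192.168.1.9:2002 10.0.0.3:443 SYN_SENT
TCP 192.168.1.9:2003 10.0.0.4:443 SYN_SENT
UDP 192.168.1.9:5000 10.0.0.5:53 -
"""

# Assumed threshold for this example: more than this many concurrent
# outbound half-open connections from one host is treated as anomalous.
HALF_OPEN_LIMIT = 10


def parse_connections(text):
    """Parse netstat-style lines into dicts; headers and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        proto, local, remote, state = parts
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({
            "proto": proto,
            "local_host": lhost,
            "local_port": int(lport),
            "remote_host": rhost,
            "remote_port": int(rport),
            "state": state,
        })
    return rows


def half_open_summary(rows):
    """Per local host: number of SYN_SENT sockets and the remote hosts/ports they target."""
    summary = defaultdict(lambda: {"half_open": 0, "remote_hosts": set(), "remote_ports": set()})
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "SYN_SENT":
            continue
        entry = summary[r["local_host"]]
        entry["half_open"] += 1
        entry["remote_hosts"].add(r["remote_host"])
        entry["remote_ports"].add(r["remote_port"])
    return dict(summary)


def flag_hosts(rows, limit=HALF_OPEN_LIMIT):
    """Return {host: reason} for hosts whose half-open count exceeds the limit.

    The reason distinguishes a scan-like pattern (many distinct destinations on a
    single port) from a plain burst of half-open connections."""
    flagged = {}
    for host, entry in half_open_summary(rows).items():
        if entry["half_open"] <= limit:
            continue
        fanout = len(entry["remote_hosts"])
        single_port = len(entry["remote_ports"]) == 1
        kind = "scan-like" if fanout >= limit and single_port else "burst"
        flagged[host] = f"{entry['half_open']} half-open to {fanout} hosts ({kind})"
    return flagged


if __name__ == "__main__":
    for host, reason in flag_hosts(parse_connections(SAMPLE_CONNECTIONS)).items():
        print(f"{host}: {reason}")
```

Run against a real `netstat -an` snapshot the parser needs no change; what matters is sampling repeatedly, since SYN_SENT entries are short-lived, and tuning the limit to the host's normal fan-out (a mail relay or proxy legitimately holds far more half-open connections than a workstation).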


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html