
RE: [Full-Disclosure] SP2 and NMAP



> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Mike Nice
> Sent: Friday, August 13, 2004 10:17 AM
> To: full-disclosure@xxxxxxxxxxxxxxxx
> Subject: Re: [Full-Disclosure] SP2 and NMAP
> 
> 
> > If you read the above Microsoft doc you will see that they have not 
> > "disabled raw packets" but disabled commonly abused types of raw 
> > packet.
> 
>    While most of XP SP2 properly addresses the real issues - 
> how to keep the bad guys out, part of SP2 is a feeble attempt 
> to mitigate the effects of malware after it has arrived.  Re: outbound 
> rate connection queue limiting - Even without raw sockets, it is trivial 
> to fill the pipe with TCP SYNs to one or more addresses, albeit with 
> a real source IP.  (Note to MS: by the time malware has been 
> installed, it's too late; the horse is already out of the barn!)
> 
>   Since the GRC.com attack 2 years ago, even average ISPs put 
> filters in place to prevent IP address spoofing.  I saw one 
> piece of windows malware about 2 years ago that used spoofed 
> source IPs, but none recently.

Agobot/Phatbot does; have a look at this packet capture:

:hotwheels!booger@xxxxxxxxxxxxxxx PRIVMSG #agbot :.tcpflood syn xxx.xxx.xxx.xxx 80 120 -r

PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (xxx.xxx.xxx.xxx:80) for 120 seconds.
PRIVMSG #agbot :[TCP]: Done with syn flood to IP: xxx.xxx.xxx.xxx. Sent: 1415523 packet(s) @ 691KB/sec (80MB).


-- 
- Justin 
- Network Performance Analyst
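As an added example (not part of Justin's post or of any bot source), the snippet below is a small Python parser for IRC C&C chatter of the shape quoted above: it pulls the target, port, duration and spoof flag out of the controller's .tcpflood command, reads the bot's completion report, and cross-checks the reported rate, duration and packet count to get the average wire size per packet. The sample log is constructed to mirror the capture in the post, with the target masked as xxx.xxx.xxx.xxx exactly as there; the meaning of the -r flag is an assumption inferred from the bot answering "Spoofed syn flooding" to it, and the regexes are written for this capture's wording, not for every Agobot/Phatbot variant.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log, mirroring the IRC C&C exchange quoted in the post.
# The target address is masked as xxx.xxx.xxx.xxx as in the post; no real
# address is assumed.
SAMPLE_LOG = """\
:hotwheels!booger@xxxxxxxxxxxxxxx PRIVMSG #agbot :.tcpflood syn xxx.xxx.xxx.xxx 80 120 -r
PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (xxx.xxx.xxx.xxx:80) for 120 seconds.
PRIVMSG #agbot :[TCP]: Done with syn flood to IP: xxx.xxx.xxx.xxx. Sent: 1415523 packet(s) @ 691KB/sec (80MB).
"""

# A dotted quad, or the redacted xxx.xxx.xxx.xxx form used in the post.
HOST = r"(?:\d{1,3}(?:\.\d{1,3}){3}|x{3}(?:\.x{3}){3})"

# ".tcpflood <kind> <host> <port> <seconds> [flags]" as typed by the controller.
# Assumption: -r is the spoofed-source flag, inferred from the bot's reply.
CMD_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<chan>#\S+) :\.tcpflood\s+(?P<kind>\w+)\s+"
    r"(?P<target>" + HOST + r")\s+(?P<port>\d+)\s+(?P<secs>\d+)(?P<flags>(?:\s+-\w+)*)\s*$"
)
# Completion report emitted by the bot when the flood ends.
DONE_RE = re.compile(
    r"Done with \w+ flood to IP: (?P<target>" + HOST + r")\. Sent: (?P<pkts>\d+) packet\(s\) "
    r"@ (?P<rate>\d+)KB/sec \((?P<total>\d+)MB\)"
)


@dataclass
class FloodCommand:
    nick: str
    channel: str
    kind: str
    target: str
    port: int
    seconds: int
    spoofed: bool


@dataclass
class FloodReport:
    target: str
    packets: int
    rate_kbps: int   # KB/sec as reported by the bot
    total_mb: int


def parse_commands(log: str) -> List[FloodCommand]:
    """Extract every .tcpflood command a controller issued on the channel."""
    found = []
    for line in log.splitlines():
        m = CMD_RE.match(line.strip())
        if m:
            found.append(FloodCommand(
                nick=m.group("nick"), channel=m.group("chan"), kind=m.group("kind"),
                target=m.group("target"), port=int(m.group("port")),
                seconds=int(m.group("secs")), spoofed="-r" in m.group("flags").split(),
            ))
    return found


def parse_reports(log: str) -> List[FloodReport]:
    """Extract the bot's 'Done with ... flood' completion reports."""
    found = []
    for line in log.splitlines():
        m = DONE_RE.search(line)
        if m:
            found.append(FloodReport(
                target=m.group("target"), packets=int(m.group("pkts")),
                rate_kbps=int(m.group("rate")), total_mb=int(m.group("total")),
            ))
    return found


def bytes_per_packet(report: FloodReport, seconds: int) -> float:
    """Average wire size implied by the bot's own numbers (rate * duration / packets).
    Bare SYNs land near the 60-byte Ethernet minimum; a much larger value means the
    'syn' flood carries payload or the report is internally inconsistent."""
    return report.rate_kbps * 1024 * seconds / report.packets


def summarize(log: str) -> List[dict]:
    """Pair each command with its completion report by target."""
    reports = {r.target: r for r in parse_reports(log)}
    rows = []
    for cmd in parse_commands(log):
        rep = reports.get(cmd.target)
        rows.append({
            "controller": cmd.nick, "target": f"{cmd.target}:{cmd.port}",
            "seconds": cmd.seconds, "spoofed_source": cmd.spoofed,
            "packets": rep.packets if rep else None,
            "bytes_per_packet": round(bytes_per_packet(rep, cmd.seconds)) if rep else None,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run against the sample, the report's 691 KB/sec over 120 seconds divided by 1,415,523 packets gives about 60 bytes per packet, which is exactly what a stream of bare spoofed SYNs in minimum-size Ethernet frames looks like, so the bot's numbers hang together. On a real IRC sniff you would feed the script the raw PRIVMSG lines and alert on any .tcpflood command, spoofed or not.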

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html