At 02:37 PM 6/23/01, Tim Wilde wrote:
This is a real problem. It's not FUD. Microsoft's choice to include full IP stack capabilities will make the problem worse, but I do not blame their IP stack for this like Mr Gibson does.
Oh, it's most certainly a real problem, but I don't agree that the changes in Win XP will really make any difference whatsoever. With some very trivial driver additions, raw sockets can be accessed under any previous version of Windows, just like in XP.
Indeed, there have been LAN analyzers which run on all variants of Windows for a very long time. These can generate / play back traffic, using whatever source IP addresses and MAC addresses were on the original packets. Obviously, a general spoofing tool for Win95 could be written. After reading that part of the tirade, I came to the same conclusion as a previous poster... lots of FUD, and not much more.
It's been 5 years since the document now published as RFC 2827 was first a draft. Many sites do ingress or egress filtering. Many don't. Most router equipment can now handle it, according to the manufacturers. Yes, there are issues dealing with multi-homing. However, it appears many attacks still originate from single-homed sites, dialup sites, cable modem attached systems, and the like. In most cases, these could be filtered. Has anyone at any of the cable modem vendors made any attempts to try ingress filtering in the cable system head-end routers? Did it work? Need help trying it out? While ingress filtering will not cure the world, it can help de-fang many attacks. Unfortunately, it requires cooperation to be effective.
-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranth.com
[ On Saturday, June 23, 2001 at 15:13:34 (-0400), Daniel Senie wrote: ]
Subject: RE: DDOS anecdotes
.... Has anyone at any of the cable modem vendors made any attempts to try ingress filtering in the cable system head-end routers?
If I'm not mistaken Rogers@Home is blocking spoofed source addresses on at least part of their network here in Toronto. At least the last time my home network's routing and NAT configuration broke down I noted that asymmetrical routing over my cable modem didn't work any more (where it used to work in the past). My particular cable modem is a Terayon TeraJet. I believe Rogers have implemented their filtering in the head-end gear, but maybe not directly in the Terayon gateway box (and definitely not in the Teralinks). The gateway box can do some filtering IIRC, but it's not really much of a powerhouse for such "add-on" functionality. I'd guess that they've actually implemented the filters in whatever routers they use to join their network segments.
One of the smaller cable ISPs I work with hasn't yet implemented anti-spoof filtering, though it's definitely on the todo list. They've not had any known problem with DDoS that I know of though (just "owned" boxes initiating the odd scan). Of course they've still got a very small (but growing) customer base.
Did it work?
I don't know if it's helped Rogers@Home prevent/reduce DDoS from their network or not, but it certainly pointed out my configuration problem quickly! ;-)
--
Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
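Daniel's message above describes RFC 2827 ingress filtering at the access edge, and Greg's describes the side effect he saw on Rogers@Home: a legitimately sourced but asymmetrically routed packet is dropped exactly like a spoofed one. The following is an added example, not code from this thread or from any of the vendors mentioned, that models a head-end router applying three common forms of the check to constructed traffic: a static per-interface source ACL (the RFC 2827 style), strict unicast RPF (the source must be routed back out the ingress interface), and loose unicast RPF (any non-default route to the source suffices). The FIB, prefixes (RFC 5737 documentation space), interface names and sample packets are all invented for the model.

```python
"""Model of RFC 2827 ingress filtering plus strict/loose uRPF at an access
router.  Added example; FIB, interface names and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str


# Constructed FIB for the model router: prefix -> outgoing interface.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "uplink0",       # default to transit
    ipaddress.ip_network("192.0.2.0/24"): "cmts0",      # customer pool behind head-end 0
    ipaddress.ip_network("198.51.100.0/24"): "cmts1",   # customer pool behind head-end 1
    ipaddress.ip_network("203.0.113.0/24"): "peer0",    # prefix learned from a peer
}

# Static per-interface source prefixes, the RFC 2827 style of ingress ACL.
INGRESS_ALLOW = {
    "cmts0": [ipaddress.ip_network("192.0.2.0/24")],
    "cmts1": [ipaddress.ip_network("198.51.100.0/24")],
}


def fib_lookup(ip):
    """Longest-prefix match; returns (prefix, interface).  The default
    route guarantees at least one match."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, iface) for net, iface in FIB.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)


def ingress_acl(pkt):
    """Permit only sources inside the prefixes assigned to the ingress
    interface.  Interfaces with no ACL configured permit everything."""
    allowed = INGRESS_ALLOW.get(pkt.in_iface)
    if allowed is None:
        return True
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed)


def urpf_strict(pkt):
    """Strict uRPF: the best route back to the source must point at the
    ingress interface.  Drops asymmetrically routed traffic, as Greg saw."""
    return fib_lookup(pkt.src)[1] == pkt.in_iface


def urpf_loose(pkt):
    """Loose uRPF: any non-default route to the source is enough.  Stops
    unrouted/bogon sources only, not spoofing of routable address space."""
    prefix, _ = fib_lookup(pkt.src)
    return prefix.prefixlen > 0


def evaluate(pkt):
    """Verdict of each check: True means the packet is forwarded."""
    return {"acl": ingress_acl(pkt),
            "strict": urpf_strict(pkt),
            "loose": urpf_loose(pkt)}


# Constructed traffic arriving on head-end 0 (cmts0).
SAMPLES = {
    "legit":   Packet("192.0.2.10",   "203.0.113.80", "cmts0"),
    "spoofed": Packet("203.0.113.5",  "192.0.2.10",   "cmts0"),  # bot forging a peer's address
    "bogon":   Packet("10.0.0.1",     "203.0.113.80", "cmts0"),  # RFC 1918 source
    # A pool-B host whose outbound path goes through head-end 0: legitimate,
    # but indistinguishable from "spoofed" to the ACL and to strict uRPF.
    "asym":    Packet("198.51.100.7", "203.0.113.80", "cmts0"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8s} {evaluate(pkt)}")
```

The "asym" sample is the case from Greg's message: it fails the static ACL and strict uRPF for the same reason the spoofed packet does, so a customer with an asymmetric or misconfigured NAT path finds out immediately. Loose uRPF lets both through, which is why it is only useful against unrouted source addresses and does not replace the per-interface filter at a single-homed access edge.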
Daniel Senie wrote:
Obviously, a general spoofing tool for Win95 could be written. After reading that part of the tirade, I came to the same conclusion as a previous poster... lots of FUD, and not much more.
I'm having a hard time understanding this. Wouldn't it be easier/simpler for these crackers to just install their bots on, oh say, 20 million machines running XP than the crackers having to deal with installing the bot -and- the code to do the spoofing on Win95/98/98SE/98ME?
Michael Painter
----- Original Message -----
From: "Daniel Senie" <dts@senie.com>
To: "Tim Wilde" <twilde@dyndns.org>
Cc: <nanog@merit.edu>
Sent: Saturday, June 23, 2001 9:13 AM
Subject: RE: DDOS anecdotes
"Michael Painter" <tvhawaii@shaka.com> wrote:
I'm having a hard time understanding this. Wouldn't it be easier/simpler for these crackers to just install their bots on, oh say, 20 million machines running XP than the crackers having to deal with installing the bot -and- the code to do the spoofing on Win95/98/98SE/98ME?
As I understand it, the spoofing code is already available as a drop-in DLL - ZPacket. For an example of a low-level packet sniffer written in Delphi (using that library) and a link to the source of the library itself, see: http://users.swing.be/francois.piette/ingussniffer.htm
* David Howe sez:
As I understand it, the spoofing code is already available as a drop-in DLL - ZPacket.
winpcap has no problems installing itself, hiding itself and functioning properly without needing a reboot or keystrokes. Whoever is clueful enough to write a small trojan (and you don't need much clue for that) will know how to have that trojan fetch winpcap from the 'net and how to install it. If the drop-in refuses to work without a reboot, the trojan could simulate a crash and force the luser to reboot - Windozies don't get suspicious if their machine hangs every once in a while.
Gibson knows that - a lot of people told him. He just refuses to understand. He's simply a case of dangerously inflated ego combined with lack of basic clue and way too good at bullshitting his way around.
participants (5): Daniel Senie, David Howe, Jonas Luster, Michael Painter, woods@weird.com