From: JAzoff at uamail.albany.edu (Justin Azoff)
Subject: SP2 and NMAP

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Mike Nice
> Sent: Friday, August 13, 2004 10:17 AM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] SP2 and NMAP
> 
> 
> > If you read the above Microsoft doc you will see that they have not 
> > "disabled raw packets" but disabled commonly abused types of raw 
> > packet.
> 
>    While most of XP SP2 properly addresses the real issues - 
> how to keep the bad guys out, part of SP2 is a feeble attempt 
> to mitigate the effects of
> malware after it has arrived.    Re: outbound rate connection queue
> limiting - Even without raw sockets, it is trivial to fill 
> the pipe with TCP Syn's to one or more addresses, albeit with 
> a real source IP.  (Note to MS: by the time malware has been 
> installed, it's too late; the horse is already out of the barn!)
> 
>   Since the GRC.com attack 2 years ago, even average ISPs put 
> filters in place to prevent IP address spoofing.  I saw one 
> piece of Windows malware about 2 years ago that used spoofed 
> source IPs, but none recently.

Agobot/phatbot does; have a look at this packet capture:

:hotwheels!booger@...t.admins.net PRIVMSG #agbot :.tcpflood syn xxx.xxx.xxx.xxx 80 120 -r

PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (xxx.xxx.xxx.xxx:80) for 120 seconds.
PRIVMSG #agbot :[TCP]: Done with syn flood to IP: xxx.xxx.xxx.xxx. Sent: 1415523 packet(s) @ 691KB/sec (80MB).


-- 
- Justin 
- Network Performance Analyst
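
Added example (not part of the original post): a defender-side parser that picks the flood command and the bot's status reports out of captured IRC traffic and derives the per-host packet rate to compare against sensor thresholds. The function names are hypothetical, and the patterns assume the exact wording shown in the capture above.

```python
import re

# Constructed sample input: the three IRC lines from the capture above,
# with wrapped lines rejoined and the redacted address kept as posted.
CAPTURE = """\
:hotwheels!booger@...t.admins.net PRIVMSG #agbot :.tcpflood syn xxx.xxx.xxx.xxx 80 120 -r
PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (xxx.xxx.xxx.xxx:80) for 120 seconds.
PRIVMSG #agbot :[TCP]: Done with syn flood to IP: xxx.xxx.xxx.xxx. Sent: 1415523 packet(s) @ 691KB/sec (80MB).
"""

# Patterns are derived only from the lines shown in this post; other bot
# builds may word their commands and reports differently (assumption).
CMD = re.compile(r"PRIVMSG (#\S+) :\.tcpflood (\w+) (\S+) (\d+) (\d+)(?: (-r))?\s*$")
START = re.compile(r"PRIVMSG (#\S+) :\[TCP\]: (Spoofed )?(\w+) flooding: \((\S+):(\d+)\) for (\d+) seconds\.")
DONE = re.compile(r"PRIVMSG (#\S+) :\[TCP\]: Done with (\w+) flood to IP: (\S+)\. "
                  r"Sent: (\d+) packet\(s\) @ (\d+)KB/sec \((\d+)MB\)\.")


def parse_events(text):
    """Return one dict per recognised line, in capture order."""
    events = []
    for line in text.splitlines():
        if m := CMD.search(line):
            events.append({"kind": "command", "channel": m[1], "method": m[2], "target": m[3],
                           "port": int(m[4]), "seconds": int(m[5]), "flag": m[6]})
        elif m := START.search(line):
            events.append({"kind": "start", "channel": m[1], "spoofed": bool(m[2]), "method": m[3],
                           "target": m[4], "port": int(m[5]), "seconds": int(m[6])})
        elif m := DONE.search(line):
            events.append({"kind": "done", "channel": m[1], "method": m[2], "target": m[3],
                           "packets": int(m[4]), "kb_per_sec": int(m[5]), "mb": int(m[6])})
    return events


def flood_summary(events):
    """Pair each 'done' report with its 'start' line to get packets per second."""
    started, out = {}, []
    for e in events:
        key = (e["channel"], e["target"])
        if e["kind"] == "start":
            started[key] = e
        elif e["kind"] == "done" and key in started:
            s = started.pop(key)
            out.append({"target": e["target"], "port": s["port"], "spoofed": s["spoofed"],
                        "pps": e["packets"] // s["seconds"], "kb_per_sec": e["kb_per_sec"]})
    return out


if __name__ == "__main__":
    print(flood_summary(parse_events(CAPTURE)))
```

For the capture above this works out to 11796 packets per second from a single infected host.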

