Message-ID: <63D883CB0A1B204EB053673DD882CB53036298D0@email.albany.edu>
From: JAzoff at uamail.albany.edu (Justin Azoff)
Subject: SP2 and NMAP
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Mike Nice
> Sent: Friday, August 13, 2004 10:17 AM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] SP2 and NMAP
>
>
> > If you read the above Microsoft doc you will see that they have not
> > "disabled raw packets" but disabled commonly abused types of raw
> > packet.
>
> While most of XP SP2 properly addresses the real issues -
> how to keep the bad guys out, part of SP2 is a feeble attempt
> to mitigate the effects of
> malware after it has arrived. Re: outbound rate connection queue
> limiting - Even without raw sockets, it is trivial to fill
> the pipe with TCP SYNs to one or more addresses, albeit with
> a real source IP. (Note to MS: by the time malware has been
> installed, it's too late; the horse is already out of the barn!)
>
> Since the GRC.com attack 2 years ago, even average ISPs put
> filters in place to prevent IP address spoofing. I saw one
> piece of Windows malware about 2 years ago that used spoofed
> source IPs, but none recently.
Agobot/phatbot does; have a look at this packet capture:
:hotwheels!booger@...t.admins.net PRIVMSG #agbot :.tcpflood syn xxx.xxx.xxx.xxx 80 120 -r
PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (xxx.xxx.xxx.xxx:80) for 120 seconds.
PRIVMSG #agbot :[TCP]: Done with syn flood to IP: xxx.xxx.xxx.xxx. Sent: 1415523 packet(s) @ 691KB/sec (80MB).
--
- Justin
- Network Performance Analyst
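The bot command and status lines in the capture above follow a fixed format, which is what makes them usable as a detection signature in IRC traffic or proxy logs. The parser below is an added example (not part of the original message or of the bot's code); the sample lines are constructed from the quoted capture, with the target masked as in the original, and the bytes-per-packet sanity check uses only the figures the bot itself reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the Agobot/Phatbot IRC exchange quoted above;
# the target address is masked exactly as in the original capture.
SAMPLE_LINES = [
    ":hotwheels!booger@...t.admins.net PRIVMSG #agbot :.tcpflood syn xxx.xxx.xxx.xxx 80 120 -r",
    "PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (xxx.xxx.xxx.xxx:80) for 120 seconds.",
    "PRIVMSG #agbot :[TCP]: Done with syn flood to IP: xxx.xxx.xxx.xxx. Sent: 1415523 packet(s) @ 691KB/sec (80MB).",
    "PRIVMSG #agbot :morning all",   # benign chatter, must not match
]

# Operator command: ".tcpflood <kind> <target> <port> <seconds> [flags]"
CMD_RE = re.compile(r"PRIVMSG\s+#\S+\s+:\.tcpflood\s+(\w+)\s+(\S+)\s+(\d+)\s+(\d+)((?:\s+-\S+)*)")
# Bot acknowledgement; the word "Spoofed" appears only when source addresses are forged
START_RE = re.compile(r"\[TCP\]: (Spoofed )?syn flooding: \(([^:]+):(\d+)\) for (\d+) seconds")
# Bot completion report carrying the volume figures
DONE_RE = re.compile(r"\[TCP\]: Done with syn flood to IP: (\S+)\. Sent: (\d+) packet\(s\) @ (\d+)KB/sec \((\d+)MB\)")

@dataclass
class Event:
    kind: str                     # "command", "start" or "done"
    target: str
    port: Optional[int] = None
    seconds: Optional[int] = None
    spoofed: bool = False
    flags: str = ""
    packets: Optional[int] = None
    kb_per_sec: Optional[int] = None
    megabytes: Optional[int] = None

def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a tcpflood command or bot report line, else None."""
    if m := CMD_RE.search(line):
        return Event("command", m[2], int(m[3]), int(m[4]), flags=m[5].strip())
    if m := START_RE.search(line):
        return Event("start", m[2], int(m[3]), int(m[4]), spoofed=bool(m[1]))
    if m := DONE_RE.search(line):
        return Event("done", m[1], packets=int(m[2]), kb_per_sec=int(m[3]), megabytes=int(m[4]))
    return None

def flood_events(lines: List[str]) -> List[Event]:
    """Keep only lines that match the bot's command/report grammar."""
    return [e for e in (parse_line(l) for l in lines) if e]

def avg_packet_bytes(done: Event) -> float:
    """Bytes per packet from the bot's own report; roughly 40-60 B means bare SYNs with no payload."""
    return done.megabytes * 1024 * 1024 / done.packets

if __name__ == "__main__":
    events = flood_events(SAMPLE_LINES)
    for e in events:
        print(e)
    print(round(avg_packet_bytes(events[-1]), 1))
```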