RE: SP2 and NMAP

[Justin Azoff <JAzoff () uamail albany edu>]

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Mike Nice
> Sent: Friday, August 13, 2004 10:17 AM
> To: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] SP2 and NMAP
>
>
> > If you read the above Microsoft doc you will see that they have not 
> > "disabled raw packets" but disabled commonly abused types of raw 
> > packet.
>
>    While most of XP SP2 properly addresses the real issues - 
> how to keep the bad guys out, part of SP2 is a feeble attempt 
> to mitigate the effects of
> malware after it has arrived.    Re: outbound rate connection queue
> limiting - Even without raw sockets, it is trivial to fill 
> the pipe with TCP Syn's to one or more addresses, albeit with 
> a real source IP.  (Note to MS: by the time malware has ben 
> installed, it's too late; the horse is already out of the barn!)
>
>   Since the GRC.com attack 2 years ago, even average ISPs put 
> filters in place to prevent IP address spoofing.  I saw one 
> piece of windows malware about 2 years ago that used spoofed 
> source IPs, but none recently.

Agobot/phatbot does, have a look at this packet capture :

:hotwheels!booger () leet admins net PRIVMSG #agbot :.tcpflood syn
xxx.xxx.xxx.xxx 80 120 -r

PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (xxx.xxx.xxx.xxx:80) for 120
seconds.
PRIVMSG #agbot :[TCP]: Done with syn flood to IP: xxx.xxx.xxx.xxx. Sent:
1415523 packet(s) @ 691KB/sec (80MB).


-- 
- Justin 
- Network Performance Analyst

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html