> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike Nice
> Sent: Friday, August 13, 2004 10:17 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] SP2 and NMAP
>
> > If you read the above Microsoft doc you will see that they have not
> > "disabled raw packets" but disabled commonly abused types of raw
> > packet.
>
> While most of XP SP2 properly addresses the real issues - how to keep
> the bad guys out - part of SP2 is a feeble attempt to mitigate the
> effects of malware after it has arrived. Re: outbound rate connection
> queue limiting - even without raw sockets, it is trivial to fill the
> pipe with TCP SYNs to one or more addresses, albeit with a real source
> IP. (Note to MS: by the time malware has been installed, it's too late;
> the horse is already out of the barn!)
>
> Since the GRC.com attack 2 years ago, even average ISPs put filters in
> place to prevent IP address spoofing. I saw one piece of Windows
> malware about 2 years ago that used spoofed source IPs, but none
> recently.
Agobot/Phatbot does; have a look at this packet capture:

:[EMAIL PROTECTED] PRIVMSG #agbot :.tcpflood syn xxx.xxx.xxx.xxx 80 120 -r
PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (xxx.xxx.xxx.xxx:80) for 120 seconds.
PRIVMSG #agbot :[TCP]: Done with syn flood to IP: xxx.xxx.xxx.xxx. Sent: 1415523 packet(s) @ 691KB/sec (80MB).

--
- Justin -
Network Performance Analyst

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
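The three IRC lines in the capture above are exactly the kind of C&C traffic a network analyst would want to pick out of a PRIVMSG stream. The following is an added example, not code from Justin's post or from the Agobot/Phatbot codebase: a small parser that recognises the controller's `.tcpflood` command and the bot's "flooding"/"Done" acknowledgements, extracts target, port, duration and the reported volume, and derives the average bytes per packet from the bot's own figures. Two assumptions are made, both marked in comments: the `-r` switch is treated as the spoofed-source flag only because the bot answers the `-r` command with "Spoofed syn flooding", and the sample lines are constructed, with RFC 5737 documentation addresses in place of the redacted `xxx.xxx.xxx.xxx` and `[EMAIL PROTECTED]` prefixes.

```python
"""Detect Agobot/Phatbot ".tcpflood" commands and bot status replies in IRC PRIVMSG lines.

Added example, not code from the post. Line formats follow the capture quoted above.
ASSUMPTION: "-r" means a spoofed (random) source address; inferred from the bot's
"Spoofed syn flooding" acknowledgement, not from any Agobot documentation on the page.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Controller command: PRIVMSG <chan> :.tcpflood <mode> <ip> <port> <seconds> [flags...]
CMD_RE = re.compile(
    r"PRIVMSG\s+(?P<chan>\S+)\s+:\.tcpflood\s+(?P<mode>\w+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<secs>\d+)(?P<flags>(?:\s+-\w+)*)"
)
# Bot acknowledgement: "[TCP]: Spoofed syn flooding: (ip:port) for N seconds."
# ASSUMPTION: the "Spoofed " prefix is absent for a non-spoofed flood; the capture only shows the spoofed form.
START_RE = re.compile(
    r"\[TCP\]:\s+(?P<spoof>Spoofed\s+)?syn flooding:\s+\((?P<ip>[\d.]+):(?P<port>\d+)\)"
    r"\s+for\s+(?P<secs>\d+)\s+seconds"
)
# Bot completion report with volume figures.
DONE_RE = re.compile(
    r"\[TCP\]:\s+Done with syn flood to IP:\s+(?P<ip>[\d.]+)\.\s+Sent:\s+(?P<pkts>\d+)\s+packet\(s\)"
    r"\s+@\s+(?P<rate>\d+)KB/sec\s+\((?P<total>\d+)MB\)"
)


@dataclass
class FloodEvent:
    kind: str                      # "command", "start" or "done"
    target_ip: str
    port: Optional[int] = None
    seconds: Optional[int] = None
    spoofed: Optional[bool] = None
    packets: Optional[int] = None
    rate_kbps: Optional[int] = None
    total_mb: Optional[int] = None


def parse_line(line: str) -> Optional[FloodEvent]:
    """Return a FloodEvent for a tcpflood command or status line, None for anything else."""
    m = CMD_RE.search(line)
    if m:
        flags = m.group("flags").split()
        return FloodEvent("command", m.group("ip"), int(m.group("port")),
                          int(m.group("secs")), spoofed="-r" in flags)   # ASSUMPTION: -r = spoofed source
    m = START_RE.search(line)
    if m:
        return FloodEvent("start", m.group("ip"), int(m.group("port")),
                          int(m.group("secs")), spoofed=m.group("spoof") is not None)
    m = DONE_RE.search(line)
    if m:
        return FloodEvent("done", m.group("ip"), packets=int(m.group("pkts")),
                          rate_kbps=int(m.group("rate")), total_mb=int(m.group("total")))
    return None


def parse_capture(lines: Iterable[str]) -> List[FloodEvent]:
    """Keep only the lines that parse as tcpflood activity, in capture order."""
    return [ev for ev in (parse_line(line) for line in lines) if ev is not None]


def avg_packet_bytes(done: FloodEvent) -> float:
    """Average on-wire bytes per packet from the bot's own completion figures (MB taken as 2**20)."""
    return done.total_mb * 1024 * 1024 / done.packets


# Constructed sample modelled on the capture above; 192.0.2.10 stands in for the redacted target
# and the nick!user@host prefixes replace the redacted "[EMAIL PROTECTED]".
SAMPLE = [
    ":op!op@198.51.100.5 PRIVMSG #agbot :.tcpflood syn 192.0.2.10 80 120 -r",
    ":bot!x@203.0.113.7 PRIVMSG #agbot :[TCP]: Spoofed syn flooding: (192.0.2.10:80) for 120 seconds.",
    ":bot!x@203.0.113.7 PRIVMSG #agbot :[TCP]: Done with syn flood to IP: 192.0.2.10. "
    "Sent: 1415523 packet(s) @ 691KB/sec (80MB).",
    ":op!op@198.51.100.5 PRIVMSG #agbot :nothing to see here",   # benign chatter, must not match
]

if __name__ == "__main__":
    events = parse_capture(SAMPLE)
    for ev in events:
        print(ev)
    done = events[-1]
    # Roughly 59 bytes per packet: header-only SYNs, not payload-carrying traffic.
    print(f"~{avg_packet_bytes(done):.0f} bytes/packet")
```

The per-packet figure is the useful cross-check when triaging a capture like this one: 80 MB over 1,415,523 packets is a few dozen bytes each, which is what bare SYNs look like, and 691 KB/s for 120 s comes to about 81 MB, so the bot's three numbers agree with each other. The `-r` handling is the part to revisit if you have the bot's source to hand; the rest of the grammar is lifted directly from the three captured lines.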
