----- Original Message -----
From: "Karl J. Runge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 06, 2001 3:08 PM
Subject: Re: grc.com Ddos analysis
> On Fri, 6 Jul 2001, "Rich Cloutier" <[EMAIL PROTECTED]> wrote:
> > ...
> > I have been following this for some time now. The reason a Linux machine on
> > a cable modem is so desirable to these hackers is exactly that: The Linux
> > machine can spoof its source IP address, thus hiding its identity from the
> > attacked site's admin, and, more importantly, from the ISP.
> >
> > Windows 9x machines are not capable of this. But apparently XP machines are,
> > and Gibson fears that millions of untrained users with XP and Outlook to
> > propagate viruses with the trojans in them will bring chaos to the internet.
>
> Yes. More correctly it is that *un-altered* Win9* and WinNT systems
> cannot spoof the source addresses. "3rd party" tcp/ip Windows drivers can
> be installed that enable source address spoofing.
Yes, but that is not practical in a trojan setup, since modifying Windows
system files can be undone with the System File Checker, Version Conflict
Manager or other such verification tool. Also, changing files like this
usually requires a reboot before anything else happens, since the DLLs can
get out of sync and can cause a system crash.
>
> Actually with all of the Windows trojans floating around I'm surprised that
> someone hasn't written a kit that alters the system to allow spoofing,
> since it is so advantageous in ddos attacks...
And I am also surprised that the Linux "root kits" that are around don't
also include tools to spoof source IPs. Or maybe they do and the kiddies
don't know how to use them? Otherwise, how would the ISPs find the offending
machines and shut them off? (I must be missing something here.)
>
> Would these changes be confined to WINSOCK.DLL or does the Windows
> kernel need to be "patched" to do this? It seems even a NIC driver
> could be hacked to do this...
>
> Karl
>
Rich Cloutier
SYSTEM SUPPORT SERVICES
www.sysupport.com