----- Original Message -----
From: "Derek Martin" <[EMAIL PROTECTED]>
To: "Rich C" <[EMAIL PROTECTED]>
Cc: "GNHLUG mailing list" <[EMAIL PROTECTED]>
Sent: Friday, July 06, 2001 6:03 PM
Subject: Re: grc.com Ddos analysis
> On Fri, Jul 06, 2001 at 04:35:05PM -0400, Rich C wrote:
>
> > Yes, but that is not practical in a trojan setup, since modifying windows
> > system files can be undone with the system file checker, version conflict
> > manager or other such verification tool.
>
> ...assuming you're aware of such tools AND care to dedicate the time
> to installing them. The vast majority of Home users are neither.
> Your checker might foil the script kiddies, but they'll still succeed
> more often than they won't.
>
> > Also, changing files like this usually requires a reboot before
> > anything else happens, since the DLLs can get out of sync and can
> > cause a system crash.
>
> Which is par for the course on a windows machine. And many, if not
> most home users boot their machine each time they want to use it. In
> all likelihood, your script kiddie will need to wait at most a day
> before they reap the fruits of someone else's labor... All in all,
> this really isn't a big problem for your attacker. Maybe YOU have a
> machine well enough protected to foil their automated attacks, but for
> every one of you there are a hundred home users that don't.
Which brings me back to my original question, why aren't patches to enable
source IP spoofing included in with more trojans like sub7server and other
bots? Their purpose is solely for DDOS attacks, so IP spoofing is
desirable. It can't be that trivial or it would be done more.
>
> Moral? Be the one, not the hundred. Remember, most of the exploits
> that are in use today work against vulnerabilities that have been
> reported quite some time ago -- often two years ago or more! The
> reason they're successful is not because there is no cure for them,
> but because people don't make use of said cure...
>
>
> >> Actually with all of the Windows trojans floating around I'm
> >> surprised that someone hasn't written a kit that alters the system
> >> to allow spoofing, since it is so advantageous in ddos attacks...
> >
> > And I am also surprised that the Linux "root kits" that are around don't
> > also include tools to spoof source IPs. Or maybe they do and the kiddies
> > don't know how to use them? Otherwise, how would the ISPs find the offending
> > machines and shut them off? (I must be missing something here.)
>
> IP spoofing is HARD. At least, it is if you want to get something
> BACK. It works great for DoS attacks,
...which is exactly what zombied machines are used for. You want your army
of zombies to lie undetected, waiting for you to command them to attack. And
when they do, you DON'T want the users' ISP to find them.
> because usually the source
> machine doesn't care about return traffic (or more accurately,
> specifically doesn't want it). It's not quite so easy to pull off a
> spoofing attack from multiple hops away if you need the return
> traffic... it simply won't get to you. It used to be a lot easier
> before people started configuring routers and firewalls to drop source
> routed packets, and it's still not impossible, but it's pretty tough.
> Probably requires subversion of (at least) one upstream router, to
> help control where the packets go or to do NAT (or maybe both). And
> you have to worry about asymmetric routing... But in any case, it's a
> much more complicated hack.
Most zombied machines "dial out" anyway. The malicious hacker doesn't even
have to contact them. He simply logs onto an IRC channel and picks up the
passwords, credit card numbers, or whatever else he wants to steal.
>
>
> One of the more interesting questions, I think, is this: What happens
> when the hundred catch on to what the one is doing, and all start
> following suit? Or, said another way, what happens if the average home
> user starts practicing the same methodologies for protecting systems that
> the security-conscious users practice?
>
> If that ever happens, then suddenly all the machines on the 'net
> require the same investment in knowledge and time to break into
> (barring a further increase in diligence on the part of the
> previously security conscious user -- there's only so much time in a
> day, and no one wants to spend the whole of it watching system
> security). Let's assume that the old network security tenet is true:
> No system is unbreakable. It's only a question of time and skill
> required to break a given system.
>
> So, if all the systems are equally hard, but hard nonetheless, to
> break into, will the attacks stop at that point? History suggests
> that they won't. More likely, the attackers will raise the level of
> their attacks, to account for the security measures that are in common
> use. Now, suddenly, you've got to be even MORE diligent to keep your
> system from being broken into. The attackers work in concert, in a
> way, and they're persistent, so ultimately they WILL win... They'll
> find a way to get into a bunch of systems.
>
> In reality though, I think the security conscious user is safe, because
> the average user probably will never take the time to worry about the
> threats that they face in connecting to the Internet. It just isn't
> meaningful to most people... And maybe, if my conclusions above are
> correct, maybe that's best for those of us who really do want to
> protect our data.
That's comforting--knowing that the reason we are not targeted more than we
are is simply because there are bigger (stupider) fish out there.
Rich Cloutier
SYSTEM SUPPORT SERVICES
www.sysupport.com
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
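The thread asks how an ISP would ever find a zombie that spoofs its source address, and notes that spoofing "works great" for DoS precisely because no return traffic is needed. The defender-side answer to both points is ingress filtering at the access edge (BCP 38): a packet is only forwarded if the route back to its claimed source address exits through the interface the packet arrived on, so a spoofed source is dropped before it ever leaves the ISP and the offending port is immediately identifiable. The following is an added example, not part of the original thread or the GNHLUG archive; the interface names, prefixes and packet samples are constructed, and the routing table is a toy stand-in for a real router's FIB.

```python
"""Strict and loose reverse-path (BCP 38 / uRPF-style) ingress filtering.

Added illustration, not part of the original mailing-list thread.  All
interface names, prefixes and packets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed routing table: prefix -> interface that prefix is reached through.
# A strict reverse-path check asks: "if I had to send a reply to this packet's
# source address, would it leave via the interface the packet came in on?"
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "cust-dsl0",   # customer A
    ipaddress.ip_network("10.2.0.0/16"): "cust-dsl1",   # customer B
    ipaddress.ip_network("192.0.2.0/24"): "cust-dsl1",  # customer B, second block
    ipaddress.ip_network("0.0.0.0/0"): "upstream0",     # default route to transit
}
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str      # claimed source address
    dst: str


def best_route(addr):
    """Longest-prefix match over ROUTES; returns (prefix, egress interface)."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, net, iface) for net, iface in ROUTES.items() if ip in net]
    if not matches:
        return None, None
    _, net, iface = max(matches, key=lambda m: m[0])
    return net, iface


def strict_rpf_ok(pkt):
    """Strict mode: route back to pkt.src must exit via the arrival interface.

    Appropriate on single-homed customer ports.  On transit links it can drop
    legitimate traffic under asymmetric routing (the caveat raised in the
    thread), which is why loose mode exists.
    """
    _, iface = best_route(pkt.src)
    return iface == pkt.ingress


def loose_rpf_ok(pkt):
    """Loose mode: pkt.src merely has to be routable by some non-default route.

    Catches sources drawn from unallocated / bogon space but not a spoofed
    address that belongs to some other customer.
    """
    net, _ = best_route(pkt.src)
    return net is not None and net != DEFAULT_ROUTE


def filter_ingress(packets, check=strict_rpf_ok):
    """Split packets into (forwarded, dropped) according to the chosen check."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if check(p) else dropped).append(p)
    return forwarded, dropped


# Constructed sample traffic seen by the access router.
SAMPLE = [
    Packet("cust-dsl0", "10.1.5.7", "198.51.100.1"),    # genuine customer A traffic
    Packet("cust-dsl0", "203.0.113.9", "198.51.100.1"), # A spoofing a foreign address
    Packet("cust-dsl0", "10.2.3.3", "198.51.100.1"),    # A spoofing customer B
    Packet("upstream0", "203.0.113.9", "10.1.5.7"),     # ordinary inbound traffic
    Packet("upstream0", "10.1.9.9", "10.1.5.7"),        # outsider spoofing customer A
]

if __name__ == "__main__":
    fwd, drop = filter_ingress(SAMPLE)
    for p in drop:
        print(f"drop  {p.ingress:10} src={p.src:14} (reverse path is {best_route(p.src)[1]})")
    for p in fwd:
        print(f"pass  {p.ingress:10} src={p.src}")
```

Running the strict check over the sample traffic passes only the two packets whose source is reachable back through the arrival port and drops the three spoofed ones, each tagged with the interface the source really belongs to; that tag is exactly what lets an operator walk from a spoofed flood back to a customer port. The loose check lets the "customer A spoofing customer B" packet through, since 10.2.0.0/16 is routable, which is why loose mode is a fallback for multi-homed links rather than a substitute for strict filtering at the customer edge.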