----- Original Message -----
From: "Benjamin Scott" <[EMAIL PROTECTED]>
To: "Greater NH Linux Users' Group" <[EMAIL PROTECTED]>
Sent: Sunday, July 08, 2001 3:18 AM
Subject: Re: grc.com Ddos analysis


> On Fri, 6 Jul 2001, Rich C wrote:
> > OK, nit noted: I should have said "stock" Windows 9x machines are not
> > capable of this.
>
>   "stock" Win9X machines are not capable of propagating email viruses,
> either.

Of course they are. All you need is Outlook Express, which is script enabled
by default, and you're all set.

> They need to be compromised first.  My point was that it is trivially easy
> to compromise a Win9X machine.  Once the system is compromised, the attacker
> can do anything he or she wants.
>

You're confusing the issue. We are discussing (or at least I am) a "stock"
Win9x machine being compromised by a virus, and being incapable of source IP
address spoofing, versus a "stock" WinXP machine being compromised by a
virus, that IS capable of source IP address spoofing.

> > Win 2k DOES have a raw sockets API.
>
>   I'm confused.  I thought Steve Gibson was up in arms because WinXP
> included a raw sockets API for the first time.  Is he wrong, or am I?
>

Win2K is the first MS OS to include a raw sockets API. Gibson states he is
not concerned too much with Win2K machines because they are limited in
number compared with user machines, and usually are in the hands of more
security-conscious people.

> > If it were truly trivial, I would think it would be done more.
>
>   You're not a malicious hacker.  Neither am I.  I do not know what might
> motivate such a person; all I can do is suppose.  I can only guess that
> right now, such people (I use the term advisedly) find it more fun to go
> after unsecured Linux systems, because the tools are already present.

Most of these people do not have the skills to develop or even fully use
most of these tools themselves. They download them, receive brief
instruction from the developer of the tool, or from a more knowledgeable
cracker, and they're off and running. The vast majority couldn't create a
hack themselves if their lives depended on it. This situation applies to
tools developed on open source Linux systems or using Microsoft's closed
source APIs and a pirated copy of Visual Studio.

If these malicious hackers could indeed trivially include patches to enable
source IP spoofing, I'm sure they would do it as a matter of course. I don't
know why it isn't done more, like I said; there must be some limiting factor
that I am not aware of, and that makes Windows XP such an anticipated
arrival by these malicious hackers.

>
> > The point is that this capability will be present BY DEFAULT on Windows
> > XP machines.
>
>   Any computer capable of performing useful tasks on a network (by default
> or otherwise) is capable of performing malicious tasks.  Getting upset over
> one specific instance is silly.

Gibson's point is that for an OS that is available to the masses to have a
raw sockets API provides increased capability for malicious activity while
it DOES NO GOOD for the user of the system.

>
>   Steve Gibson actually comes close when he talks about accountability and
> awareness:  What needs to be done is people need to be made aware of the
> security issues inherent in any public network, they need to be made aware
> that *everyone* needs to worry, and they need to be held accountable for
> doing so.

True. And the malicious hackers need to be held accountable for their
actions too. Taking away a kid's computer for two years is not a strong
statement of how serious an offense it is to break into computers--having
him make license plates IS.

>
> > If someone INTENTIONALLY installs a raw sockets capability ...
>
>   How many people "intentionally" install a virus?

How is this relevant? My point was that a raw sockets capability
"intentionally" installed by someone who really needs it and is aware of its
capabilities and security issues is much better than having it there by
default in a machine whose user is unaware of its presence, or the problems
it can cause.

>
> > This doesn't stop trojans from being developed or deployed for Windows
> > machines.  This doesn't stop vulnerabilities from being found in email
> > programs to allow these programs to spread.
>
>   Which is it?  Either the lack of a tool hinders attack, or it does not.
> On one hand, you are saying the addition of a raw sockets API will make
> attacks more common.  On the other, you are saying the lack of tools doesn't
> stop trojans from being developed.  You can't have it both ways.

No, I am saying (actually, Gibson is saying) that having a raw sockets API
will make compromised machines harder to find. YOU stated that because Linux
offers source code and free tools, it is a better platform for malicious
hackers. In fact, it may be a better platform for doing SOME things, but if
you want to develop tools to compromise a Windows machine, you are better
off developing them on a Windows machine. And Windows machines are the
target of choice for DDOS attacks because a) there are so many of them, and
b) there are so many that are owned by people who don't practice "safe
computing."

>
> > Linux systems are not the best systems for DDOS attacks because there is
> > not a high enough population of them yet.
>
>   DDoS attacks do not need packet spoofing to succeed.  Indeed, spoofed
> packets make a DDoS attack easier to detect.

Not necessarily. If the address is changed to something WILD from outside
the ISP's domain, then yes, you are right. But if the address is changed to
another address within the ISP's domain, the packet will just appear to come
from another computer on the network.

> The reason DDoS attacks are so hard to stop is that all the zombies are
> nominally legitimate machines sending nominally legitimate requests.

The attack on Gibson's site was identified as coming from 474 specific
Windows boxes, lying in specified domains. http://grc.com/dos/grcdos.htm
Since these machines could be identified by their unusual packets (maximum
length packets that get fragmented, and large ICMP packets), source IP
spoofing would make these machines impossible to locate. The attack log
http://grc.com/dos/attacklog.htm proves that WITHOUT spoofing, it was
possible to locate the offending machines.

>   I think you can replace "Linux" with "network" and still have a true
> statement there.  I personally believe the apathy about security is the
> biggest threat facing information systems today.

True, but no ISP will block the use of Windows machines (at this stage) no
matter how open to attack they become. Many ISPs already discourage or even
forbid use of Linux machines on their networks.

>
> > Unless we can demonstrate that open source improves security, no one
> > will use it.
>
>   You cannot demonstrate the security of an open source cardboard box.
> Unless people start taking security *as a whole* seriously, the security
> of Linux is a moot point.

But the cardboard box can encourage that attitude by turning off (by
default) dangerous services, and by adding to the distribution (by default)
tools to help the user secure the system, detect intrusion, and repair the
effects of attack. This will also "raise the bar" for other OSes.

>
> >> Anti-virus protection is a multi-million dollar market segment.
> >> Millions and millions of dollars spent every year just because Microsoft
> >> can't design a secure OS.
> >
> > It's not that they can't, it's that they don't hold it as a priority.
>
>   Fair enough.  Unable or unwilling; the end result is the same.

And now since Linux machines have been shown to be just as vulnerable to
viruses, there is no motivation on the part of Microsoft to change its
position (except maybe they will tout Windows as being MORE secure than
Linux, even when we all know it isn't.)

>
> >> Outlook-enabled email viruses can and still do bring corporate email
> >> systems to their knees in minutes, and clog outside systems for hours
> >> or days.
> >>
> >> What has changed?
> >
> > With XP, and Linux too for that matter (as with all OSes that can spoof
> > source IPs) the compromised systems won't be detectable.
>
>   Excuse me?  If the system is compromised, the attacker can do anything
> he wants to subvert your system.  Given the mess your average
> \WINDOWS\SYSTEM\ directory is, I hardly think one file more or less will be
> noticed.  Assuming you can even see it in the first place.

Which brings me back to my original question (again:) Why don't these
trojans install a raw sockets API or modify the system to perform source
address spoofing?

>
> > My point was that a dedicated firewall will have fewer vulnerabilities
> > than even a properly secured multi-purpose OS, Linux included.
>
>   This is not necessarily true.  If you strip a general-purpose OS like
> Linux down to nothing but the kernel, you can secure it as well as any
> embedded firewall box.

And how much more useful for everyday computing is that stripped down system
than the embedded firewall?

> The embedded box runs software, too.  That software can be
> compromised, just like any other software.  It happens often enough.

The embedded firewall only runs a very limited software set, and that set
usually can't be compromised (runs out of a write-protected floppy, or even
firmware). The only way to compromise these systems is to change the
configuration (which can be reversed on a reboot) or to gain physical access
to the media to change it (getting the user to download an "update" from an
untrustworthy source would be an example.)

>
>   The real increased risk comes when you start running additional services
> on the firewall.  Running services on the same system as the firewall means
> a service vulnerability leading to root compromise can further open your
> network to attack.  A separate service host means the attacker is limited to
> what he can do through the service host.  If the service host is in a DMZ,
> that might be very little.

My point exactly.

Rich Cloutier
SYSTEM SUPPORT SERVICES
www.sysupport.com
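Added illustration (not part of the message above, and not grc.com's actual attack log or analysis): a small Python detector that does, over constructed flow records, what the message says made the 474 attacking hosts locatable. It counts per source address the packets with the traits described (near-maximum-length packets that fragment, and large ICMP), flags sources that exceed a threshold, and groups the flagged hosts by the netblock they fall in so the report can go to the responsible provider. The log format, the `NETBLOCKS` allocation table, the `LARGE_PACKET` cut-off and all addresses are assumptions made for this example (RFC 5737 documentation prefixes).

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flow records (assumed whitespace-separated format,
# not grc.com's real attack log).  Fields:
#   time  src  dst  proto  length_bytes  fragmented
SAMPLE_LOG = """\
2001-05-04T02:00:01 203.0.113.10 198.51.100.5 icmp 1480 yes
2001-05-04T02:00:01 203.0.113.10 198.51.100.5 icmp 1480 yes
2001-05-04T02:00:02 203.0.113.10 198.51.100.5 icmp 1480 yes
2001-05-04T02:00:02 203.0.113.11 198.51.100.5 udp 1480 yes
2001-05-04T02:00:03 203.0.113.10 198.51.100.5 icmp 1480 yes
2001-05-04T02:00:03 192.0.2.44 198.51.100.5 tcp 60 no
2001-05-04T02:00:04 203.0.113.11 198.51.100.5 udp 1480 yes
2001-05-04T02:00:04 203.0.113.11 198.51.100.5 udp 1480 yes
2001-05-04T02:00:05 192.0.2.44 198.51.100.5 tcp 60 no
2001-05-04T02:00:05 192.0.2.44 198.51.100.5 tcp 1480 no
"""

# Assumed provider allocation table (constructed); in practice this would
# come from whois / routing registry data.
NETBLOCKS = {
    "203.0.113.0/24": "example-isp-a",
    "192.0.2.0/24": "example-isp-b",
}

# Packets at or above this size are "near the 1500-byte Ethernet MTU".
LARGE_PACKET = 1400


def parse_log(text):
    """Parse the constructed flow format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, length, frag = line.split()
        records.append({
            "time": ts,
            "src": src,
            "dst": dst,
            "proto": proto,
            "length": int(length),
            "fragmented": frag == "yes",
        })
    return records


def is_suspicious(rec):
    """The traits the message describes: maximum-length packets that
    fragment, or large ICMP packets."""
    return rec["length"] >= LARGE_PACKET and (rec["fragmented"] or rec["proto"] == "icmp")


def count_suspicious(records):
    """Per-source count of packets matching is_suspicious()."""
    counts = Counter()
    for rec in records:
        if is_suspicious(rec):
            counts[rec["src"]] += 1
    return counts


def owner_of(addr, netblocks=NETBLOCKS):
    """Map an address to the provider whose block contains it."""
    ip = ipaddress.ip_address(addr)
    for cidr, owner in netblocks.items():
        if ip in ipaddress.ip_network(cidr):
            return owner
    return "unknown"


def flag_sources(records, min_hits=3):
    """Return {owner: [(src, hits), ...]} for sources at or above min_hits,
    grouped by the netblock owner so each provider gets its own report."""
    report = defaultdict(list)
    for src, hits in count_suspicious(records).items():
        if hits >= min_hits:
            report[owner_of(src)].append((src, hits))
    for owner in report:
        report[owner].sort()
    return dict(report)


if __name__ == "__main__":
    for owner, hosts in flag_sources(parse_log(SAMPLE_LOG)).items():
        print(owner)
        for src, hits in hosts:
            print(f"  {src}: {hits} suspicious packets")
```

The per-host attribution in `flag_sources` is exactly what the message says spoofing would defeat: if the source field were forged to another address inside the same block, the hits land on the wrong host, although the per-owner grouping would still point at the right provider. Note also that the plain 1480-byte TCP packet from 192.0.2.44 is not counted, since it is neither fragmented nor ICMP.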


**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
