North American Network Operators Group

Re: DDOS anecdotes

  • From: Roland Dobbins
  • Date: Sat Jun 23 18:31:29 2001

I think the idea is to either use a buffer overflow or somesuch (yes,
they exist on Windows) to either get the machine to run a
.vbs/ActiveX/wsh at the time of penetration, or plant something that
will get run when the user does certain things or the machine's
rebooted.  There are several tools which can do spoofing on NT/2000
using the Win32 version of libpcap, and there are tools for Win9x into
which the coders wrote their own functions.

A five-minute search on google.com will reveal them.

The bottom line is that Gibson's an hysteric crank who doesn't know what
he's talking about.  Yes, providers and customers need to secure their
boxes/do egress filtering/implement CAR and/or WFQ and/or SPD and/or
TurboACLs wherever possible; yes, users need to know how to get hold of
their providers' NOCs/support staff -ahead of time-; yes, they need to
look at Cisco 7600-type and/or 6500/MSFC2/Sup2s to process ACLs wherever
possible; no, none of this is new.

He hadn't secured his routers in the least, and betrays a stunning
ignorance of how the Internet in general and IP specifically works.
Then he gets on his soapbox about it and proclaims that he, and only
he, knows how to save the Internet.

There're plenty of things to bash Microsoft over, both generally and in
regards to XP in general - but the fact that they implemented a standard
socket interface in XP isn't one of them.  

Do realize that in the last year or so, Gibson claimed to've invented
'stealth' scanning a la nmap.  He also published some crazy method for
supposedly optimizing ZIP drives which has the effect of destroying your
ZIP cartridges.  I personally think he's unhinged, and a huckster to
boot.

His latest folly is to automagically post logs of what he says are the
IPs of machines launching DoS attacks against his site, and urge users
to contact Bill Gates and blame Microsoft for it.  Needless to say,
most of the machines on the list seem to supposedly be routers or
switches of one stripe or another, and/or *NIX boxes.  My guess is that
the vast majority of those IPs are spoofed.  He also urges service
providers to take action against the supposed offenders.

Although I hate Microsoft with a passion, I hope that they sue him for
slander - I'd love to see these two FUD-spreaders go after one another.
Hell, I'd be willing to serve for free as an 'expert witness' for the
purpose of taking him apart in court.

Gibson's an idiot.  Ignore him.


Paul Vixie wrote:
> 
> > I'm having a hard time understanding this.  Wouldn't it be easier/simpler for
> > these crackers to just install their bots on, oh say, 20 million machines
> > running XP than the crackers having to deal with installing the bot -and-
> > the code to do the spoofing on Win95/98/98SE/98ME?
> 
> Doesn't matter.  Either way it's an automated script-kiddie tool.  No way
> either approach works if it requires manual keystrokes by the attacker.

-- 
------------------------------------------------------------
Roland Dobbins <[email protected]> // 408.859.4137 voice