[38916] in North American Network Operators' Group


Re: DDOS anecdotes

daemon@ATHENA.MIT.EDU (Michael Painter)
Sat Jun 23 17:44:27 2001

Message-ID: <000001c0fc2d$9082e840$0100007f@flex.com>
From: "Michael Painter" <tvhawaii@shaka.com>
To: "Daniel Senie" <dts@senie.com>
Cc: <nanog@merit.edu>
Date: Sat, 23 Jun 2001 11:18:28 -1000


Daniel

>>Obviously, a general spoofing tool for Win95 could be written.
After reading that part of the tirade, I came to the same conclusion as a
previous poster... lots of FUD, and not much more.<<

I'm having a hard time understanding this.  Wouldn't it be easier/simpler for
these crackers to just install their bots on, oh say, 20 million machines running
XP than the crackers having to deal with installing the bot -and- the code to do
the spoofing on Win95/98/98SE/98ME?

Michael Painter


----- Original Message -----
From: "Daniel Senie" <dts@senie.com>
To: "Tim Wilde" <twilde@dyndns.org>
Cc: <nanog@merit.edu>
Sent: Saturday, June 23, 2001 9:13 AM
Subject: RE: DDOS anecdotes


>
> At 02:37 PM 6/23/01, Tim Wilde wrote:
>
> > > This is a real problem. It's not FUD. Microsoft's choice to include full
> > > IP stack capabilities will make the problem worse, but I do not blame
> > > their IP stack for this like Mr Gibson does though.
> >
> >Oh, it's most certainly a real problem, but I don't agree that the changes
> >in Win XP will really make any difference whatsoever.  With some very
> >trivial driver additions, raw sockets can be accessed under any previous
> >version of Windows, just like in XP.
>
>
> Indeed, there have been LAN analyzers which run on all variants of Windows
> for a very long time. These can generate / play back traffic, using
> whatever source IP addresses and MAC addresses were on the original
> packets. Obviously, a general spoofing tool for Win95 could be written.
> After reading that part of the tirade, I came to the same conclusion as a
> previous poster... lots of FUD, and not much more.
>
> It's been 5 years since the document now published as RFC 2827 was first a
> draft. Many sites do ingress or egress filtering. Many don't. Most router
> equipment can now handle it, according to the manufacturers. Yes, there are
> issues dealing with multi-homing. However, it appears many attacks still
> originate from single homed sites, dialup sites, cable modem attached
> systems, and the like. In most cases, these could be filtered. Has anyone
> at any of the cable modem vendors made any attempts to try ingress
> filtering in the cable system head-end routers? Did it work? Need help
> trying it out? While Ingress filtering will not cure the world, it can help
> de-fang many attacks. Unfortunately, it requires cooperation to be effective.
>
> -----------------------------------------------------------------
> Daniel Senie                                        dts@senie.com
> Amaranth Networks Inc.                    http://www.amaranth.com
>
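
The ingress filtering discussed in the quoted message (RFC 2827), sketched as an added example that is not part of the original thread or any poster's code: a packet is forwarded only if its source address lies in a prefix assigned to the interface it arrived on. The interface names, the `ASSIGNED` table, the helper functions and all addresses (documentation prefixes) are constructed assumptions; the last sample packet shows the multi-homing issue the message mentions.

```python
# Added illustration of RFC 2827-style ingress filtering; all names and
# addresses are constructed (documentation prefixes), not from the thread.
from ipaddress import ip_address, ip_network

# Prefixes the provider has assigned to each customer-facing interface.
ASSIGNED = {
    "cable-headend-1": [ip_network("192.0.2.0/25")],     # single-homed cable segment
    "dialup-pool-1":   [ip_network("198.51.100.0/24")],  # dialup address pool
    "cust-multihomed": [ip_network("203.0.113.0/26")],   # only the block we assigned
}

def ingress_permit(interface, src):
    """Permit a packet only if its source lies in a prefix assigned to the
    interface it arrived on; unknown interfaces are denied."""
    addr = ip_address(src)
    return any(addr in net for net in ASSIGNED.get(interface, []))

def filter_packets(packets):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_permit(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped

def allow_prefix(interface, prefix):
    """Multi-homing case: also accept a prefix the customer holds from
    another provider, so its legitimate traffic is not dropped."""
    ASSIGNED.setdefault(interface, []).append(ip_network(prefix))

# Constructed sample traffic: (arrival interface, source, destination).
SAMPLE = [
    ("cable-headend-1", "192.0.2.17", "198.51.100.9"),     # source on this segment
    ("cable-headend-1", "203.0.113.200", "198.51.100.9"),  # source not on this segment
    ("dialup-pool-1", "198.51.100.44", "192.0.2.1"),       # source in the dialup pool
    ("cust-multihomed", "203.0.113.130", "192.0.2.1"),     # customer's other-provider block
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
    # Without an explicit exception the multi-homed customer's packet is dropped.
    allow_prefix("cust-multihomed", "203.0.113.128/26")
    print("after exception:", ingress_permit("cust-multihomed", "203.0.113.130"))
```
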

