RE: DDoS to microsoft sites (? avenues of attack!)

["Eaton, Arthur" <AEaton () FDIC gov>]

See bottom for response to Matt Adcock...
> On 30 Jan 2002 at 12:47, Adcock, Matt <Matt.Adcock () gsccca org> wrote
> (in response to 'Bronek Kozicki' <brok () rubikon pl>):
  [Snippet quotes-]
> [1] According to your logic, the only way to make a secure machine is to
> shut everything off. That's absolutely ridiculous.  
>
> [2] I'd really like for you to explain to me how a Windows network will
> run without NetBIOS.  Try shutting it down sometime - you'll break your
> Windows network, even 2000.
>
> [3] I'd also like for you to explain to me how you can brute force attack
> admin accounts just because NetBIOS is open.
>
> Matt

[1] Matt, there is one other way to make a machine *totally* secure:
   (a) Disconnect it from all networks,
   (b) Remove any & all wireless components,
   (c) Wrap it in 3 layers of aluminum foil (cheap Tempest), and
   (d) Either lock yourself in the computer room for life, or seal
       the computer in concrete or thermoplastic (your choice).

    Seriously, we cannot eliminate risk and continue to communicate.
    The best we can do with risk is to manage it.

[2] DHCP and D(ynamic)DNS (Cisco or other).  It's been done for years.
    TCP/IP works fine in a LAN and you can remove all other protocols.  
    It also limits sniffing with a single sniffer to a single segment.
    (Well, OK, so it gives fits to network-type IDS software vendors.)

[3] For one thing, Matt, you can't set up a firewall to block unknown
    NetBIOS (MAC) names, but you can set a firewall or router to block
    unknown or known IP address ranges and known domain names.  Also,
    check out Hacking Exposed, Secrets & Lies, etc.

Jason Robertson, in his earlier message to you, is absolutely right --
firewalls are not the be-all and end-all of security, for the primary
reason that this business is the most rapidly changing of any human
endeavor in the world: What was true yesterday may be false tomorrow.

The more defenses we have at our disposal, the more likely we will be
able to adapt one quickly to a new kind of threat.  This was once more
demonstrated just recently at FDIC, when we were able to quickly block
the MyParty virus/worm at our domain gateway long before the new virus
definitions were available from our vendor.

James Butler Hickock used only one pistol at a time, but he wore two -
just in case - and had a shotgun available when things got shaky.  So
arm yourself and your LANs, Matt!

Arthur Eaton
FDIC-CSIRT

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com