Vulnerability Development mailing list archives

Re: is: tcp/ip vuln, not?... was: WSCRIPT.EXE ,CSCRIPT.EXE replacement for *.vbs


From: jlegate () ALIENCHICK COM (Jason Legate)
Date: Wed, 17 May 2000 15:03:04 -0700


In addition, the inability for routers to filter a major portion of the
data (null tcp packets/ack tcp packets) due to the possible validity of
all the packets.  If router filters are added to block a major chunk of
the newer DDoS's, they would have to block all legit traffic since the
newer packet generators generate "normal tcp traffic".

-j

On Tue, May 16, 2000 at 12:41:08AM +0000, Crispin Cowan wrote:
> Bluefish wrote:
>
> > Ehm. In what way did shortcomings of TCP/IP have any specific impact upon
> > the DDoS attacks? The attack was dependent upon two issues:
> >   1. ability to fill up the physical bandwidth (alas network hardware)
> >   2. ability to overload local resources (RAM, processor etc)
>
> 3.  Ability to spoof a source IP address.
>
> 3 is critical, because the DDoS attacks use a relatively small number of zombie
> machines to spoof the existence of a really large number of legitimate clients.
> Without source IP address spoofing, the attacker could easily discover the few
> dozen zombie machines that are pounding the defender's machine, and have them
> shut down.
>
> > None of these attacks were directly related to any TCP/IP vulnerability.
>
> The complete lack of authentication in IP datagrams is directly related to the
> TCP/IP vulnerability.
>
> Crispin
> -----
> Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
> Free Hardened Linux Distribution:                 http://immunix.org
>                   JOBS!  http://immunix.org/jobs.html

-- 
/--------------------------/ Jason Legate \------------------------\
|     jlegate () sitesmith com       |         SiteSmith, Inc.        |
|        24x7 Call Center         |    http://www.sitesmith.com    |
|          888.898.7667           |     PGP Key ID - 0xA855AAC3    |
+---------------------------------+--------------------------------+
| Fingerprint - 2D5F 87A0 26E6 A65B 6837  D100 FB54 A972 A855 AAC3 |
\------------------------------------------------------------------/

