Full Disclosure mailing list archives

Re: SP2 and NMAP


From: "Mike Nice" <niceman () att net>
Date: Fri, 13 Aug 2004 10:16:34 -0400

If you read the above Microsoft doc you will see that they have not
"disabled raw packets" but disabled commonly abused types of raw
packet.

   While most of XP SP2 properly addresses the real issues - how to keep the
bad guys out, part of SP2 is a feeble attempt to mitigate the effects of
malware after it has arrived.  Re: outbound rate connection queue
limiting - Even without raw sockets, it is trivial to fill the pipe with TCP
SYNs to one or more addresses, albeit with a real source IP.  (Note to MS:
by the time malware has been installed, it's too late; the horse is already
out of the barn!)

  Since the GRC.com attack 2 years ago, even average ISPs put filters in
place to prevent IP address spoofing.  I saw one piece of Windows malware
about 2 years ago that used spoofed source IPs, but none recently.

Re: no TCP outbound raw sockets; this disables functionality like Win32
TCPtraceroute.  Sometimes that is the only way to track network connectivity
issues.   As you note, the only solution is to run a system other than XP
SP2.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
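Added example (not part of Mike Nice's message or of any tool it names): a TCP traceroute that needs no raw socket, for comparison with the Win32 TCPtraceroute situation described above. It opens one ordinary TCP socket per hop with IP_TTL set to the hop number and enables Linux's IP_RECVERR, so the ICMP Time Exceeded that a router sends back aborts connect() and can be read from the socket's error queue with MSG_ERRQUEUE, together with the address of the router that sent it. This is Linux-only; Winsock exposes no equivalent error queue. The constructed error-queue record, the placeholder target address and all helper names are my own assumptions.

```python
"""TCP traceroute from an ordinary (non-raw) socket, Linux only.

Added example, not code from the post. One SOCK_STREAM socket per hop, with
IP_TTL set to the hop number and IP_RECVERR enabled, so the ICMP Time
Exceeded from a router aborts connect() and lands in the socket's error
queue, where MSG_ERRQUEUE hands it back with the router's address.
"""
import errno
import socket
import struct

# struct sock_extended_err from <linux/errqueue.h>:
#   u32 ee_errno; u8 ee_origin; u8 ee_type; u8 ee_code; u8 ee_pad;
#   u32 ee_info; u32 ee_data;   followed by the offender's sockaddr_in
SOCK_EXTENDED_ERR = struct.Struct("=IBBBBII")
SO_EE_ORIGIN_ICMP = 2
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
IP_RECVERR = getattr(socket, "IP_RECVERR", 11)          # Linux value
MSG_ERRQUEUE = getattr(socket, "MSG_ERRQUEUE", 0x2000)  # Linux value


def parse_errqueue(ancdata):
    """Decode the IP_RECVERR control message from recvmsg() ancillary data.
    Returns (errno, origin, icmp_type, icmp_code, offender_ip) or None."""
    for level, ctype, data in ancdata:
        if level != socket.IPPROTO_IP or ctype != IP_RECVERR:
            continue
        ee_errno, origin, itype, icode, _pad, _info, _data = \
            SOCK_EXTENDED_ERR.unpack_from(data)
        offender = None
        off = SOCK_EXTENDED_ERR.size
        if len(data) >= off + 8:
            family, = struct.unpack_from("=H", data, off)
            if family == socket.AF_INET:   # sin_addr sits at +4 in sockaddr_in
                offender = socket.inet_ntoa(data[off + 4:off + 8])
        return ee_errno, origin, itype, icode, offender
    return None


def classify(rec):
    """Turn a decoded error-queue record into a hop verdict."""
    _ee_errno, origin, itype, _icode, offender = rec
    if origin == SO_EE_ORIGIN_ICMP and itype == ICMP_TIME_EXCEEDED:
        return "ttl-expired", offender      # an intermediate router answered
    if origin == SO_EE_ORIGIN_ICMP and itype == ICMP_DEST_UNREACH:
        return "unreachable", offender      # a router or firewall rejected it
    return "error", offender


def read_errqueue(sock):
    """Dequeue one error record, or None if the queue is empty (EAGAIN)."""
    sock.setblocking(False)
    try:
        _msg, ancdata, _flags, _addr = sock.recvmsg(512, 512, MSG_ERRQUEUE)
    except OSError:
        return None
    return parse_errqueue(ancdata)


def probe_hop(dst, port, ttl, timeout=2.0):
    """Send one SYN with the given TTL and report who answered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    s.setsockopt(socket.IPPROTO_IP, IP_RECVERR, 1)
    try:
        s.connect((dst, port))
        return "open", dst                  # SYN/ACK: the SYN reached the target
    except socket.timeout:
        return "timeout", None              # hop dropped the SYN or the ICMP
    except OSError as e:
        rec = read_errqueue(s)
        if rec is not None:
            return classify(rec)            # ICMP error: the queue names the sender
        if e.errno == errno.ECONNREFUSED:
            return "closed", dst            # RST with no ICMP: reached the target
        return "error", None
    finally:
        s.close()


def tcp_traceroute(dst, port=80, max_hops=30):
    """Probe hop by hop until the target itself (or a dead end) answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        state, addr = probe_hop(dst, port, ttl)
        hops.append((ttl, state, addr))
        if state != "ttl-expired":
            break
    return hops


def sample_time_exceeded(router="10.0.0.1"):
    """Constructed IP_RECVERR record, laid out as the kernel queues it for an
    ICMP Time Exceeded sent by `router` (test fixture, not captured traffic)."""
    ee = SOCK_EXTENDED_ERR.pack(errno.EHOSTUNREACH, SO_EE_ORIGIN_ICMP,
                                ICMP_TIME_EXCEEDED, 0, 0, 0, 0)
    sin = struct.pack("=HH4s8x", socket.AF_INET, 0, socket.inet_aton(router))
    return [(socket.IPPROTO_IP, IP_RECVERR, ee + sin)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    for ttl, state, addr in tcp_traceroute(target):
        print(f"{ttl:2d}  {state:12s} {addr or '*'}")
```

Run it as `python3 tcptrace.py <host>`; each line is one hop with the verdict and the address taken from the ICMP sender, and the walk stops at the first hop that is not a Time Exceeded. Because the SYNs leave through the normal TCP stack, they carry the real source address and are subject to whatever outbound connection limiting the host applies, which is exactly the trade-off the message above is discussing.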

