nanog mailing list archives

RE: Government scrutiny is headed our way


From: Charles Sprickman <spork () inch com>
Date: Mon, 22 Jun 1998 12:59:45 -0400 (EDT)

The danger with Wingate (unless they've fixed it recently, but even then
there's plenty of old revs out there) is that it provides an anonymous
jumping-point for a cracker to launch an attack.  

Consider this example:

"Joe DoS" dials into his local ISP, maybe even with a legit account.  He
runs strobe or some other port scanner against another randomly
chosen ISP's netblock that they use for dialup looking for an open port
23.  He finds one.  It says "Hi, I'm a crappy wingate telnet proxy".  Our
cracker friend can then telnet there and from the wingate proxy go to any
number of his hijacked shell accounts to start running smurf.  If anyone
wants to track *him* down, they're pretty much out of luck.  No one to
prosecute.  Wingate *does not* log these connections.

The problem with Wingate is that it shipped (ships?) with the telnet proxy
wide open to the outside world.  This is a very popular means for people
without scruples to anonymize their connections to the machines from which
they do their damage.  To the admin of the machine on which the smurf
attack is running it appears the rogue user is coming from the dialup ip
of the wingate user.  

How can you prosecute a smurf attack if your attacker has absolute
protection through anonymity?

Personally, I think the makers of Wingate should be strung up for having
such a stupid default behaviour in a product like this, and they should
have pulled it from the market and offered patches/instructions to stop
this behaviour as soon as they were aware of the flaw.  Instead, they sat
on it for months...

Charles

~~~~~~~~~                                       ~~~~~~~~~~~
Charles Sprickman                               Internet Channel
INCH System Administration Team                 (212)243-5200
spork () inch com                                       access () inch com

On Sun, 21 Jun 1998, Andrew Metcalf wrote:

Date: Sun, 21 Jun 1998 12:26:21 -0400
From: Andrew Metcalf <prelude () mindspring com>
To: 'Henry Linneweh' <linneweh () concentric net>
Cc: "'nanog () merit edu'" <nanog () merit edu>
Subject: RE: Government scrutiny is headed our way

I have never heard of either of these things, and I don't think they are 
worthy of the NANOG list. I use WinGate at home, it is a Win95 gateway 
program, so you can have a little proxy at home for your other systems with 
only one dialup. I'm sure many of you are familiar with it. I can't even 
imagine how it could generate spoofed packets in its legitimate form ( and 
I don't know of anyone who has modified it to do so). Go to Yahoo or 
win95.com and look up Wingate for more info. As far as I remember the 
reason SMURFING is called SMURFING is because the executable is called 
smurf! How would you "ban that code"? Ban a commercially viable product?

The system.exe file? What is that? I have not heard of that either, I 
assume you are talking about win95 still. Maybe you mean system.dat (system 
registry)? The registry cannot be modified to spoof packets my friend. 
Surely what you are talking about is not true. Neither of these claims is 
worth technical merit. I'll now go back to my normal lurking.

thanks

andrew

If we believe absurdities, we shall commit atrocities.
                                             - Voltaire

On Sunday, June 21, 1998 5:03 AM, Henry Linneweh 
[SMTP:linneweh () concentric net] wrote:
Now that we have gotten down to the nitty gritty here.

AGAIN the main mechanism for spoofing the smurf attacks is a program
called wingate, ban that code and this problem will be cut more than in 
half.

Next there is a rumor that 8000 users have been infected with a tweaked
system.exe file that makes that user a smurf amplifier unwittingly. These
are things to watch for. I wish there was an easier way to break bad 
news.

Henry






