[Snort-users] GRC.com attack and TCP stacks

Galitz galitz at ...247...
Fri Jun 22 20:44:32 EDT 2001


> > I was just reading this article about how Gibson Research
> > was knocked off the net ( http://grc.com/dos/grcdos.htm ).
> > Near the end of the article was a section on detecting these
> > bots.  As a new snort user, I can probably RTM and create
> > some rules that create an alert for ports 6667 and 113,
> > but how do I test it?  -George
> 
>

So, I read the above URL, but I am curious.  Steve
states:


    Microsoft's engineers never fully implemented the complete
    "Unix Sockets" specification in any of the previous versions
    of Windows. 

And goes on to say that a MS Windows pre-2000 or XP box cannot
generate spoofed packets without the attacker (or security 
auditor) using special device drivers.

My question is... what the heck is he talking about?  Is
this true?  Is it not possible to generate spoofed traffic
on an NT box using only the OS and no new drivers to be
installed?  What missing functionality is being alluded
to here?

-geoff


-----------------------------------------------------------------------
Geoff Galitz                     |  "Beer is proof that God loves us."
Research Computing, UC Berkeley  |     Theodore Roosevelt
galitz at ...247...       |
-----------------------------------------------------------------------



