[Snort-users] GRC.com attack and TCP stacks

Mayers, Philip J p.mayers at ...1913...
Mon Jun 25 07:32:32 EDT 2001


I have to say, the grc.com article was more than a little alarmist. Raw
sockets aren't the problem - the abuse of such a facility is a symptom of a
larger problem, that of ISPs not doing egress checking.

A lot of ASIC-based router (vendors) don't provide an easy way to do this,
but they all provide ACLs, which should be implemented at their edge
connections. ISPs using Ciscos have no excuse at all. The future would be a
lot rosier if these kinds of things started to come turned on by default...
And yes, I'm well aware of the problems running with RPF checking in a
multi-routed core - but I'm talking about the *edge*.

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

-----Original Message-----
From: Benjamin Krueger [mailto:roo at ...2375...]
Sent: 24 June 2001 03:06
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] GRC.com attack and TCP stacks



The big deal is that 2k does, and more importantly, XP will, 
have support for raw sockets (enabling spoofing) by default.
Millions of shiny new end user XP machines on cable and dsl
that let a trojan bot spoof with their default stack.
This is the future kids...

Benjamin Krueger
Rogue Unix Weenie
