From - Fri Sep 12 12:29:51 1997
Path: news.mitre.org!blanket.mitre.org!agate!howland.erols.net!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!mindspring!news.mindspring.com!usenet
From: dleblanc@mindspring.com (David LeBlanc)
Newsgroups: comp.os.ms-windows.nt.admin.security
Subject: Re: NT Crash after acces on special tcp port
Date: Thu, 11 Sep 1997 11:36:35 GMT
Organization: MindSpring Enterprises
Lines: 54
Message-ID: <341ad3ea.1143476101@news.mindspring.com>
References: <01bcb93e$53e9e680$01000a86@compaq> <5up1ov$h3p@wapping.ecs.soton.ac.uk>
NNTP-Posting-Host: user-2k7i82t.dialup.mindspring.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Server-Date: 11 Sep 1997 11:36:24 GMT
X-Newsreader: Forte Agent .99g/32.339

dps96r@ecs.soton.ac.uk (Duncan Simpson) wrote:

>ping of doom: NT crashes.
>winuke: MSG_OOB to port 139. NT crashes.
>ssping: Fragment reassembly bug. NT crashes.

These are all fixed by the icmp-fix, as they all replace tcpip.sys,
and that is the latest one. BTW, NT isn't normally vulnerable to the
POD, which is different than the ssping.

>wins flooding: WINS exits. NT does not crash.
>jizz, etc: NT cache gets false DNS information. NT DNS servers are
>vulnerable too. Upgrading my (Linux) one to bind 8.1.1.

Both patched. So far as DNS goes, pick your poison - both BIND and
MS's DNS server have their own problems, as well as some in common.

>AFAIK there is no fix for
>SYN flooding: Nobody is able to open a TCP connection to your
>machine. Works w.o. any problems on all versions of NT AFAIK.

This is very incorrect. MS has one of the better SYN attack patches -
pre-SP1, IIRC. See Q142641 07-OCT-1996. C'mon, man - you usually come
up with some of the better stuff, instead of ragging on NT for stuff
that was fixed almost a year ago.

>Source routing: Really handy for faking the identity of my source
>address and still getting all the packets! I just claim my (evil) box
>is somewhere in the middle and NT sends all the replies via my box
>(they actually stop there of course and originated from there, but NT
>can not notice). Linux and most other Unices can be configured to
>drop source routed packets. NT *should* be able to but can not.

This is assuming that none of the routers between here and there drop
them - otherwise, you're correct. However, seeing as NT bases very,
very little on source IP, I'm not too sure how you plan to do much
with it. OTOH, stuff like Ascend routers drop source-routed packets by
default.

>...and more I do not have in my mind at present.

There will be more - don't go acting like Linux is immune to this,
either - except the UNIX's tend more towards remote root compromises,
rather than DOS attacks. I did find the wu-ftpd DOS attack rather
amusing - did you know NT's FTP server isn't vulnerable to that one?

David LeBlanc           |Why would you want to have your desktop user,
dleblanc@mindspring.com |your mere mortals, messing around with a 32-bit
                        |minicomputer-class computing environment?
                        |Scott McNealy