Government scrutiny is headed our way

:: Joe Shaw writes ::

> Next there is a rumor that 8000 users have been infected with a tweaked
> system.exe file that makes that user a smurf amplifier unwittingly. These
> are things to watch for. I wish there was an easier way to break bad news.

I fell out of my chair at that statement. One user/host cannot be a smurf
amplifier; one network from a /30 and down can with different results.

If I modify my kernel to generate 100 ECHO REPLYs for each ICMP ECHO I
receive, how is my PC significantly different than a /24 behind a
router that doesn't have "no ip directed-broadcast" (or its
equivalent) configured, with 100 devices on it that all respond to ICMP
ECHOs addressed to the broadcast address?

I'm not saying that I believe this rumor (or even that I've heard it
before now), nor am I saying that the rumor has as much thought behind
it as my previous paragraph does, nor am I saying that if you were
going to implement such a thing on a Windows machine that you would
implement it in system.exe. (I'm not even saying that system.exe
exists.)

But I am saying that such a thing is technically feasible. And I am
saying that there are people out there who are not above writing a
virus that facilitates the use of other people's machines in DOS
attacks.

          - Brett (brettf@netcom.com)

> I fell out of my chair at that statement. One user/host cannot be a smurf
> amplifier; one network from a /30 and down can with different results.

> If I modify my kernel to generate 100 ECHO REPLYs for each ICMP ECHO I
> receive, how is my PC significantly different than a /24 behind a
> router that doesn't have "no ip directed-broadcast" (or its
> equivalent) configured, with 100 devices on it that all respond to ICMP
> ECHOs addressed to the broadcast address?

Point noted.

Damn, I get stuck every time I use a blanket statement like that. True,
in your case it could be possible, but modifying the kernel of a
workstation to behave like that would be somewhat foolish since it
would be easily tracked back to that workstation's IP address by the
traffic log most clued admins would put in place when they found they
were under attack. If someone is capable of modifying the kernel of a
machine that doesn't belong to them, then smurf is the least of their
worries; they've got a compromise to deal with. And I think in the case
you've presented, it would be easy to point back to the compromised host,
not that it would do you any good if the people responsible wouldn't act
on the problem.

> I'm not saying that I believe this rumor (or even that I've heard it
> before now), nor am I saying that the rumor has as much thought behind
> it as my previous paragraph does, nor am I saying that if you were
> going to implement such a thing on a Windows machine that you would
> implement it in system.exe. (I'm not even saying that system.exe
> exists.)

Hehe... Plausible (sp?) deniability? :)

> But I am saying that such a thing is technically feasible. And I am
> saying that there are people out there who are not above writing a
> virus that facilitates the use of other people's machines in DOS
> attacks.

Agreed. I think to be more accurate, I should say that an instance like
that hasn't presented itself yet. But, it's entirely possible someone
with half a clue might be able to do it on a Windows box, and it's
certainly possible on various UN*X platforms. The question is, would
someone with that kind of skill be willing to do something with those kinds
of implications? If they are capable of that, then a smurf attack is
somewhat trivial.

However, I think we're getting off topic for the list, but I'd be more
than happy to continue this discussion off-list.

>           - Brett (brettf@netcom.com)

Regards,
Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services

It's certainly different: a standard smurf gets n replies for each packet
received, if you have one hundred hosts, that's 100 replies for each echo
request. A single host sending out 100 replies is no different than a
pingflood, which can't flood more than a serial dialup line. The volume
of replies is 100 times greater for the 100 host network.

As for a "patched system.exe", if it exists, it could be problematic.
There is nothing preventing a workstation from receiving an ICMP echo
request and rebroadcasting it on the LAN with a spoofed source address.
Egress filters on the originator network would be ineffective because the
original packet would have a true source address in it. The destination
machine would accept the packet and spoof it onto its local network, which
would generate (n) replies, which would not be filtered on their way out
of the network to the remote address. The patched system would not log
incoming packets, so the only way to track it down would be to find the
local machine that is sending broadcasts to the local LAN with spoofed
source addresses, and sniff for remote-originated packets destined for
that machine. The only upside is that you'd have the actual IP of the
originator.

Brian Pape
Computer Resource Services
University California Los Angeles
pape@mail.ph.ucla.edu
x59284
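The tracking approach Brian describes in his message (find the local machine that is emitting broadcast echo requests carrying an off-net source address, and count the echo replies leaving toward that address) can be turned into a small detection pass over captured frames. The following is an added example written for this page, not code from any of the posters; it assumes a local /24 (192.168.10.0/24 here) and works on a constructed list of (source MAC, source IP, destination IP, ICMP type) tuples standing in for sniffed frames. The MAC address is the key, because the spoofed IP source says nothing about which local NIC actually put the frame on the wire.

```python
import ipaddress
from collections import defaultdict

# Local network the sniffer sits on (assumption for this example).
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Constructed sample frames: (src_mac, src_ip, dst_ip, icmp_type).
# 00:...:09 is a local NIC injecting echo requests onto the LAN broadcast
# address with a remote (spoofed) source; three local hosts answer each one.
SAMPLE_FRAMES = [
    ("00:10:4b:aa:00:01", "192.168.10.5", "192.168.10.255", ICMP_ECHO_REQUEST),  # local, benign
    ("00:10:4b:aa:00:02", "192.168.10.7", "192.168.10.1", ICMP_ECHO_REQUEST),
    ("00:10:4b:aa:00:09", "10.1.2.3", "192.168.10.255", ICMP_ECHO_REQUEST),      # spoofed source
    ("00:10:4b:aa:00:03", "192.168.10.8", "10.1.2.3", ICMP_ECHO_REPLY),
    ("00:10:4b:aa:00:04", "192.168.10.9", "10.1.2.3", ICMP_ECHO_REPLY),
    ("00:10:4b:aa:00:05", "192.168.10.10", "10.1.2.3", ICMP_ECHO_REPLY),
    ("00:10:4b:aa:00:09", "10.1.2.3", "192.168.10.255", ICMP_ECHO_REQUEST),      # spoofed source
    ("00:10:4b:aa:00:03", "192.168.10.8", "10.1.2.3", ICMP_ECHO_REPLY),
    ("00:10:4b:aa:00:04", "192.168.10.9", "10.1.2.3", ICMP_ECHO_REPLY),
    ("00:10:4b:aa:00:05", "192.168.10.10", "10.1.2.3", ICMP_ECHO_REPLY),
]


def is_broadcast(dst, net):
    """True for the subnet's directed broadcast or the limited broadcast address."""
    return dst == net.broadcast_address or dst == ipaddress.ip_address("255.255.255.255")


def find_spoofed_broadcasters(frames, net=LOCAL_NET):
    """Map each sending MAC to the number of broadcast echo requests it emitted
    whose IP source does not belong to the local network.

    A local host pinging the broadcast address with its own IP is not flagged;
    only frames whose source is outside `net` are counted, since a frame seen on
    the LAN with a remote source and a broadcast destination had to be injected
    by a machine on this segment.
    """
    hits = defaultdict(int)
    for src_mac, src_ip, dst_ip, icmp_type in frames:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        if not is_broadcast(ipaddress.ip_address(dst_ip), net):
            continue
        if ipaddress.ip_address(src_ip) in net:
            continue
        hits[src_mac] += 1
    return dict(hits)


def victim_reply_counts(frames, net=LOCAL_NET):
    """For each off-net address used as a spoofed source, return
    (spoofed_requests, echo_replies_leaving_toward_it).

    The ratio replies/requests is the amplification the segment is providing.
    """
    requests = defaultdict(int)
    replies = defaultdict(int)
    for _mac, src_ip, dst_ip, icmp_type in frames:
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        if icmp_type == ICMP_ECHO_REQUEST and is_broadcast(dst, net) and src not in net:
            requests[src_ip] += 1
        elif icmp_type == ICMP_ECHO_REPLY and src in net and dst not in net:
            replies[dst_ip] += 1
    return {ip: (requests[ip], replies.get(ip, 0)) for ip in requests}


if __name__ == "__main__":
    for mac, count in find_spoofed_broadcasters(SAMPLE_FRAMES).items():
        print(f"local NIC {mac} injected {count} broadcast echo requests with off-net source")
    for ip, (req, rep) in victim_reply_counts(SAMPLE_FRAMES).items():
        print(f"{ip}: {req} spoofed requests -> {rep} replies ({rep / req:.1f}x)")
```

On the constructed capture the report names the single MAC that is injecting the spoofed broadcasts and shows three replies leaving for every request, which is the n-fold amplification the message describes. On a real segment the same two checks run against pcap output; the only inputs needed are the sending MAC, the IP pair and the ICMP type.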