Chris Rapier writes:
From: Chris Rapier <rapier@psc.edu>
CC: nanog@merit.edu
Subject: Re: GRC rides again...
Date: Mon, 02 Jul 2001 10:45:39 -0400
My feeling is that he's missing some clues regarding the necessary
realities of the situation. It's not so much a matter of laziness,
<snip>
I'm also sure that XP might increase the number of spoofed packets
running through the network. If that spurs more ISPs to use source
address filtering then that's a good thing. Even if they don't it is
possible to track down where a spoofed IP is coming from - it's more of
a social engineering issue than a technical one.
The GRC page talks about his DoS attack, and he also rants about the
"dangers" of the IP stack in XP, but his DoS attack didn't come from
sources sending spoofed packets, so source address filtering wouldn't
have helped in this case. GRC complaining about the spoofed packet
problem should be a separate rant on his website (who knows...it
probably is!).
-rb
There are some basic protections an ISP can take, but really what Gibson is
crying about is an end-node security problem.
What can ISPs do? Doesn't their ability to add value to the security equation
revolve around each ISP performing its role in the process of routing and
distributing packets, no more and no less? Aside from removing spoofed packets,
performing ingress and egress filtering, and responding to direct customer and
supplier needs, I don't see anything else an ISP itself can do.
One caveat to the above: I don't buy all this bullshit about "peering" vs.
"customer/supplier" relationships. If you send a packet to a network, you are
that network's supplier and should be willing to act in a supplier's capacity.
If you receive a packet from a network, you are that network's customer and
should be willing to act as a customer. If you are doing both, then you have to
put on both hats as needed and step up to take responsibility for the business
arrangement as it is. Hiding behind peering agreements to ignore problems or
blame the other party solves nothing.
Lack of security clue on the part of an end-node is an end-node's problem. If
all the people who run Windows boxes suddenly went to RedHat 7, we'd have a mass
of lpd, wu-ftpd, rpc.statd and similar problems. The solution lies with
education of the ignorant masses on the basics of security. While this is not
an ISP's responsibility, those immediately upstream of end-nodes may want to
offer it as a value-added service. It would appear there is certainly a market.
My $0.02.
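The ingress and egress filtering the message above names, as an added example that is not from any poster in this thread: a Python model of source address validation at an ISP's customer-facing and upstream edges, with constructed interface names, documentation address ranges and sample packets. It also shows why the egress check still matters when one customer port is left unfiltered.

```python
import ipaddress
from collections import Counter
# Constructed topology (documentation address ranges, hypothetical port names).
# Each customer port maps to the prefixes assigned to that customer, the only
# knowledge an ingress filter needs; None models a port with no filter at all.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("203.0.113.128/26")],
    "cust-legacy": None,
}
# The ISP's whole address space: a packet heading out to a peer or transit
# provider with a source outside it was forged somewhere inside the ISP.
ISP_AGGREGATE = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def ingress_verdict(ingress_if, src):
    """Customer-edge check: accept only sources assigned to the customer behind the port."""
    if ingress_if not in CUSTOMER_PREFIXES:
        return "drop:unknown-interface"
    allowed = CUSTOMER_PREFIXES[ingress_if]
    if allowed is None or _in_any(ipaddress.ip_address(src), allowed):
        return "accept"
    return "drop:ingress-spoof"


def egress_verdict(src):
    """Upstream-edge check: the backstop for any port the ingress filter missed."""
    if _in_any(ipaddress.ip_address(src), ISP_AGGREGATE):
        return "accept"
    return "drop:egress-spoof"


def filter_traffic(packets):
    """Run (ingress_if, src) pairs through both checks and tally the verdicts."""
    tally = Counter()
    for ingress_if, src in packets:
        verdict = ingress_verdict(ingress_if, src)
        if verdict == "accept":          # only ingress-clean packets reach the edge
            verdict = egress_verdict(src)
        tally[verdict] += 1
    return dict(tally)

# Constructed sample: two honest packets, one customer forging another customer's
# range, one forging an outside address, and one forged on the unfiltered port.
SAMPLE = [("cust-a", "198.51.100.7"), ("cust-b", "203.0.113.130"),
          ("cust-a", "203.0.113.9"), ("cust-b", "192.0.2.1"),
          ("cust-legacy", "192.0.2.1")]
```

Calling `filter_traffic(SAMPLE)` tallies two accepted packets, two dropped at the customer edge and one caught only by the egress check.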
The GRC page talks about his DoS attack, and he also rants about the
"dangers" of the IP stack in XP, but his DoS attack didn't come from
sources sending spoofed packets, so source address filtering wouldn't
have helped in this case. GRC complaining about the spoofed packet
problem should be a separate rant on his website (who knows...it
probably is!).
I suspect that there were two attacks - because a few days after he posted a
smug "I blocked all the compromised machines at the ISP and didn't even
notice later attacks" on his site, he posted a hands-up "I surrender, you
win" - and started ranting about the dangers of XP. The reaction is about
what I would expect if his smug "I beat the haxors" page annoyed someone
enough that he *did* launch a spoofed attack, and one with a sufficient
variety of source IPs that there was no blocking it.
MS reply, for all this nonsense
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/raw_sockets.asp
Benny Fischer
Chief Technical Officer
Infinet Internet Services
benny@infinet-is.com
480-<snip>