RE: Government scrutiny is headed our way

I have never heard of either of these things, and I don't think they are
worthy of the NANOG list. I use WinGate at home, it is a Win95 gateway
program, so you can have a little proxy at home for your other systems with
only one dialup. I'm sure many of you are familiar with it. I can't even
imagine how it could generate spoofed packets in its legitimate form ( and
I don't know of anyone who has modified it to do so). Go to Yahoo or
win95.com and look up Wingate for more info. As far as I remember the
reason SMURFING is called SMURFING is because the executable is called
smurf! How would you "ban that code"? Ban a commercially viable product?

The system.exe file? What is that? I have not heard of that either, I
assume you are talking about win95 still. Maybe you mean system.dat (system
registry)? The registry cannot be modified to spoof packets my friend.
Surely what you are talking about is not true. Neither of these claims is
worth technical merit. I'll now go back to my normal lurking.

thanks

andrew

If we believe absurdities, we shall commit atrocities.
                                             - Voltaire

Now that we have gotten down to the nitty gritty here.

AGAIN the main mechanism for spoofing the smurf attacks is a program
called wingate, ban that code and this problem will be cut more than in
half.

Next there is a rumor that 8000 users have been infected with a tweaked
system.exe file that makes that user a smurf amplifier unwittingly. These
are things to watch for. I wish there was an easier way to break bad
news.

The danger with Wingate (unless they've fixed it recently, but even then
there's plenty of old revs out there) is that it provides an anonymous
jumping-point for a cracker to launch an attack.

Consider this example:

"Joe DoS" dials into his local ISP, maybe even with a legit account. He
runs strobe or some other port scanner against another randomly
chosen ISP's netblock that they use for dialup looking for an open port
23. He finds one. It says "Hi, I'm a crappy wingate telnet proxy". Our
cracker friend can then telnet there and from the wingate proxy go to any
number of his hijacked shell accounts to start running smurf. If anyone
wants to track *him* down, they're pretty much out of luck. No one to
prosecute. Wingate *does not* log these connections.

The problem with Wingate is that it shipped (ships?) with the telnet proxy
wide open to the outside world. This is a very popular means for people
without scruples to anonymize their connections to the machines from which
they do their damage. To the admin of the machine on which the smurf
attack is running it appears the rogue user is coming from the dialup ip
of the wingate user.

How can you prosecute a smurf attack if your attacker has absolute
protection through anonymity?

Personally, I think the makers of Wingate should be strung up for having
such a stupid default behaviour in a product like this, and they should
have pulled it from the market and offered patches/instructions to stop
this behaviour as soon as they were aware of the flaw. Instead, they sat
on it for months...

Charles

~~~~~~~~~                                    ~~~~~~~~~~~
Charles Sprickman                            Internet Channel
INCH System Administration Team              (212)243-5200
spork@inch.com                               access@inch.com
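The flaw Charles describes is a relay that accepts sessions from anyone and keeps no record of them. The following is an added illustration, not WinGate's configuration or code: a toy relay policy model (names, networks and connection attempts are all constructed) showing the default-open policy beside a LAN-restricted one that logs every decision, plus a pre-deployment check for sources outside the home network.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of a telnet-proxy style relay policy (hypothetical, not
# any real product's config format).
@dataclass
class RelayPolicy:
    name: str
    allowed_sources: list       # networks whose clients may use the relay
    allowed_destinations: list  # networks the relay may connect onward to
    log: list = field(default_factory=list)

    def decide(self, src, dst, dport):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ok_src = any(src_ip in net for net in self.allowed_sources)
        ok_dst = any(dst_ip in net for net in self.allowed_destinations)
        verdict = "relay" if ok_src and ok_dst else "refuse"
        # Record every decision; an unlogged relay leaves nothing to trace back.
        self.log.append(f"{self.name} {verdict} {src} -> {dst}:{dport}")
        return verdict == "relay"

ANY = [ipaddress.ip_network("0.0.0.0/0")]
LAN = [ipaddress.ip_network("192.168.1.0/24")]  # constructed home LAN

# Weak default: any Internet host may relay onward to any destination.
OPEN_RELAY = RelayPolicy("open", ANY, ANY)
# Hardened: only the home LAN may use the relay.
LAN_ONLY = RelayPolicy("lan-only", LAN, ANY)

# Constructed connection attempts: (source, destination, port); the public
# addresses are from the documentation ranges and belong to no one.
ATTEMPTS = [
    ("192.168.1.20", "203.0.113.7", 23),  # LAN user's own outbound telnet
    ("198.51.100.9", "203.0.113.7", 23),  # outside dial-up client bouncing through
    ("198.51.100.9", "192.168.1.1", 23),  # outside client reaching into the LAN
]

def relayed_by(policy, attempts=ATTEMPTS):
    """Return the attempts a policy would relay onward."""
    return [a for a in attempts if policy.decide(*a)]

def exposed_to_outside(policy, internal=LAN):
    """True if any allowed source network is not contained in the internal LAN."""
    return any(not any(net.subnet_of(lan) for lan in internal)
               for net in policy.allowed_sources)
```

Run against the constructed attempts, the open policy relays all three (including the bounce Charles describes) while the LAN-only policy relays just the first, and exposed_to_outside flags the open policy before it is ever deployed.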