SocketToMe II

August 21, 2001 4:38 AM - 5:14 AM UTC

This is lovely II. First the increasingly flustered führer blurts:

Subject: A low machine-count attack . . .
Date: Mon, 20 Aug 2001 21:38:33 -0700
From: Steve Gibson

Hi Gang,

That three-hour outage just now was an 18-machine UDP flood, almost certainly launched from security-compromised Windows PCs. Those 18 attacking machines were not spoofing their source IPs because, as we know, until the release of Windows XP, they can't and don't.

It's going to be much more annoying for the world when these compromised Windows boxes can easily generate spoofed source IP SYN floods to port 80 -- something they are currently unable to do.

Steve Gibson,             at work on: < a million loose ends >

Then, only sixteen minutes later, Robin Keir asks what the whole world must have been wondering:

Subject: Re: A low machine-count attack . . .
Date: Mon, 20 Aug 2001 21:54:18 -0700

Um, how can you say that Steve? Many of the 300,000+(?) machines hit by Code Red (in fact ALL of them exploited by CR2 3rd variation) were running Windows 2000. And with Code Red gaining SYSTEM privileges on Windows 2000 they could ALL have spoofed their source IPs in a DDoS attack if they had wanted to. But they didn't.
Then, a minuscule twenty minutes after that, the ever-vigilant führer realises his 'wee slip':

Subject: Re: A low machine-count attack . . .
Date: Mon, 20 Aug 2001 22:13:18 -0700
You're right Robin. I'm still thinking in terms of the multiple DDoS attacks we were hit with in May having exactly the same attack characteristics and which were launched from Zombied Win9x-class boxes where raw sockets were not available.

Steve Gibson,             at work on: < a million loose ends >

It must be the 'million loose ends' conspiring to confuse the fearful führer, but it's still blather blather and more blather, for the 'Zombied Win9x-class boxes' (<-- you gotta love that one) were in fact nothing of the sort, but it seems even the führer is given to (gratuitous) flights of fancy.

For example, the breakdown of the machines used in the June attack on poor GRC.com is as follows:

OS                        Machines
Windows 2000              117
Windows NT 4              32
Cisco 2611 (IO12.)        2
Linux 2.2.14 - 2.2.16     1
FreeBSD 4.1 - 4.2         1
OpenBSD                   1
Netopia DSL Router        1
WatchGuard FireBox II     1
[Unknown]                 15
Windows 9x                1

Will these embarrassing and increasingly frequent flubs, blurts and flailings go the way of their earlier brethren and also be removed to oblivion? Will not the faithful otherwise begin to doubt their beloved leader? That faint rumbling sound you hear comes from the discontented masses assembled on the throne room floor...