A real eye-opener:

http://grc.com/dos/winxp.htm

A real eye-closer:

http://www.theregister.co.uk/content/55/20160.html

Frankly, I am not an expert in such things, but Mr Gibson does seem to be determined to make a fool of himself in public.

(pop quiz for Adams enthusiasts: what is the fate reserved for those who are determined to make fools of themselves in public?)

Oh, and this one:

http://www.theregister.co.uk/content/6/20172.html

I would say the man is:

1) ticked off! (he was attacked heavily)
2) passionate about prevention
3) on a crusade to enlighten as many people as possible
4) on a mission to convince Microsoft that they are making a (valid) mistake

I myself have had to deal with nasty DOS attacks, while juggling EMS questions basically asking if I am so good, then why can't I stop them because their site is losing thousands of dollars every minute the site is slow... (Ok, I exaggerate a teensy bit - but you get the idea)...

During this time, I have identified 15+ zombies (based on traffic pattern) with changing (random and valid) IPs every 3rd packet for the duration of the attack... It really is the epitomy of playing Internet 'Whack-a-Mole'....

The ultimate solution is 'Egress Filtering' and would have to be a forced issue upon all network borders/gateways in order to work... Even though the solution is know, either laziness or incompetence prevails with those that won't or can't...

--
Terra
--DOS Attack == pushing the little red button that brings down big buildings--
FutureQuest

The XP/DDoS thing is not as clear cut as GRC.com would make out. Contrary to what GRC says, the ability to spoof an IP address is not unique to Windows XP & 2000. In fact it can be done in all Windows versions - its just a matter of how much effort the programmer is prepared to make.
More importantly most DDoS zombies do not need or want to spoof IP addresses because they're not their own IP addresses!


GRC has always appeared a tad fanatical about the issues it takes to heart and imho many of these have been on very shaky technical ground. I'm just glad someone is finally questioning GRCs latest campaign.

Regards,

Rob

Of course if I'm wrong and spoofed IP packets do become a major problem then this will add weight to the argument that ISPs and others should implementing 'egress filtering' - that would fix the problem once and for all.

Rob

Gibson's story about his first DDOS attack was a very interesting read.

However, his opinion on Windows XP containing major security flaws just because it supports raw sockets seems far over the top.

After his first article I tended to believe him, but after reading several other articles on the subject I revised my opinion and am now convinced that Gibson is on a crusade against Windows XP.

I agree with the others stating that the DDOS problem should be attacked at the root (i.e. egress filtering).

Jan Derk
-- For once Microsoft implements something the right way and they still get bashed --

Contrary to what GRC says, the ability to spoof an IP address is not unique to Windows XP & 2000.

Just to be accurate, GRC never said this. In fact, it says this:

Note: I am FULLY aware that full raw socket-style access can be created by modifying any standard Windows operating systems through the addition of third-party device drivers.

Granted, I was refering to his original article which has since been updated and grown in length somewhat as well.

Rob

Somewhat off topic, he was interviewed at length (http://search1.npr.org/search97cgi/s97_cgi?action=View&VdkVgwKey=%2Fopt%2Fcollections%2Fzeus%5Fnewseditor%2Ffuturetense% 2Fdata%2F17928%2Ehtm&DocOffset=4&DocsFound=53&QueryZip=Gibson&Collection=zeus&Collection=C1&Collection=WEB&SortSpec=Modified+Desc+Score+Desc&ViewTemplate=docview%2Ehts&SearchUrl=http%3A%2F%2Fsearch1%2Enpr%2Eorg%2Fsearch97cgi%2Fs97%5F cgi%3Faction%3DSearch%26QueryZip%3DGibson%26ResultTemplate%3Dsimp lesearch2%252Ehts%26QueryText%3DGibson%26Collection%3Dzeus%26Coll ection%3DC1%26Collection%3DWEB%26SortSpec%3DModified%2BDesc%2BSco re%2BDesc%26ViewTemplate%3Ddocview%252Ehts%26ResultStart%3D1%26Re sultCount%3D10&) ("interviewed" as in "allowed to talk without much interruption") on NPR's All Things Considered last week, June 26th (Tuesday.) Pretty much a recount of what he's already posted at his site. Sorry for the icky URL, that's the best I could do.

See also my ramble on the same topic at http://www.aota.net/forums/showthread.php?s=&postid=12258#post12258