2004-08-11
Service Pack 2 for XP represents a sea change in Microsoft's security posture. Here's why you should ignore the naysayers and start planning your upgrade.
Redmond's Salvation? What?
2004-08-11
Dave (2 replies)
Redmond's Salvation
2004-08-11
Anonymous (1 replies)
Redmond's Salvation
2004-08-12
Anonymous (1 replies)
Redmond's Salvation
2004-08-13
Rob Hughes (1 replies)
Redmond's Salvation
2004-08-11
Anonymous (2 replies)
A better idea
2004-08-12
Aenox (1 replies)
Big Improvements..... yeah right
2004-08-12
Bug Me Not <sf@dodgeit.com> (1 replies)
Redmond's Salvation
2004-08-12
Anonymous (1 replies)

With this hardcoded stuff it's not possible to use the system at full capacity.

Quote:

Two significant changes in Windows XP Service Pack 2 render the system
unusable by Windows network admins.

1) Outbound connection throttling. Windows XP Service Pack 2's
TCPIP.SYS throttles outbound connections.
When a minimum of ten threads are in the SYN_SENT state (which
includes for example ten unanswered ARP WHO HAS requests made on a
/24 segment when scanning a local LAN for rogue machines) TCPIP.SYS
queues the remaining outbound connection attempts and sends a
warning to the System Event Log

    EventID: 4226
    Source: TCPIP
    Message: TCP/IP has reached the security limit imposed
    on the number of concurrent TCP connect attempts

2) Raw socket TCP data segments are filtered. Windows XP Service Pack
2's "Windows Firewall and Internet Connection Sharing (ICS)"
service filters attempts to send data using "Raw Sockets."
Stopping or disabling (net stop SharedAccess) the WF/ICS service
re-enables "Raw Sockets."

The WIN32 version of the circa 2000 "DoS via Stream3" tool
still sends packets with mangled flags and spoofed source addresses
on Windows XP Service Pack 2 (when WF/ICS service is stopped.)
Spoofed packets sent using

    s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&Val, sizeof(Val));

are *not throttled* in TCPIP.sys

As a "Raw Socket" DDoS platform, Windows XP Service Pack 2
remains viable for an attacker. Adding code to turn off the WF/ICS
service to four-year-old DoS code should bear fruit for malicious
coderz.

At the same time, Windows XP SP 2 remains utterly useless for remote
vulnerability scanning and remote assessments by admins.
Link to this comment: http://www.securityfocus.com/comments/columns/259/27904#27904
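
Added example (not part of the comment above, and not SecurityFocus or Microsoft code): a log-triage sketch that flags hosts showing either condition the quoted text describes, repeated TCPIP event 4226 or a stopped WF/ICS service. Assumptions: System log records were exported to CSV with the column names shown, the host names and threshold are constructed, and the service stop is read from Service Control Manager event 7036, with message text constructed for this sample.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: System log records exported as CSV, one row per event.
SAMPLE = """host,time,source,event_id,message
WS-014,2004-08-12T09:01:07,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts
WS-014,2004-08-12T09:01:09,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts
WS-014,2004-08-12T09:02:30,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts
WS-022,2004-08-12T10:15:00,Service Control Manager,7036,The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
WS-031,2004-08-12T11:00:00,Service Control Manager,7036,The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
WS-031,2004-08-12T11:00:05,Service Control Manager,7036,The Windows Firewall/Internet Connection Sharing (ICS) service entered the running state.
WS-031,2004-08-12T11:20:00,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts
"""


def triage(csv_text, throttle_threshold=3):
    """Map host -> findings for the two conditions named in the quoted text."""
    # ISO timestamps sort lexicographically, so the last state change wins.
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    throttle_hits = defaultdict(int)  # host -> number of 4226 events
    wf_stopped = {}                   # host -> True if WF/ICS last seen stopped
    for r in rows:
        source, msg = r["source"].strip().lower(), r["message"].lower()
        if r["event_id"] == "4226" and source == "tcpip":
            throttle_hits[r["host"]] += 1
        elif (r["event_id"] == "7036" and source == "service control manager"
              and "internet connection sharing" in msg):
            wf_stopped[r["host"]] = "stopped state" in msg
    findings = defaultdict(list)
    for host, n in throttle_hits.items():
        if n >= throttle_threshold:
            findings[host].append(f"connect limit reached {n} times (event 4226)")
    for host, stopped in wf_stopped.items():
        if stopped:
            findings[host].append("WF/ICS service stopped (raw-socket filter off)")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in sorted(triage(SAMPLE).items()):
        print(host, "->", "; ".join(notes))
```

WS-031 is not reported with the default threshold: its WF/ICS service was restarted five seconds after stopping, and a single 4226 event is below the threshold of three.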