Re: Alert: New Teardrop Attack
- To: NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM
- Subject: Re: Alert: New Teardrop Attack
- From: Russ <Russ.Cooper RC.ON.CA>
- Date: Tue, 3 Mar 1998 16:53:55 -0500
- Reply-To: Russ <Russ.Cooper RC.ON.CA>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM>
Update.

1. The Linux claims seem to be unfounded, various older Linux boxes have stayed up despite being attacked.

2. One source states unequivocally that the Teardrop-2 fix supplied by Microsoft in January *does* prevent the attack. As yet, however, I haven't spoken to anyone directly who has seen a machine withstand an attack after being patched (the attacks are being done to random machines on a subnet to random ports on those machines).

3. The source port for the attack *may* be 4000. There are reports of the source IP being a spoofed address out of ais.net. One site found filtering on inbound packets originating from port 4000 successful at preventing the attack. Obviously this is a stop gap measure since it should not be difficult to change the source port.

4. I said it began today, but it seems to have started yesterday. The attackers are attacking "known" IP addresses, not just throwing packets at a network or subnet. It is also not broadcast based, but specifically targeted at specific machines (although one person reported an HP JetDirect that appeared to be attacked, so clearly they do not know what is behind the IP address they are attacking).

If you don't already have this applied, apply it now.

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/Q179129.txt
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/README.TXT

for Intel
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/tearfixi.exe

for alpha
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/tearfixa.exe

As more information arrives I'll pass it along. Thanks to all the various unnamed sources for their information.

Cheers,
Russ