ZigStack - Hardening your TCP/IP Stack

23.12.2003, 19:32
Member
Ajax

Posts: 890
#1 ZigStack v.3

Hardening your TCP/IP stack (against DoS attacks) on Windows NT/2K/XP/2003-based workstations and servers.

Quote

The TCP/IP protocol suite implementation for Windows NT/2K/XP/2003 obtains all of its configuration data from the registry. This information is written to the registry by the Setup program. Some customer installations may require changes to certain default values. To handle these cases, optional registry parameters can be created to modify the default behavior of some parts of the protocol drivers.
It is a command-line tool without a GUI.
That may put off the pampered Windows user at first. Maybe a GUI will be added later on, though.

http://xaitax.de/stuff.html

Regards
Ajax
23.12.2003, 19:54
Honorary member
Robert

Posts: 2283
#2 Sounds good - unfortunately it is rather sparsely documented, so you don't know exactly what the tool does.

R.
__________
powered by http://different-thinking.de - networks, protocols, security, ...
23.12.2003, 20:14
Member

Thread starter
Ajax

Posts: 890
#3

Quote

Sounds good - unfortunately it is rather sparsely documented, so you don't know exactly what the tool does.

Sorry Robert, I was too stingy with the paper again ;)
methods

Quote

-s

This registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKs. When you set this method, the connection responses time out more quickly in the event of a SYN attack (a type of denial of service attack).

In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server, and the server leaves the half-open connections open until it is overwhelmed and is no longer able to respond to legitimate requests.

-d

TCP is allowed to perform dead-gateway detection. When dead-gateway detection is enabled, TCP may ask the Internet Protocol (IP) to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways are defined in the Advanced section of the TCP/IP configuration dialog box in Network Control Panel.

An attacker could force the server to switch gateways, potentially to an unintended one.

-m

TCP attempts to discover either the maximum transmission unit (MTU) or the largest packet size over the path to a remote host. TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs by discovering the path MTU and limiting TCP segments to this size. Fragmentation adversely affects TCP throughput. It is recommended that you set this method. When you do so, an MTU of 576 bytes is used for all connections that are not hosts on the local subnet.

If you do not set this value to 0, an attacker could force the MTU to a very small value and overwork the stack by forcing the server to fragment a large number of packets.

-k

This method controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. Keep-alive packets are not sent by default.

An attacker who is able to connect to network applications could cause a DoS condition by establishing numerous connections.

-n

This method determines whether the computer releases its NetBIOS name when it receives a name-release request. This method was added to allow the administrator to protect the computer against malicious name-release attacks.

NOTE: You must be using Windows 2000 Service Pack 2 (SP2) or later to use the NoNameReleaseOnDemand method.

-r

This parameter controls RFC 1323 time stamps and window-scaling options. Time stamps and window scaling are enabled by default, but can be manipulated with flag bits. Bit 0 controls window scaling, and bit 1 controls time stamps. Both will be disabled.

-i

Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes.

This behavior is expected. The problem is that the 10 minute timeout period for the ICMP redirect plumbed routes temporarily creates a black hole for the network where traffic will no longer be routed properly for the affected host.

-p

IP source routing is a mechanism allowing the sender to determine the IP route that a datagram should take through the network, used primarily by tools such as tracert.exe and ping.exe.

An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer sending a packet to specify the route it takes.

-t

This parameter controls the number of times that TCP retransmits an individual data segment (non connect segment) before aborting the connection. The retransmission timeout is doubled with each successive retransmission on a connection. It is reset when responses resume. The base timeout value is dynamically determined by the measured round trip time on the connection.

In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server, and the server leaves the half-open connections open until it is overwhelmed and no longer is able to respond to legitimate requests.

-e

This parameter controls the point at which SYN ATTACK protection starts to operate. SYN ATTACK protection begins to operate when TcpMaxPortsExhausted connect requests have been refused by the system because the available backlog for connections is set at 0.

In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server, and the server leaves the half-open connections open until it is overwhelmed and no longer is able to respond to legitimate requests.

-y

This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP). IRDP allows the system to detect and configure Default Gateway addresses automatically.

An attacker who has gained control of a system on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised system.

/disable

The selected methods will be undone.


Regards
Ajax
23.12.2003, 21:04
Honorary member
Robert

Posts: 2283
#4 Well, sure, that is all in the readme - what I would be interested in is which keys are set to which values.


R.
__________
powered by http://different-thinking.de - networks, protocols, security, ...
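Robert's question (which registry keys end up with which values) is not answered in the thread. As an added example that is not part of the original thread or of ZigStack, the following PowerShell script audits the TCP/IP registry values that the readme's method descriptions correspond to and reports which differ from Microsoft's recommended hardened settings, optionally writing them. Assumptions: the mapping from ZigStack's switches to these value names is inferred from the readme text, and the hardened values are the ones from Microsoft's TCP/IP hardening guidance for Windows 2000/2003, not ZigStack's own.

```powershell
# Added example (not ZigStack's code): audit the documented TCP/IP hardening
# registry values against Microsoft's recommended settings. Run as
# Administrator; read-only unless -Apply is given.
param([switch]$Apply)

$TcpIp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetBt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Switch -> registry value -> hardened value. The switch mapping is an
# assumption based on the readme text; names and values follow Microsoft's
# TCP/IP hardening guidance for Windows 2000/2003.
$Baseline = @(
    @{ Switch = '-s'; Path = $TcpIp; Name = 'SynAttackProtect';          Value = 1 }
    @{ Switch = '-d'; Path = $TcpIp; Name = 'EnableDeadGWDetect';        Value = 0 }
    @{ Switch = '-m'; Path = $TcpIp; Name = 'EnablePMTUDiscovery';       Value = 0 }
    @{ Switch = '-k'; Path = $TcpIp; Name = 'KeepAliveTime';             Value = 300000 }
    @{ Switch = '-n'; Path = $NetBt; Name = 'NoNameReleaseOnDemand';     Value = 1 }
    @{ Switch = '-r'; Path = $TcpIp; Name = 'Tcp1323Opts';               Value = 0 }
    @{ Switch = '-i'; Path = $TcpIp; Name = 'EnableICMPRedirect';        Value = 0 }
    @{ Switch = '-p'; Path = $TcpIp; Name = 'DisableIPSourceRouting';    Value = 2 }
    @{ Switch = '-t'; Path = $TcpIp; Name = 'TcpMaxDataRetransmissions'; Value = 3 }
    @{ Switch = '-e'; Path = $TcpIp; Name = 'TcpMaxPortsExhausted';      Value = 5 }
    @{ Switch = '-y'; Path = $TcpIp; Name = 'PerformRouterDiscovery';    Value = 0 }
)

foreach ($Item in $Baseline) {
    # A missing value means the stack uses its built-in default, which is
    # reported as '<absent>' so it shows up as a deviation too.
    $Key = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    $Current = if ($null -ne $Key) { $Key.($Item.Name) } else { '<absent>' }
    $Ok = ($Current -eq $Item.Value)
    $Status = if ($Ok) { 'OK' } else { 'DIFFERS' }
    '{0,-3} {1,-26} current={2,-9} hardened={3,-7} {4}' -f $Item.Switch, $Item.Name, $Current, $Item.Value, $Status

    if ($Apply -and -not $Ok) {
        # Create or overwrite the REG_DWORD; the stack reads it at boot, so a
        # reboot is required before the new value takes effect.
        New-ItemProperty -Path $Item.Path -Name $Item.Name -PropertyType DWord `
            -Value $Item.Value -Force | Out-Null
    }
}
```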
24.12.2003, 10:30
Member
Emba

Posts: 907
#5 For anyone who wants to do it by hand, I'd recommend this document as a starting point (applicable to any OS):

http://www.securityfocus.com/infocus/1729

That way you know what you are doing, instead of just flipping random switches ;)

cheers
24.12.2003, 12:27
Member
Xeper

Posts: 5291
#6 Yeah, in the Linux kernel you can tweak a lot under the proc switches too, but I've never really done it myself. I saw it once at a colleague's: whenever he scanned someone, 127.0.0.1 showed up as the sender ;) Kind of handy, of course. But well, DoS attacks are actually laborious, so I'd rather go from inside with a fork bomb or something ;) or an exploit, that is much more fun. Besides, I've never had problems with DoS, and I don't know of any case where someone did that to me - more like insecure code etc. ;)
__________
E-Mail: therion at ninth-art dot de
IRC: megatherion @ Freenode
13.01.2004, 17:05
...new here

Posts: 2
#7 In the coming days an updated version with a GUI will be released, so that the pampered user can enjoy it too. It also comes with a few new features.

-xai
20.01.2004, 21:36
...new here

Posts: 2
#8 Now online at www.xaitax.de.

-xai