January 29th, 2002, 03:29 AM
#1
DoS (Info and Protection)
Nuke Information
SMB
Aliases/variants: Server Message Block (SMB) logon attack
Affects: Windows NT4
Symptoms: System hang or restart.
bonk
Aliases/variants: boink, newtear, teardrop2
Affects: Windows 95 / NT4
Symptoms: Blue screen freeze and crash. If you have been patched since 12/97 against the other nukes below and as of 1/8/98 suddenly started to get the blue screen, you're probably being "bonked".
land
Affects: Windows 95 / NT / 3.11, many others
Symptoms: Freeze and crash. You're probably being "landed" if you were nuke-safe until mid-November or if you're already patched against the other nukes.
teardrop
Aliases/variants: tear, TCP/IP fragment bug, overlapfrag bug
Affects: Windows 3.1/95/NT, Linux (before 2.0.32 and 2.1.63)
Symptoms: Immediate crash or reboot. If you know you're safe against "winnuke" and "ssping" below and you still crash, you are probably suffering from either "land" or "teardrop". If you just get disconnected it's probably "click".
click
Aliases/variants: [the original] nuke, ICMP nuke, ICMP_REDIRECT or ICMP_DEST_UNREACH spoof, WinNewk/WinNewk-X
Affects: All IRC users unless protected by firewall or other filter.
Symptoms: You are disconnected from the IRC server but otherwise your connection to your ISP is fine. Your computer does not crash. Others will usually see you quit with the message "Connection reset by peer" although other networking related error messages are also possible.
ssping
Aliases/variants: jolt, sPING, ICMP bug, IceNewk, "Ping of Death".
Affects: Windows 95 / NT, and many others!
Symptoms: Computer locks up, usually requiring a reboot (reset switch such as ctrl+alt+del doesn't work). After restart, computer runs as usual.
WinNuke
Aliases/variants: Windows OOB bug.
Affects: Windows 95 / 3.11 / NT
Symptoms: "Blue Screen" (virtual device driver) error. Computer usually recovers, but Internet connection doesn't, requiring reboot (usual shutdown procedure should work). May also cause computer to lock up.
ICMP flood
Aliases/variants: ping flood, ICMP_ECHO flood
Affects: all modem connections
Symptoms: Modem lights go berserk indicating overflow of information, Internet applications get very slow, after 15-60 secs you get disconnected (from your server or even your provider). Everything is fine after reconnect (unless you get flooded again), no crash or reboot.
smurf
Affects: whole provider or IRC server
Symptoms: Imagine ICMP flooding for an entire provider or server. Everybody connected gets bogged down and kicked off, attack can last for hours or days.
ATH0
Aliases/variants: +++ ATH0
Affects: many types of modems
Symptoms: Modem gets disconnected.
Patches
Patches for Microsoft Windows 95
(These are the patches for OOBNuke, Winnuke, Jolt, SSPING, IceNuke and TearDrop)
Use the following steps to upgrade to Winsock 2.2 and patch the Internet bugs in Windows 95. Be sure to perform these steps in the order as they appear.
1. Install the MS DUN 1.2 Upgrade (MSDUN12.EXE ftp://ftp.kappa.ro/pub/Windows/95-98...es/msdun12.exe ) and reboot.
2. Install the Winsock 2.2 Upgrade (WS2SETUP.EXE ftp://ftp.kappa.ro/pub/Windows/95-98...s/ws2setup.exe ) and reboot.
3. Install the Winsock 2.2 Patch (VIPUP20.EXE ftp://ftp.kappa.ro/pub/Windows/95-98...es/vipup20.exe ) and reboot.
4. Install the Land patch (VTCPUP20.EXE ftp://ftp.kappa.ro/pub/Windows/95-98...s/vtcpup20.exe ) and reboot.
5. Rename VNBT.386 to VNBT.BAK or use the VNBT.386 Fix (VNBT.EXE ftp://ftp.kappa.ro/pub/Windows/95-98...tches/vnbt.exe ) and reboot.
Patches for Microsoft Windows NT
1. Install Service Pack 3 (NT4SP3_I.EXE ftp://ftp.microsoft.com/bussys/winnt...40/ussp3/i386/ )
2. Install the Bonk, Boink and Teardrop2 patch TEARFIXI.ZIP (ftp://ftp.kappa.ro/pub/Windows/NT-4.0/TEARFIXI.zip). This patch supersedes the ICMP-fix, OOB-fix, Simptcp-fix and Land hotfixes.
ATH0 Exploit
Modems known to be affected:
Logicode 28.8
Supra 33.6 (internal)
Diamond Supra v.90
Diamond SupraExpress 56k
Noblelink 56k Plug and Play
Zoom Internal 56kflex/v.90 (model 2812?)
A/Open(acer) 56k
(Many more here, but only this has been tested)
Solution 1
The fix is for Windows 9x but I'm sure it is easy enough to figure out how to fix this problem on other operating systems just by looking at the fix itself.
Run regedit and look for the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Modem\0000
Create a string value in that key called UserInit and give it a value of s2=255 (if your modem is still vulnerable, try using a value of s2=127).
Now reboot the computer and your modem will be patched.
Solution 2
Add "ATS2=255" in your modem init string.
Then again u can always run a trusted firewall (which i think is a must!)
Tiny Personal Firewall 2.0.15 - Tiny Personal Firewall (TPF) is a powerful and free utility designed to protect home cable and DSL connections. TPF provides multi-layer security protection in controlling which applications are allowed to transmit and receive data, MD5 Signature Support to ensure that Trojan horse applications cannot communicate, stateful filtering based on SRC/DST IP address, port and application to determine if incoming packets were requested, remote access to logs and statistics, and intrusion detection. This build corrects TDI errors.
http://download.cnet.com/downloads/0...05-110-6313778
Sygate Personal Firewall 4.2 Build 872 - Sygate Personal Firewall is a bi-directional intrusion-defense system for your personal computer. It ensures that your computer is protected from hackers and other intruders while preventing unauthorized programs on your computer from accessing the network. Sygate Personal Firewall makes machines invisible to the outside world. It works on computers connected to a private network or the Internet. This program assures that your business, personal, financial, and other data is safe and secure.
http://download.cnet.com/downloads/0...05-110-8593035
NetWatcher 2000 - This utility runs in the background while you are connected to the Internet, monitoring queries for information. If it detects one, it alerts you and gives you the option of immediately closing the connection. The program also logs the intruder's IP address, port number, and host, letting you report the intruder to their Internet service provider
http://www.pcworld.com/downloads/fil...leidx,1,00.asp
ConSeal PC Firewall - This personal firewall lets you create rule sets that dictate what data can access your PC. It protects you from Internet threats, as well as from applications on your network. The firewall lives beneath your operating system, and any offending packet or data is automatically dismissed. You can define what type of data you want to avoid, or you can put the firewall in learning mode, which will create a rule set based on your actions. If an unknown packet tries to access your PC, the program lets you know and waits for your permission. The program also includes a Whois link for retrieving remote-host information
http://www.pcworld.com/downloads/fil...leidx,1,00.asp
These are just some protection ideas against simple DoS but even the most simple things can be very good.
i suggest if u run a windows box u fix the sploits ive listed above, and also install a trustworthy firewall
Then again theres the dreaded DDoS which no real cure can be downloaded to protect u from this.. My best advice against DDoS is dont let urself be a target by it by not going to any form of cheat program without usin some sort of proxy or redirect!
Most of the info i found here was found by usin www.google.com and multiple webpages, way 2 many to list and its all just random data i thought ud like to hear if u wonder about DoS.
-NetSyn
i have a herd of 1337 sheep
Worth should be judged on quality... Not appearance... Anyone can sell you **** inside a pretty box.. The only real gift then is the box..
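Added example, not part of NetSyn's post: detection checks for several of the nukes listed in post #1, run over constructed packet records. The record field names and sample addresses are assumptions, and the land and WinNuke signatures (same source and destination; urgent data to port 139) are the commonly documented ones rather than details given in the post.

```python
import re

# Hayes escape "+++" followed by the hang-up command named in the post.
ATH0_RE = re.compile(rb"\+\+\+\s*ATH0", re.IGNORECASE)
IP_MAX = 65535      # largest legal IPv4 datagram, header included (bytes)
IP_HEADER = 20      # minimum IPv4 header size (bytes)

def check_packet(pkt):
    """Return the names from the post that one packet record matches."""
    hits = []
    flags = pkt.get("flags", ())
    if pkt["proto"] == "tcp":
        if "SYN" in flags and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
            hits.append("land")      # source address and port equal the destination
        if pkt["dport"] == 139 and "URG" in flags:
            hits.append("WinNuke")   # out-of-band (urgent) data to NetBIOS session port
    if pkt["proto"] == "icmp" and ATH0_RE.search(pkt.get("payload", b"")):
        hits.append("ATH0")          # modem escape sequence carried inside an echo
    return hits

def check_fragments(frags):
    """frags: (offset, length) byte pairs of one IP datagram's fragments."""
    hits, end = [], 0
    for off, length in sorted(frags):
        if off < end and "teardrop" not in hits:
            hits.append("teardrop")  # fragment begins inside data already covered
        end = max(end, off + length)
    if end + IP_HEADER > IP_MAX:
        hits.append("ssping")        # reassembled datagram exceeds the IPv4 maximum
    return hits

# Constructed sample records (documentation addresses, not captured traffic).
SAMPLES = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10",
     "sport": 139, "dport": 139, "flags": {"SYN"}},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10",
     "sport": 1042, "dport": 139, "flags": {"PSH", "ACK", "URG"}},
    {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10",
     "payload": b"+++ATH0\r"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10",
     "sport": 1043, "dport": 80, "flags": {"SYN"}},
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["src"], "->", p["dst"], check_packet(p) or "clean")
    print(check_fragments([(0, 36), (24, 4)]))          # overlapping pair
    print(check_fragments([(0, 1480), (65528, 100)]))   # oversized reassembly
```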
-
January 29th, 2002, 10:17 AM
#2
Great stuff NetSyn
If more of the people in the know spread their knowledge around,
then it would be better for all!
-
February 7th, 2002, 04:21 PM
#3
I got a lot of negative points and positive points from this post, mostly positive but the few negatives seemed to think this was useless info mainly because they already knew this stuff... so what if u already knew it.. Not everyone does and there are many people vulnerable to ath0 and other such DoS attacks that dont even know what they are... so if u already know this crap good for u, dont give me negative points for trying to help the few that dont.. cause thatll just cause me not to give out information like this to the people who may need it
i have a herd of 1337 sheep
Worth should be judged on quality... Not appearance... Anyone can sell you **** inside a pretty box.. The only real gift then is the box..
-
February 7th, 2002, 04:38 PM
#4
Well, I may have known some of it myself, but it was still a great post. I'm sure there are many more people in this world that know more than me and some that know less. We can all benefit from a post such as this. No reason for a negative antipoint. Sometimes I forget stuff. I always keep text copies of info such as this around for reference.
Good post and greenies for you post this info for all. New and old.
The COOKIE TUX lives!!!!
Windows NT crashed,I am the Blue Screen of Death.
No one hears your screams.

-
February 7th, 2002, 06:28 PM
#5
-
February 7th, 2002, 07:32 PM
#6
One correction
The Sygate information is old, though. The new version and the only version you should be running is 5.0. Otherwise very useful.
Good post, though.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
February 7th, 2002, 08:20 PM
#7
Trappedagainbyperfectlogic.
-
February 8th, 2002, 04:11 PM
#8
Junior Member
Greattttt! post NetSyn...very informative for a newbie...heheheh..
SilVerRusT
(hi...ho...silver away!)
-
February 8th, 2002, 04:17 PM
#9
Good post, NetSyn!
As far as firewalls are concerned, I personally like ZoneAlarm from zonelabs.com. Easy to use and pretty good. But anyway, that's just my opinion.
Cheers,
BrainStop
-
February 8th, 2002, 11:54 PM
#10
I am totally new to this stuff reading as much as i can and its posts like yours that help a lot with setting up a good base of information great post hope you keep posting more like this i know if you do I'll be here reading them. Great info.
Kindred69