Topic: Network security on AmigaOS with MiamiDx or any other stack


Offline mikeymike

« Reply #14 from previous page: October 11, 2003, 02:26:54 AM »
Quote
Quote
   * - WARNING everyone. Do not start an argument about memory protection.
?


The next bone-headed discussion I hear on the lines of 'whether AmigaOS needs memory protection or not' is going to result in casualties.  Some people appear to just want to kick off another discussion on the subject.

I would put a smiley here but I'm not really joking.
 

Offline xyth

« Reply #15 on: October 11, 2003, 02:36:04 AM »
Well I'm feeling quite paranoid now...

I have no idea what half the stuff you guys talked about is.

I use MiamiDx, IBrowse, YAM, DOpusFTP, occasionally AmIRC (very unstable), over a 33.6 modem connection.

I don't have AWNPipe installed though.

I'm pretty much a novice at the internet (you'd probably noticed), should I be worried about this stuff?  Should I be using a firewall, and how would I set one up?

How does one avoid using FTP?
Amiga 1230/50 + 34MB  (OS3.5 + DOpus 5.82)
 

Offline JetRacer

« Reply #16 on: October 11, 2003, 06:27:28 AM »
xyth: Don't worry man. Seriously. The risk of a hacker (read: cracker) being able to know his head from his ass in AmigaOS is near zero. It's like worrying about e-mail worms on your C64, if you get my drift.

If you don't get into someone's attention span by writing the wrong things in the wrong IRC channel, then you have nothing to worry about.

(edit) This does not apply to *nix, Windoze or anything running some kind of server; such are hacked by the thousands using automated software and therefore need proper countermeasures. (/edit)
*Zap! Zap!* Ha! Take that! *Kabooom!* Hey, that's not fair!
 

Offline T_Bone

« Reply #17 on: October 11, 2003, 07:36:12 AM »
Quote

lempkee wrote:
t_bone:why are u saying such? , please check before you state such.


Is there a new version of Miami I missed? :-o
Seriously, I wouldn't be concerned because the security page is "a whole year old."
If this were Windows, it'd be a different story.
this space for rent
 

Offline lempkee

« Reply #18 on: October 11, 2003, 12:01:03 PM »
tor: ok it looks like all the answers have been posted ;( ..a bit too slow (me) ..

i also talked to cyborg (the owner of the security page) and he is still active , but there haven't been any needs for updating the page (according to him) , he also posted some info (on irc) but he went offline and i was away ...ARGH! ;(

for port tools , you seem to use the same as me.


t_bone: sorry , but it seemed like a troll statement, anyway i explained what is happening atm in the amiga world of tcpip stacks.
but i guess u are right , if it's in dev and not out...then you shouldn't wait for it either...or?



pps: let's hope cyborg comes and visits us here at amiga.org , why he didn't post was because of "he had to register to post here" ....

Whats up with all the hate!
 

Offline tormedhammaren (Topic starter)

« Reply #19 on: October 11, 2003, 03:42:45 PM »
@Piru:
Quote
ping flood protection is pretty much useless, as the packets get processed until they enter the filter part. It takes considerable resources to process the packets before they "flow down" to part where the filtering is made. Enough fragmented packets with packet reassembly, and the rate of packet I/O, packet reassembly and filtering will consume all CPU time and internal buffer memory.

The ping flood protection sends all packets to NIL: ? The problem is that the Amiga features much less processing power compared to more modern systems. So you can easily DOS it from just one host if both sides have high bandwidth.

Quote

Also, if you are unlucky enough to piss up some scriptkiddie with a botnet, you could be in real trouble. With his flood the incoming traffic will be so enormous that it will prevent any other legit traffic from reaching the system anyway, and all incoming traffic will stop (including TCP streams, that will disconnect if the flood stays persistent). Usually this is caused by DDOS attack using a botnet (network of hundreds to thousands of hacked zombie windows machines controlled by the scriptkiddie).

Can scriptkiddies get that strong? Hope there aren't too many of those..

Quote

- TCP ISN generator is a simple 64k ruler. It is child's play
to predict. (spoofing TCP connections)

This means that you can make a system believe that you are a trusted host. This is what Mitnick did to break into Tsutomu Shimomura's machine.

Quote

- ftpd 1.2 (Oct 3 1994) has a crash bug in STAT command:

What happen is that ftpd STAT command blindly assume fopen() succeed, that is, it doesn't check against NULL result from the call. If NULL is returned ftpd will happily peek & poke zeropage, eventually causing trashing of execbase pointer (absolute address 4). This problem is exploitable as anonymous user.

I won't provide an example on this public forum, for obvious reasons.

In which products is this ftpd used? Is there a fix?

@lempkee:
On which server/channel does Cyborg hang out?
Yes, Cyborg must come and play on amiga.org too!
How does nmap run on your machine? On mine, it's dead slow.
tormedhammaren/toddi ||==
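The unchecked fopen() described in the quoted ftpd report, shown with the check it lacks. This is an added example, not part of the original post and not the AmiTCP ftpd source; `stat_reply`, its buffer sizes and its reply texts are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical STAT-style handler, not the AmiTCP ftpd source.
 * Pattern described in the report:
 *     fp = fopen(path, "r");
 *     while ((c = getc(fp)) != EOF) ...      (fp may be NULL here)
 * The version below never touches the stream unless fopen() succeeded.
 * It writes one FTP reply into out and returns its numeric code. */
int stat_reply(const char *path, char *out, size_t outlen)
{
    FILE *fp;
    size_t used;

    if (out == NULL || outlen < 64)
        return -1;                        /* caller bug, nothing written */
    if (path == NULL || *path == '\0') {
        snprintf(out, outlen, "501 Syntax error in parameters.\r\n");
        return 501;
    }
    fp = fopen(path, "r");
    if (fp == NULL) {                     /* the check the report says is missing */
        snprintf(out, outlen, "550 Cannot open file.\r\n");
        return 550;
    }
    snprintf(out, outlen, "213-Status follows:\r\n");
    used = strlen(out);
    /* Bounded copy: keep 16 bytes free for the closing line and the NUL. */
    used += fread(out + used, 1, outlen - used - 16, fp);
    fclose(fp);
    snprintf(out + used, outlen - used, "\r\n213 End.\r\n");
    return 213;
}

int main(void)
{
    char buf[256];
    int code = stat_reply("no/such/file", buf, sizeof buf);
    printf("%d -> %s", code, buf);        /* error reply, no NULL stream used */
    return 0;
}
```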
 

Offline Piru

« Reply #20 on: October 11, 2003, 05:12:12 PM »
@tormedhammaren
Quote
The ping flood protection sends all packets to NIL: ?

Yes. Well, not literally NIL:, the packets are just discarded. But those packets still need to pass thru SANA2 driver and IP level before they can be detected and dropped. This code pathway is quite long so it can cause problems, at least with slower systems.

Quote
The problem is that the Amiga features much less processing power compared to more modern systems. So you can easily DOS it from just one host if both sides have high bandwidth.

Right. With modern hardware a simple pingflood is not going to take the system down, instead all the bandwidth needs to be consumed (usually with DDoS).

Quote
Can scriptkiddies get that strong? Hope there aren't too many of those..

They are that strong already. Some years ago there was a problem with kiddies crashing irc servers and/or causing netsplits and then riding the split to perform channel takeovers. Some very large websites have been taken down, even most DNS root servers simultaneously.

In fact, some of the modern viruses turn the Windoze boxes into these zombies, part of the botnet. Another common way is to send out a trojan via email that patches the system and adds it as a node to such a network.

There is some speculation that these viruses would in fact be spread by spammers to generate large networks to send out spam email and to DDoS antispam services. At least three large AS services have already been shut down due to enduring DDoS attacks.

Another wild theory is that these viruses are in fact made by NSA to test large scale electronic warfare. It would be of interest to USA since they're most vulnerable to such an attack, if ever performed as an act of war or terrorism. The date triggered self destruct of the viruses backs up this theory somewhat, since this way the effect of the virus is limited.

Quote
This means that you can make a system believe that you are a trusted host. This is what Mitnick did to break into Tsutomu Shimomura's machine.

Right. Mitnick used this method to spoof a trusted LAN host and used the rsh service to execute a command to inject "+ +" to root's .rhosts file. This way, all hosts could rlogin as root or execute remote commands as root. There is a description of the hack on usenet by Tsutomu Shimomura.

Quote
In which products is this ftpd used?

To my knowledge all AmiTCP/IP versions available (that include the ftpd).

Quote
Is there a fix?

No fix is available. However, you can disable anonymous access to limit the threat to trusted users only.

I would still recommend you use some other ftpd instead.
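A defender-side check for the "64k ruler" ISN generator discussed in this exchange: given ISNs sampled from successive connections to your own host, it tests whether every step is a multiple of one large constant. This is an added example, not part of the original post; the function names, the 1024 threshold and both sample series (a step of 64000 is assumed) are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

static uint32_t gcd32(uint32_t a, uint32_t b)
{
    while (b != 0) { uint32_t t = a % b; a = b; b = t; }
    return a;
}

/* Greatest common divisor of the steps between consecutive ISNs.
 * Unsigned subtraction gives each step modulo 2^32, so a counter that
 * wraps between two samples is still measured correctly.
 * A "ruler" generator (counter += k * STEP) yields a large result;
 * per-connection randomised ISNs (RFC 6528) yield a tiny one. */
uint32_t isn_common_step(const uint32_t *isn, size_t n)
{
    uint32_t g = 0;
    size_t i;
    for (i = 1; i < n; i++)
        g = gcd32(g, (uint32_t)(isn[i] - isn[i - 1]));
    return g;
}

/* 1 if the samples look like a fixed-step counter. The threshold 1024
 * is an arbitrary illustrative value, not taken from any standard. */
int isn_looks_like_ruler(const uint32_t *isn, size_t n)
{
    return n >= 4 && isn_common_step(isn, n) >= 1024;
}

/* Constructed samples: a counter advancing by 1, 2, 1, 3, 1 steps of
 * 64000, wrapping past 2^32 before the fifth sample. */
const uint32_t RULER_ISNS[6] = {
    4294600000u, 4294664000u, 4294792000u, 4294856000u, 80704u, 144704u
};
/* Constructed samples standing in for a randomised generator. */
const uint32_t RANDOM_ISNS[5] = {
    305419896u, 1305419903u, 3735928559u, 19088743u, 2882400001u
};

int main(void)
{
    printf("ruler:  step %lu\n", (unsigned long)isn_common_step(RULER_ISNS, 6));
    printf("random: step %lu\n", (unsigned long)isn_common_step(RANDOM_ISNS, 5));
    return 0;
}
```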
 

Offline lempkee

« Reply #21 on: October 11, 2003, 05:25:44 PM »
Quote
@lempkee:
On which server/channel does Cyborg hang out?
Yes, Cyborg must come and play on amiga.org too!
How does nmap run on your machine? On mine, it's dead slow.


tor: he is on #amigafun (german channel) , or you can reach Yenzy on Arcnet #morphos .
Nmap is horribly slow when active here , never tried it on 040 but i guess it's even slower.. ;(

cheers
Whats up with all the hate!
 

Offline tormedhammaren (Topic starter)

« Reply #22 on: October 17, 2003, 12:21:47 PM »
@lempkee:
Thank you. I've been looking for him.

@Piru:
Thanks for your good answers.

Regards
Tor
tormedhammaren/toddi ||==
 

Offline AmigaMance

« Reply #23 on: October 16, 2008, 06:12:54 PM »
Hey, very informative thread!
I have some questions regarding this issue, if i may..

Quote
Set your firewall not to reply to ICMP pings. Nobody is immune to DoS attacks, but at least this way it'll take powerful attack to saturate your whole bandwidth.

My router's firewall doesn't have a specific setting for ICMP pings, so i blocked all incoming ICMP traffic. This had a side effect: not only did i stop responding to pings but i lost the ability to ping others as well (like servers etc) and i don't like that. Therefore i disabled this setting.
The manual of my router mentions that it has built-in ping-flood protection, thus i should be fine? :-?

Quote
Do you know how can I test if a MUI app is vulnerable?

 I'm not sure iirc, but one app which is vulnerable is an old IRC client. Probably BlackIRC and some other very old MUI progs.

Quote
Just take care that you don't use (mount) the AWNPIPE and you're safe.


APIPE: has similar problem, so take care you don't mount either AWNPIPE or APIPE:.

 Hmm... I don't mount any of these devices at startup, BUT i use a nifty feature of MCP called AutoMount. It mounts devices only on demand. That is, if something makes a call to a device which is not mounted, AutoMount searches the storage/dosdrivers/ directory and the devs:mountlist and mounts the appropriate device automatically if it exists.
 My question is: Is it possible for a hacker to take advantage of this feature and mount these devices from his computer or not?

Quote
- ftpd 1.2 (Oct 3 1994) has a crash bug in STAT command:

What happen is that ftpd STAT command blindly assume fopen() succeed, that is, it doesn't check against NULL result from the call. If NULL is returned ftpd will happily peek & poke zeropage, eventually causing trashing of execbase pointer (absolute address)

If i don't run an FTP server on my Amiga, should i worry about this at all?
I have disabled the ftp service in db/services, along with other services which are not of any use to me.
A1200 PPC user.
 

Offline darksun9210

« Reply #24 on: October 16, 2008, 06:23:57 PM »
excuse my ignorance, but i thought the amiga was fairly well shielded from the rubbish floating around the internet as none of its IP stacks implement modern "services". just the basics needed to function. plus that my machine is not running windows, nor based on an intel chip. or thinking about it internet exploder, nor firefox.

exactly _what_can_ someone on the outside do to my machine?

 :-?

its not like its going to be a zombie bot or filled with spyware?

A500, A600, A1200x3, A2000, A3000, A4000 & a CD32.
and probably just like the rest of you, crates full of related "treasure" for the above XD
 

Offline AmigaMance

« Reply #25 on: October 22, 2008, 12:11:53 AM »
 Just one bump in case someone from a different timezone can answer some of my questions.
A1200 PPC user.