I just went through this extensively with Novell, up to the point of having the issue declared "CRITSIT", which is their highest level an incident can be raised to.

By setting the server to reject incomplete NCP packets and those with bad lengths, and also setting the NCP packet signature level to 3 (all of these must be set in STARTUP.NCF, before DS.NLM loads... setting these in SERVMAN will add them into AUTOEXEC.NCF, and you must cut and paste them into STARTUP.NCF), you will effectively kill the exploit. You will still see the utilization rise on the server if someone "attacks" the server, but that is merely the server rejecting the packet, and not processing it. (The server HAS to look at the packets coming to it... they are NCP (NetWare Core Protocol) packets, and to ignore them would effectively render the server useless.) All that can be done is to have the server reject it and not process it.

The downside of this all is that the attacker doesn't have to be logged into the network, and there is no effective way to track the MAC address they are coming from, as the packets take on the MAC address of the spoofed connection. I would suspect, though, that if you thought someone was attacking your servers, you could eventually figure out where that person is, and take appropriate administrative actions. But for Novell's part, there isn't much more one could expect them to do.

Keep in mind that setting NCP packet signature to level 3 will prevent people using Microsoft's client for NetWare from being able to log in.

Sam

"Jeremy M. Guthrie" <jguthrieat_private> on 04/12/99 11:37:18 AM
Please respond to "Jeremy M. Guthrie" <jguthrieat_private>

To:      BUGTRAQat_private
cc:      (bcc: Samuel A. Morris)
Subject: Novell Pandora Hack

I had a friend show me the Novell TID: 2941119 about what Novell calls the "Pandora Hack". It suggests patching NetWare to at least SP5 and setting client/server signatures to 3.

I was under the impression that the signature fix did not take care of the issue. Comments???? It looks like Novell wants you to see the error messages... then figure out a corrective action against the attacker. Or I could be on crack.

--
Jeremy M. Guthrie
Network Administrator
Certified Novell Engineer
Custom Internetworking
email: jguthrieat_private
6404 Odana Rd.          Phone: (608)-663-8000
Madison, WI 53719       FAX: (608)-276-6406
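The server-side settings Sam describes, written out as an added example of the STARTUP.NCF fragment (this is not text from either post or from Novell's TID; the SET parameter names are as I recall them from NetWare's SET help, and the NET.CFG client line is likewise an assumption, so confirm both against the TID and the SET command on your own server before relying on them). The defaults are shown beside the hardened values:

```text
; --- STARTUP.NCF (loaded before DS.NLM; do NOT put these in AUTOEXEC.NCF) ---
; Default is 1 (sign only if the client asks); 3 forces signing on every
; connection and refuses clients that cannot sign, which is why Microsoft's
; NetWare client stops logging in once this is set.
SET NCP Packet Signature Option = 3            ; default: 1

; Drop NCP requests whose declared length does not match the packet.
SET Reject NCP Packets With Bad Lengths = ON   ; default: OFF

; Drop NCP requests with missing or malformed request components
; (the "incomplete packets" referred to above).
SET Reject NCP Packets With Bad Components = ON ; default: OFF

; --- NET.CFG on a Novell DOS/Windows client (assumed syntax) ---
; Matches the server so that the client always signs; a client left at
; the default level 1 cannot connect to a server set to option 3.
NetWare DOS Requester
    SIGNATURE LEVEL = 3                        ; default: 1
```

After adding the lines, restart the server (SERVMAN writes only to AUTOEXEC.NCF, so edit STARTUP.NCF by hand) and verify with SET at the console that all three parameters report the new values; utilization rising under a flood afterwards is the rejection path, not the exploit succeeding.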
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:23 PDT