Wingate: the sequel

Alans other account (alanb@MANAWATU.GEN.NZ)
Wed, 11 Feb 1998 15:14:02 +1300

I've had a fair amount of mail following my posting about this to
the list. What follows is a very brief summary.

1: Confirmation that a large number of sites have already
experienced spammers smtp relaying via insecure wingates. Numbers
relayed have ranged from "a couple of thousand" to "over 20,000"
messages.

2: Ditto on nntp. This seems to be a favourite method for porn
spammers in particular.

3: Ditto on IRC. I have a mIRC IRC abuse script on hand which quite
happily searches for wingates and attaches one floodbot per
gateway. Tests have shown that upwards of 100 wingates can quite
easily be used by a single attacker.

4: Open wingates are also wide open for any savvy attacker to
attach to machines behind the wingate "firewall".

5: Although the primary attack method is to use socks port 1080,
the same techniques are easily used on port 23, so firewalling
socks is a temporary solution at best.

All of these are worrying, given the number of people who attack
sites perceived as participating in spam.

There's a fairly good set of web pages on securing wingate at
http://www.deerfield.com/wingate/secure-wingate.htm - this appears
to be the Wingate home site.

The Undernet IRC network has had to temporarily lock out users from
2 large cable networks in Canada and the USA due to attacks against
network admins. Those attacks were at one point coming from upwards
of 200 different IPs and seemed to be driven by one individual.

Given Wingate's lack of logging facilities, there is almost no hope
of tracing attackers who initiate denial of service actions like
this, so ISPs may well face having this kind of action taken
against them by IRC (or other) networks in order to maintain
usability of their systems. The end result is chaos on helpdesks.

Wingate's authors apparently are continuing to ignore the abuse
issues associated with default settings.
How long before they get the message?

AB