COMMAND

    wingate

SYSTEMS AFFECTED

    Win95

PROBLEM

    Alan Brown posted the following about a problem with Wingate.  As a
    reminder, Wingate is a product that allows IP masquerading through a
    Windows 95 platform.  Unfortunately, by default it binds to ALL
    network ports, including the WAN port.

    Wingate is being used extensively by IRC abusers and is starting
    to be used heavily by SMTP abusers (i.e., spammers) via the open
    Socks port on dialup modem connections.  IRC abuse via Wingates
    appears to be increasing exponentially as more and more abuse
    scripts appear which use them.  Several seen recently will connect
    to 50 or more machines in order to effect denial of service
    attacks on IRC users and services.  Presumably the same rapid
    increase will soon be seen in SMTP relaying attacks.

    Open wingates are also wide open for any savvy attacker to  attach
    to machines behind the  wingate "firewall".  Although  the primary
    attack method is to use  socks port 1080, the same  techniques are
    easily  used  on  port  23,  so  firewalling  socks is a temporary
    solution at best.

SOLUTION

    Wingate  is  currently  a  disaster  for  anyone  trying  to track
    abusers.  It doesn't log connects by default, so the only way  the
    abusers can  be traced  is via  the netstat  command on the victim
    win95 machine - and most  win95 users being relayed through  don't
    have enough of a clue to be  able to do this, let alone know  that
    they're being used as pawns in attacks.  There's a fairly good set
    of web pages on securing wingate at:

        http://www.deerfield.com/wingate/secure-wingate.htm

    As of WinGate release 2.1b, the default behavior of the program is
    to not accept proxy connections on the "real" IP address of the
    machine.  Mile Zimmerman made a simple stopgap fix for Cisco
    routers.  Adding the following lines to your access lists gives a
    simple and effective fix for the majority of the problem:

        router#config t
        Enter configuration commands, one per line.  End with CNTL/Z.
        router(config)#access-list <n> deny tcp any <user space address> <user space hostmask> eq 1080
        router(config)#access-list <n> permit ip any any
        router(config)#int <ethernet interface>
        router(config-if)#ip access-group <n> in

        <n> = a number between 100 and 199 (an extended IP access list)
        <user space address>/<user space hostmask> = the addresses of
        your dialup users.  Please note that access list hostmasks are
        backwards from normal convention, so a 255.255.255.0 subnet
        mask would be written 0.0.0.255.
        <ethernet interface> = the interface of the network segment your
        dialup users are on.  The last two commands can be repeated
        for multiple interfaces.

    This blocks the standard SOCKS Proxy port for all machines inside
    the specified network mask.  Since there are VERY few instances
    where an ISP would find it desirable for a user to run a proxy on
    their dialup connection, this shouldn't disrupt any of your
    services.  Also, please note that there is an article posted to

        http://www.wingate.net/secure-wingate.htm

    on how to secure open WinGates.
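    As an added example (not part of the advisory, and not code from the
    WinGate or Cisco vendors), the following Python models the two access
    list lines above: it converts a subnet mask into the inverted wildcard
    form the text warns about, renders the lines for one block of dialup
    addresses, and then evaluates sample packets against them with the
    first-match and implicit-deny semantics of an IOS access list.  The
    user network 192.0.2.0/24 and the outside address 198.51.100.7 are
    constructed documentation values, and the parser only understands the
    "any", "host" and address/wildcard forms used here.  Because the deny
    entry matches on the destination address, it only takes effect on an
    interface that the Internet-to-user traffic crosses in the filtered
    direction; evaluating candidate packets like this before applying the
    list is a cheap way to confirm that.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # address 0 with an all-ones wildcard matches everything


def subnet_mask_to_wildcard(mask: str) -> str:
    """Cisco wildcard masks are the bitwise inverse of a subnet mask.

    255.255.255.0 -> 0.0.0.255 (a wildcard bit of 1 means "don't care").
    """
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(inverted))


def build_acl(n: int, user_network: str, subnet_mask: str) -> str:
    """Render the advisory's two ACL lines for one block of dialup addresses."""
    wildcard = subnet_mask_to_wildcard(subnet_mask)
    return (f"access-list {n} deny tcp any {user_network} {wildcard} eq 1080\n"
            f"access-list {n} permit ip any any")


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[int, int]         # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]         # "eq <port>" on the destination, if present


_ADDR = r"(?:any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
_RULE_RE = re.compile(
    rf"access-list\s+\d+\s+(permit|deny)\s+(\w+)\s+({_ADDR})\s+({_ADDR})"
    r"(?:\s+eq\s+(\d+))?\s*$"
)


def _parse_addr(token: str) -> Tuple[int, int]:
    if token == "any":
        return ANY
    if token.startswith("host "):
        return (int(ipaddress.IPv4Address(token.split()[1])), 0)
    addr, wild = token.split()
    return (int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild)))


def parse_acl(text: str) -> List[Rule]:
    """Parse the subset of extended-ACL syntax used in the advisory."""
    rules = []
    for line in text.strip().splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        action, proto, src, dst, port = m.groups()
        rules.append(Rule(action, proto, _parse_addr(src), _parse_addr(dst),
                          int(port) if port else None))
    return rules


def _addr_matches(entry: Tuple[int, int], ip: str) -> bool:
    # Only the bits where the wildcard is 0 have to agree with the entry.
    addr, wild = entry
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


if __name__ == "__main__":
    # Constructed values: dialup users in 192.0.2.0/24, an outside host at 198.51.100.7.
    rules = parse_acl(build_acl(101, "192.0.2.0", "255.255.255.0"))
    for proto, src, dst, port in [("tcp", "198.51.100.7", "192.0.2.45", 1080),
                                  ("tcp", "198.51.100.7", "192.0.2.45", 25),
                                  ("tcp", "198.51.100.7", "203.0.113.9", 1080)]:
        print(f"{proto} {src} -> {dst}:{port}: {evaluate(rules, proto, src, dst, port)}")
```

    Running the script shows the SOCKS connection to a dialup user denied
    while the same user's mail traffic and a port 1080 connection to an
    address outside the user block are permitted, which is exactly the
    narrow effect the advisory describes.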