Printable View
I am just wondering what all of your opinions are on M$ decision to include user level access to the Berkly Raw Socket interface icluded in XP. I have several questions as fallows...
1. Was it a neccesary funtion to include?
2. Can we expect a new wave of PC based DOS attacks using the interface?
3. What can be done about "forged" malicious packets in the occurance of such an attack?
All right, I'd take time to write it all, but I'll go strait to the source:
Since all this "broo ha ha" was started by Steve Gibson (www.grc.com) why not take time to see the other (and true) side of the medal at www.grcsucks.com ... Scroll down to the Raw Sockets (XP) articles...
Ammo
microsoft says yes, some others say no.Quote:
Originally posted by Dygital
1. Was it a neccesary funtion to include?
i highly doubt it, but it is quite possible(probable IMHO) that you will see atleast a few DDoS progy's targeted directly at XP.Quote:
2. Can we expect a new wave of PC based DOS attacks using the interface?
well, if you mean forged as in the originating ip then at the ISP level they can make filters that will drop any packets that have an ip that is not in their network before it gets anywhere.Quote:
3. What can be done about "forged" malicious packets in the occurance of such an attack?
if you mean forged in terms of sending packets that say things they shouldnt(such as sending tons of SYN's, which would make the pc being DoS'd think you are requesting a connection), AFAIK nothing can be done. the pc recieving the requests will just keep sending back ACK/SYN packets and waiting for a responce. in the mean time its queue will fill up and it will not be able to accept valid incomming connections. atleast that is my understanding and i dont claim to be the all knowing god of networking, so please correct me if im wrong.
i would also like to add that from what ive read on grcsucks.com, the tend to ignore as many important points as gibson does. for instance: in http://www.grcsucks.com/grcdos2.htm the responder constantly talks about how "Raw Sockets have been around for years in Unix based operating systems, and although many script kiddiots have made the move, they have yet to take over the world with the functionality of it"...he leaves out the fact that DDoS attacks are Distributed, so you need compromised systems. windows is popular with people who dont know what they are doing so it is easy to get a few compromised win boxes where most unix users are more security-aware, so its a bit harder(plus its less popluar, hence a smaller number of boxes to try to compromise).
Raw sockets have been around for years, but only to root, not to every user on the computer. Imagine some script kiddie getting 300 broadband XP home users and attacking any website with an unstoppable denial of service attack. The only thing stopping it would be the will of the attacker. People wont complain about it until it is happening every day. Maybe if microsoft were to be attacked with their own stupid security flaw this would cause them to make a change. Not having raw sockets would not prevent the denial of service attack, but at least you could have filtering ability that would allow you to get back online. From http://grc.com:
"The fact that the technology of a fence or a lock is imperfect, does not obviate that measure's security utility. But this was exactly the defense I heard today for not bothering to improve XP's security. Can any locked car be stolen? Of course. So are locks on cars therefore pointless? Of course not. Why increase the difficulty of exploiting XP's Internet connectivity in one way, when there are other ways to exploit it? Because fences work . . . and full raw sockets are too easy to use."
At the risk of upsetting someone, MS has never really done the security thing very well. I don't think they really understand it, take file and printer sharing for example, "hello! the system is wide open by default".
DDoS's are popular becasue they are easy and and don;t take too much preperation, especially with root kits and the like.
MS is not going to do anything about this even if it turns epidemic. The next version of Windows will probably have raw sockets too.
I can picture the average clueless user going "Drrrrr, this XP sure runs slow on my AMD 1800 `XP' and 512 MB DDR RAM, I guess I need to upgrade". Meanwhile Mr. Malicious Process goes on undisturbed. Will be good for folks in the PC hardware retail business though :D.
well till now i have yet to see the world get doomed with MS into of raw sockets into XP. I have setup a network of 10 Xp systems all of which have net acces in a 100 mbps LAN. As far as a DOS attack goes, well a strict group policy and a good hardware/software base firewall dose seem to good bet as to stopping them. Although one feature that i see as a weak link is the automatic start up of the Remote Astitance Service on a XP box.
XP starts up remote assistance by default?
Even the Pro version?
[Not a problem for me cos I've disabled it, but its worrying that MS seem to let all kinds of services start up without the common user even knowing!)
well at the risk of heart breaking u my friend. Though by default Xp is resource hungry. But it is not that u always need a killer system to run it. We use a amd K6-2 500mhz with 64mb pc 100 ram of which 8 mb is shared by the graphics card . this system is our quake2 server, mail server, bastone host, intranet web server and also the print server !!! this system has a avg uptime of 88.76% since it was setup-- 5.5weeks. Giventhe ultra low config i'd say it value for money and hardware. I do admit it is slow but a shot of 128mb ram does wwonders for this system. so it not only about tweaking but also making the right choices. Any way it work for us.:rolleyes: :D
I run XP on an AMD K6/2-450 with 128 MB ram, 8 of which is used for the onboardv graphics!