Re: [SLUG] Mandrake 8.0 update

From: Ian C. Blenke (icblenke@nks.net)
Date: Mon Jul 30 2001 - 13:02:42 EDT


On Sun, Jul 29, 2001 at 09:07:53PM -0400, Bill wrote:

> Mandrake 8.0 is s-m-o-o-t-h ! When the installed base of Windows XP has
> gotten large enough for the raw sockets vulnerability to rear its ugly little
> head (http://www.grc.com) I think Linux is going to get a good shot at the
> desktop and I think Mandrake will be leading the charge.

Raw sockets are not the problem. Gibson is paranoid (probably with
good reason, but still).

Every IP stack has the option of presenting "raw sockets" to User
space applications. These raw sockets offer nothing more than the
ability for a user space application to dump raw packet data on the
wire without concern. By doing this, your workstation can "spoof" the
originating IP, set any flags on the packet that the application
wishes, and in general cause havoc by sending any stream of octets
out any interface on the machine.

Unix boxen have offered SOCK_RAW for years.

Gibson's fear is that there will soon be MILLIONS of installed
WindowsXP users with PCs that they barely know how to use. Crackers
will enjoy the thrill of BO2k/Sub-7/... aka "rootkitting" Windows
boxes that only now begin to offer the ability to freely spoof
outgoing packets at a whim.

Microsoft isn't just blowing smoke up your bum:

        http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/security/news/raw_sockets.asp

HOWEVER, I agree completely with Gibson when he says Microsoft does
not understand security. My reservations deal with the basic structure
of both the Windows 9x/ME and WindowsNT architectures and the sheer
lack of concern regarding security at EVERY level within their model.
Everything, from easily loadable low-level device drivers running at
ring 0, to COM+ objects that have no coherent security, and
applications that actively permit buffer overruns due to sloppy coding
and no security auditing of closed-source software.

IIRC, NT4 and Win2000 have supported SOCK_RAW for quite some time. I
believe that any Winsock 2.0 provider can support SOCK_RAW in a
replacement IP stack (and many do). With the default IP stack in
WinNT/Win2k, you must merely be logged in as administrator (normal
users can't use SOCK_RAW sockets).

To enable raw sockets for everyone on an NT or Win2000 box, you merely
set the following registry key:

 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Afd\Parameters\DisableRawSecurity DWORD 1

Reboot (or wait an hour until the user reboots anyway), and anyone can
use raw sockets on that box.

Microsoft's security plans seem to be based on levels of "trust" - not
fixing the basic security flaws in their product. Not just "cracks" or
chinks in their armor, but blatant disregard for security concerns at
every level.

IMHO, Gibson is generally spreading FUD about raw sockets.
Linux/Opensource can do without FUD mongering.

Upstream providers should be filtering traffic that does not
originate from their own netblocks at the ingress from every customer
peering. If every provider did this, spoofing traffic would be
impossible... but DDoS would still be viable. Only proactive traffic
pattern monitoring can catch DDoS attacks when they start.

- Ian C. Blenke <ian@blenke.com> <icblenke@nks.net>
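The ingress filtering Ian describes in his last paragraph (drop anything arriving on a customer peering whose source address is not in that customer's delegated netblocks), written out as an added example that is not part of the original post. The interface names, prefixes and traffic records are constructed sample values, not taken from the thread; the drop counters sketch the "traffic pattern monitoring" he says is still needed once spoofing is blocked.

```python
"""Source-address ingress filter for customer peerings (BCP 38 style)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed mapping (assumed values): each customer-facing interface and the
# prefixes the provider has delegated to that customer. A customer may hold
# several discontiguous blocks, so the check must test every one of them.
CUSTOMER_PREFIXES = {
    "cust-a": [ip_network("203.0.113.0/24")],
    "cust-b": [ip_network("198.51.100.0/25"), ip_network("198.51.100.128/26")],
}

# Constructed traffic sample: (ingress interface, source IP, destination IP).
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.7", "192.0.2.10"),      # genuine customer source
    ("cust-a", "198.51.100.9", "192.0.2.10"),     # another customer's address
    ("cust-b", "198.51.100.150", "192.0.2.10"),   # inside cust-b's second block
    ("cust-b", "198.51.100.250", "192.0.2.10"),   # outside both cust-b blocks
    ("cust-b", "10.0.0.5", "192.0.2.10"),         # RFC 1918 source, never valid here
    ("cust-c", "192.0.2.1", "192.0.2.10"),        # interface with no delegation
    ("cust-a", "not-an-ip", "192.0.2.10"),        # malformed record
]


def classify(interface, src):
    """Verdict for one packet: accept only if src lies in a prefix delegated
    to the customer behind this interface; everything else is dropped."""
    try:
        addr = ip_address(src)
    except ValueError:
        return "malformed"
    allowed = CUSTOMER_PREFIXES.get(interface)
    if allowed is None:
        return "unknown-interface"     # fail closed on undelegated peerings
    if any(addr in net for net in allowed):
        return "accept"
    return "spoofed"


def filter_packets(packets):
    """Apply the filter; return forwarded packets and per-interface drop counts
    (the counts are what a monitoring system would watch for spikes)."""
    accepted, drops = [], Counter()
    for iface, src, dst in packets:
        verdict = classify(iface, src)
        if verdict == "accept":
            accepted.append((iface, src, dst))
        else:
            drops[(iface, verdict)] += 1
    return accepted, drops


if __name__ == "__main__":
    forwarded, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(forwarded)} packets; drops: {dict(dropped)}")
```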



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:19:15 EDT