Re: [SLUG] Insight on Code Red II

From: Ian C. Blenke (ian@blenke.com)
Date: Thu Aug 09 2001 - 17:16:15 EDT


Why do people continue to quote Gibson (www.grc.com) and state that raw
sockets in WindowsXP is the end of the world?

Unix boxen have had raw sockets forever. Raw sockets permit spoofed traffic -
it simply has no effect on denial of service (DoS) attacks (other than masking
where the attacks originate). In fact, if traffic were spoofed in a true
distributed denial of service (DDoS) attack, some of the traffic would not
make it outside of the originating network (upstream filter of offnet
originating traffic). IP Fragmentation abuse, flag fiddling, and free form
IP packet attacks are possible with raw sockets. So what else is new?

Windows NT has raw sockets. Administrators can use it, normal users "can't"
(unless you set the correct registry flag and reboot: then anyone can). You
can load NDIS drivers and layer-2 packet shims without much regard to
security as well. Why is native raw sockets so frightening?

I usually enjoy some of Cringley's rantings, but I can't abide his
support of Gibson in screaming chicken little about raw sockets.

> -----Original Message-----
> From: Miller, Matt [mailto:Matt.Miller@expanets.com]
> Sent: Thursday, August 09, 2001 1:28 PM
> To: 'slug@nks.net'
> Subject: RE: [SLUG] Insight on Code Red II
>
> Up until recently*, almost all DoS attacks have come
> from compromised UNIX based servers. Attached are some links from SANS:
>
> * until of course microsoft deployed a raw sockets tcp/ip stack with
> Win2000

Windows boxen have been trojaned all to hell over the years. Remote
control packages like BackOrifice, NetBus, SubSeven, and others aren't
all that "recent" as you might believe. Windows zombies have DoSed
far before the Trinoo port to Windows... You don't need raw sockets
to DoS or even DDoS - massive traffic generation from thousands of
hosts will merely deluge the target. For active IP stack exploits,
you often need raw sockets - but this isn't DoS by default.

Why are raw sockets so frightening? Because there are MILLIONS of PCs out
there that *might* run WindowsXP someday (stress the *might*) that can
suddenly do the same things as any Unix host has for years? Or is it
the thought of the broken WindowsXP security model on MILLIONS of PCs
permitting massive volumes of traffic to be spoofed, abused, and otherwise
generated on demand?

Please, help enlighten others about the sheer ignorance of screaming foul
about raw sockets. We should be concentrating on IPSEC, IPV6, 802.1x, and
anything else that can help secure/lockdown/fix the Utopian designed
IPV4 network as it stands.

- Ian C. Blenke <ian@blenke.com>
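The "upstream filter of offnet originating traffic" that the message mentions as the reason spoofed DDoS traffic does not all leave the originating network is source-address validation at the network edge (the approach later written up as BCP 38 / ingress filtering). The following is an added example, not code from anyone in this thread: it applies a strict per-interface source check to a handful of constructed flow records, using RFC 5737 documentation ranges for the hypothetical site's address plan. The record format, interface names and prefixes are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed address plan for a hypothetical border router: the prefixes that
# legitimately originate traffic on each inside interface (RFC 5737 test ranges).
INTERNAL_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed flow records in a simple key=value format, as a flow exporter or
# firewall log might produce them. Records 3 and 4 carry sources that could only
# be forged at this point: an off-net address, and an address from the other
# inside subnet arriving on the wrong interface. Record 5 is malformed.
SAMPLE_RECORDS = """\
iface=eth1 src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=80
iface=eth2 src=198.51.100.7 dst=203.0.113.5 proto=udp dport=53
iface=eth1 src=203.0.113.99 dst=203.0.113.5 proto=tcp dport=80
iface=eth2 src=192.0.2.10 dst=203.0.113.5 proto=icmp
iface=eth1 src=not-an-address dst=203.0.113.5 proto=tcp dport=80
"""


def parse_record(line):
    """Parse one 'key=value key=value ...' flow record into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_valid_source(iface, src, prefixes=INTERNAL_PREFIXES):
    """Strict source validation: the source address must fall inside a prefix
    assigned to the interface the packet arrived on. Unparseable addresses and
    unknown interfaces fail closed."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in prefixes.get(iface, []))


def filter_egress(records, prefixes=INTERNAL_PREFIXES):
    """Apply the source check to raw flow records.

    Returns (forwarded, dropped, per-interface drop counts). A rising drop
    count on one inside interface is the signal a defender would alert on:
    something behind that interface is emitting traffic with forged sources.
    """
    forwarded, dropped, drops_by_iface = [], [], Counter()
    for line in records.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_valid_source(rec.get("iface", ""), rec.get("src", ""), prefixes):
            forwarded.append(rec)
        else:
            dropped.append(rec)
            drops_by_iface[rec.get("iface", "?")] += 1
    return forwarded, dropped, drops_by_iface


if __name__ == "__main__":
    fwd, drp, counts = filter_egress(SAMPLE_RECORDS)
    print(f"forwarded={len(fwd)} dropped={len(drp)} drops_by_iface={dict(counts)}")
    for rec in drp:
        print("dropped: source", rec.get("src"), "not valid on", rec.get("iface"))
```

The check is deliberately strict (the address must match the arriving interface, not merely some internal prefix), which is what makes the wrong-interface record in the sample get dropped; a looser "any internal prefix" rule would let it through. In practice this logic lives in the router's ACLs or unicast RPF configuration rather than in Python, but the decision it makes is the same.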



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:00:28 EDT