RE: Raw Sockets in WinXP
From: Robert D. Hughes (rob@robhughes.com)
Date: 07/29/01
- Previous message: Grant C: "MMDF and Virus software:"
- Maybe in reply to: Gregory_DeGennaro@csaa.com: "RE: Raw Sockets in WinXP"
- Next in thread: Jeff Smith: "RE: Raw Sockets in WinXP"
Subject: RE: Raw Sockets in WinXP
Date: Sun, 29 Jul 2001 09:01:06 -0500
Message-ID: <B95B566BD245174196CA4EE29E581883092BBF@robhughes.com>
From: "Robert D. Hughes" <rob@robhughes.com>
To: <SECURITY-BASICS@securityfocus.com>
But again, that isn't the real issue, though Mr. Gibson claims it is. The real issues are:

1) Very few ISPs do egress filtering on their routers. If they'd implement that, then spoofed IPs would immediately become a trivial issue since they'd never make it past the edge router.

2) Windows users tend to be at the low end of the computing awareness scale, which makes it easier to infect their machines. "Oh look, this person I've never heard of with the terrible English/French/Spanish/what-have-you loves me and has sent me a Word .doc/program/screen saver to show me how much they love me! I'll run it right away!"

Now, if we educate the Windows population and get ISPs to do what they should to be good netizens, then I would estimate that 98% of the problem would evaporate, at least as far as spoofed packets and Windows boxes blowing chunks all over the net are concerned.

Further, we have these problems now. Just because you can or can't spoof a packet has nothing to do with DDoS'ing a site. Filtering the packets at the victim's router doesn't do any good, since the pipe is still flooded and the site is still taken off-line, which is the point. Even if you can get your ISP to filter the packets at their routers, it's still a lot of packets on the network that shouldn't have made it there in the first place, though maybe, just maybe, if the sources aren't too widespread you can get the site back on-line.
-----Original Message-----
From: Jeff Smith [mailto:JSmith@Dentrix.com]
Sent: Tuesday, July 24, 2001 6:12 PM
To: 'Gregory_DeGennaro@csaa.com'; 'SECURITY-BASICS@securityfocus.com'
Subject: RE: Raw Sockets in WinXP
The problem with raw sockets as I see it is this. Let's say I am "h4ppy h4ck3r" and I get 30 people to run my cool "Joke" program that is actually a transport to my latest DDOS tool. Before raw sockets I would have had to install a new network driver to spoof the packets; now, because of the lax TCP stack, I can fake anything I want straight from my tool. The poor people that were infected would never know. Now let's say I write a new *nix joke program and get 30 people to run it. First off, I cannot think of any *nix user that would run an untrusted program. Most Linux users anyway like to compile the programs themselves. I view it as an educational issue. *nix is harder to use, therefore the people who use it are more aware of what they are doing. (I know this is a generalization.) Windows 9x/ME tend to draw a more mom-and-pop type of crowd. They don't care about TCP stacks, fragmentation, sector size, etc. "MOST" Windows users want to read their email, surf the web, open elf bowling, and the latest flash program. If the Windows community does not want to learn about the dangers that is fine, but when they bring down Yahoo or eBay or UnclebobsWebSiteOFun.Com they should be held accountable. If I shoot a gun in the air and the slug kills someone 2 miles away, I am still responsible even though I didn't mean to hurt them.
Jeff Smith
IT Specialist
-----Original Message-----
From: Gregory_DeGennaro@csaa.com [mailto:Gregory_DeGennaro@csaa.com]
Sent: Monday, July 09, 2001 12:43 PM
To: rob@robhughes.com; john@iplicjian.demon.co.uk; SECURITY-BASICS@securityfocus.com
Subject: RE: Raw Sockets in WinXP
I have to agree, Mr. Gibson is worrying too much about raw sockets. He appears to be the only one. Besides that, when have Microsoft products ever been secured? Especially since the *nix (and Apple) crowd tends to hate Microsoft. No computer is ever safe and should be protected as well as monitored to deter unauthorized accesses.

Like you said, the *nix community has been spoofing addresses for years. What major difference will these raw sockets make? Besides, I am more concerned with the hackers that use a *nix box than those script kitties that use a WindowsXX box.
"The best firewall, is a pair of wire cutters!! ... :-)"
-----Original Message-----
From: Robert D. Hughes [mailto:rob@robhughes.com]
Sent: Friday, July 06, 2001 2:16 PM
To: John I. Stephen; Security Mailing list
Subject: RE: Raw Sockets in WinXP
He won't be able to do anything *to* an XP box. That isn't even the issue. The issue is that he'll be able to use raw sockets to spoof source addresses, something win2k, Linux, *BSD and every other non-toy OS allows now. I do agree that given the ignorance (well, hell, let's call it what it is: idiocy, or the refusal to learn) of the average user when it comes to anything like raw sockets, virii, or any other security related issue as they blithely open attachments "just to see what it is", we'll see some increase in the background noise, but it's still nowhere near the end of the world, as this Mr. Gibson would have you believe.
-----Original Message-----
From: John I. Stephen [mailto:john@iplicjian.demon.co.uk]
Sent: Thursday, July 05, 2001 11:08 AM
To: Security Mailing list
Subject: Raw Sockets in WinXP
Steve Gibson's recent mailshot landed in my in-box and I have just spent 30 minutes going through his article on Raw Sockets in WinXP (http://grc.com/dos/winxp.htm) and his notes from the subsequent conversation with Microsoft (http://grc.com/dos/xpconference.htm).

Some of you have very strong views as to Steve's knowledge of the subject of security and have suggested that all he is doing is ranting for publicity reasons. However, if the text of Microsoft's response is accurate, no one there is suggesting that he is wrong, merely that Microsoft see no point in securing Raw Sockets as a determined 'malicious hacker' would always find a way in... (might as well leave my car unlocked and the front door unlocked by that reasoning).

Assuming that a user has not deployed a personal firewall, malicious code monitoring, nor anti-virus software, do you agree that the RISK will greatly increase as a result of access to raw sockets? What will a malicious code writer be able to do against XP users which he cannot presently do against the 95/98/ME population?
John
Rob Hughes
Enterprise Management Specialist
Voice (H) (972) 918-0980
Voice (W) (972) 378-3277 ext. 204
Voice (C) (214) 282-7996
Email rob@robhughes.com, rob.hughes@ismanaged.com
___________________________________________
"The reward of a thing well done is to have done it." -- Ralph Waldo Emerson
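Rob's first point above, egress filtering at the ISP edge so that spoofed sources never leave the customer's network, as an added example that is not part of this thread: a minimal source-address check in the style of BCP 38, run over constructed outbound flow records. The customer prefixes, the record format and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed example: the prefixes the ISP assigned to the customer behind this
# edge router. Anything leaving the customer side must carry a source inside them.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def source_allowed(src: str, prefixes=CUSTOMER_PREFIXES) -> bool:
    """Egress (BCP 38 style) check: the source address must fall inside a
    prefix the customer was assigned; anything else is treated as spoofed."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: drop rather than guess
    return any(addr in net for net in prefixes)


def filter_outbound(records, prefixes=CUSTOMER_PREFIXES):
    """Split outbound 'key=value' flow records into (forwarded, dropped)
    lists of parsed records, deciding purely on the source address."""
    forwarded, dropped = [], []
    for line in records:
        fields = dict(part.split("=", 1) for part in line.split())
        target = forwarded if source_allowed(fields["src"], prefixes) else dropped
        target.append(fields)
    return forwarded, dropped


# Constructed sample of outbound records as seen on the customer-facing interface.
# 10.0.0.5 and 192.0.2.77 are outside the customer's space; 198.51.100.200 is
# outside the /25 even though it shares the /24.
SAMPLE_OUTBOUND = [
    "src=203.0.113.10 dst=192.0.2.80 proto=tcp dport=80",
    "src=10.0.0.5 dst=192.0.2.80 proto=udp dport=53",
    "src=192.0.2.77 dst=192.0.2.80 proto=icmp",
    "src=198.51.100.200 dst=192.0.2.80 proto=tcp dport=443",
    "src=198.51.100.7 dst=192.0.2.80 proto=tcp dport=443",
]

if __name__ == "__main__":
    fwd, drop = filter_outbound(SAMPLE_OUTBOUND)
    print(f"forwarded {len(fwd)} records, dropped {len(drop)} with spoofed/invalid sources")
    for pkt in drop:
        print(f"  dropped src={pkt['src']}")
```

The same check, applied in the reverse direction on the provider-facing interface (drop inbound packets claiming a source inside CUSTOMER_PREFIXES), is the matching ingress filter.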