There has been a lot written recently in the computer press about WindowsXP and the perceived security issues that exist with a feature called "raw sockets." The issue is whether or not WindowsXP machines can be used as anonymous zombies to run distributed denial-of-service (DDoS) attacks. Anonymous is the operative word here. But if the zombies are anonymous, the sides in this debate are anything but. On one side is Steven Gibson of the Gibson Research Corporation and on the other is Microsoft. You can read each of their perspectives at the following links:
Allow me to summarize. Any computer can be used in DDoS attacks, but "raw sockets" allow IP spoofing: sending a packet across the Internet with a source address other than the machine's true IP address. If a malicious hacker can get control of a computer linked to the Internet, he can launch untraceable attacks on any Web site he chooses. This certainly isn't a new phenomenon; Unix machines support raw sockets. In fact, they are the prime targets of hackers trying to launch DDoS attacks. But the big difference, in Gibson's mind, is that Unix is not a widely used public OS. WindowsXP could be distributed to millions of homes and small businesses - mostly novice users - providing hackers with many more potential zombies.
Microsoft would love to sell millions of WindowsXP copies. The company is probably counting on it, but says there is no significant danger of the zombification of WindowsXP. The contention is that to use a computer in a DDoS attack the hacker has to get into the system, which Microsoft says is secure. A default security system is set up in WindowsXP whenever the OS is configured to connect to the Internet.
So why are raw sockets even in WindowsXP? According to Microsoft, WindowsXP is adhering to a standard and to the requests of users. It also allows for a feature that enables home users to permit others to take over their computers over a network to fix technical problems. Sounds like a nice selling point for the home user to me.
So how much do Windows security administrators have to worry about this? Well, that depends. If your company also has a Web site, it can be the target of a DDoS attack. Until recently there hasn't really been a lot that a Web site's managers could do to prevent a DDoS attack, but two new products could be the key to identifying attacks and minimizing damage. One is Asta Networks Vantage System®. According to the company's site, "Vantage System intelligently uses the existing capabilities of backbone routers to detect, locate and help network engineers effectively counter DDoS attacks and related network reliability problems." One-year-old company Mazu Networks will also be releasing a product to combat DDoS attacks, but details are currently unavailable. If the release of WindowsXP is going to result in increased DDoS attacks, looking into these and other products might be worth it.
If users in your organization are going to migrate to WindowsXP, careful configuration will probably prevent any malicious users from gaining access to the system. As long as you can trust your users not to launch DoS attacks of their own, there should be no problem.
An interesting byproduct of all this raw-socket discussion is the fact that Windows 2000 also supports raw sockets, including IP spoofing, through a socket option called IP_HDRINCL. Some experts believe that this will make Windows 2000 as likely a target as Unix machines for DDoS attackers. Network administrators, whether aware of this fact or not, probably prevent this possibility by having a safe, secure network.
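The "safe, secure network" that keeps a compromised host from being useful as a spoofing zombie comes down to one concrete control at the border: outbound packets whose source address is not one the site actually owns should never leave. The following is an added example, not code from the article or from either Gibson or Microsoft, that models that egress check (the approach later documented as BCP 38) over constructed packet summaries. The site prefixes and the packet list are assumptions invented for the example.

```python
import ipaddress

# Constructed assumption: the address blocks legitimately assigned to this site.
# A real deployment would take these from the router's interface configuration.
SITE_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample of outbound packets as (source, destination) pairs,
# the way a border router would see them leaving the site.
SAMPLE_OUTBOUND = [
    ("203.0.113.17", "192.0.2.80"),     # legitimate: inside 203.0.113.0/24
    ("10.0.0.5", "192.0.2.80"),         # private address leaking out: drop
    ("192.0.2.200", "192.0.2.80"),      # source not ours at all: spoofed
    ("198.51.100.90", "192.0.2.80"),    # legitimate: inside 198.51.100.0/25
    ("198.51.100.200", "192.0.2.80"),   # outside the /25 we own: spoofed
    ("not-an-address", "192.0.2.80"),   # malformed source: drop rather than guess
]


def is_legitimate_source(src: str, prefixes=SITE_PREFIXES) -> bool:
    """True only if src parses and falls inside a prefix this site owns."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in prefixes)


def egress_filter(packets, prefixes=SITE_PREFIXES):
    """Split outbound packets into those to forward and those to drop.

    Anything with a source outside the site's own prefixes is dropped; a
    raw-socket zombie inside the network can then flood only with its real
    address, which is traceable.
    """
    forwarded, dropped = [], []
    for src, dst in packets:
        if is_legitimate_source(src, prefixes):
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped


def offending_sources(dropped):
    """Count dropped packets per claimed source, so an administrator can see
    which addresses a host inside the network is trying to impersonate."""
    counts = {}
    for src, _ in dropped:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    fwd, drp = egress_filter(SAMPLE_OUTBOUND)
    print("forwarded:", fwd)
    print("dropped:", drp)
    print("offending sources:", offending_sources(drp))
```

The check is deliberately one-directional: it inspects packets leaving the site, because that is the only point where the network operator can know which source addresses are genuine. A matching ingress rule at the other end (rejecting inbound packets that claim one of your own prefixes as their source) is the mirror image and uses the same prefix test.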
This is sure to be an ongoing debate, and I am sure I left out some of each side's issues, so if you want the full story read the documents from Gibson and Microsoft to draw your own conclusions. This is definitely an issue to be prepared for. Also look for news on the subject on the searchWin2000.com site and in the newsletter.
About the author
Benjamin Vigil is a technical editor for searchSecurity's parent company TechTarget.
This was first published in June 2001