Information Security News mailing list archives

XP vulnerable to DoS attacks
From: InfoSec News <isn () c4i org>
Date: Wed, 24 Oct 2001 02:18:32 -0500 (CDT)


By Wayne Rash
October 19, 2001 

"It suffers from being very complicated," Steven Gibson says, trying
to explain why he thinks a little-known feature of some operating
systems could spell doom for businesses on the Internet. Gibson runs
Gibson Research, a highly regarded Laguna Hills, California, security
research firm. The feature is something called "raw sockets," and it's
in Windows XP, the newest version of Microsoft's Windows operating
system. Internet businesses could find their access to the world
buried in a flood of nonsense traffic that could exclude nearly
everything else.

Microsoft has yet to find a security hole it doesn't like, and Windows
XP is no exception. In this case, the raw sockets feature can allow
creators of denial of service (DoS) attacks untold levels of new power
in their quest to bring the Internet to its knees. This is because the
raw sockets feature makes it easy to command any computer running
Windows XP to unleash a flood of packets that will more efficiently
tie up the switches and routers upon which the Internet depends.

Though the Internet is full of operating systems that support raw
sockets, including all versions of Unix and Linux, Windows is the only
operating system that makes them available to any user with any level
of access. Unix and Linux require special rights to allow this feature
to be accessed, so it's less of a problem (although this feature is
regularly exploited with those operating systems, as well).
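As an added example (not part of Rash's article, and not Microsoft's or Gibson's code), the following C program probes the access control the paragraph describes: on Linux and other Unix-like systems, asking the kernel for a raw IP socket fails, typically with EPERM, unless the process runs as root or holds CAP_NET_RAW. Running it as an ordinary user on a host is a quick way to confirm that the restriction is in place. The function and program names are my own, and the code assumes a POSIX sockets API; it sends nothing and closes the socket immediately.

```c
/* Added example: probe whether the current process may open a raw IP socket.
 * Assumption (mine): a POSIX sockets API as found on Linux, BSD and macOS. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Returns 1 if the kernel let us create a raw socket (process is privileged),
 * 0 if it refused. On refusal *err receives errno; on success it is set to 0.
 * err may be NULL when the caller only wants the yes/no answer. */
int raw_socket_permitted(int *err)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0) {
        if (err) *err = errno;   /* EPERM on Linux for an unprivileged user */
        return 0;
    }
    close(fd);                   /* opened only to test the check; nothing is sent */
    if (err) *err = 0;
    return 1;
}

/* Reports the finding. A host that enforces the Unix model prints "denied"
 * for ordinary users and "permitted" only when run as root or with CAP_NET_RAW. */
int main(void)
{
    int err = 0;
    unsigned uid = (unsigned)geteuid();
    if (raw_socket_permitted(&err))
        printf("raw socket permitted for uid %u\n", uid);
    else
        printf("raw socket denied for uid %u: %s\n", uid, strerror(err));
    return 0;
}
```

Compile with `cc -o rawprobe rawprobe.c` and run once as an unprivileged user and once as root to see both outcomes; the contrast is exactly the one the article draws between Unix-like systems and Windows XP, where the same request succeeds for any user.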

Now that it's common for users to have their computers attached to the
Internet at all times, it's also easy for DoS attack software creators
to infiltrate computers and implant the software that will effect the
attack. That means that if your employees are online all the time,
which is the case in most companies, your corporate network could be
used as the point of origin for an attack against a site on the

Microsoft has devoted a page on its Web site to the issue of what it
calls hostile code, and suggests that the problem lies there--not with
Microsoft's implementation of raw sockets.

Additionally, the company points out that raw sockets are necessary
for some Windows features to work properly. "There are user-level
functions that use raw sockets," says Scott Culp, manager of
Microsoft's Security Response Team. He says that the fact that it may
be slightly easier for "hostile" code to take over a computer with raw
sockets is more than offset by the need for popular features such as
Microsoft's Internet Connection Sharing and the company's IPSec
implementation. Culp also notes that many of the activities Gibson
singles out as reason to avoid raw sockets can also be accomplished
without them. For example, Culp says that IP spoofing can be done with
little more than a device driver.

So why should you care about this potential security hole? Because if
it's your computers and network that are being used, it's also your
company that's responsible if you bring down the Web presence of
another company or a government agency. It's you who will be
explaining to the authorities why you allowed this, and then
explaining to your boss, and maybe to the board--if you last that

But what Microsoft ignores is the fact that all previous Windows
versions kept anyone from using that feature of TCP/IP except for
administrators. Instead, Microsoft suggests that it's hopeless to try
to protect security in the face of such hostile code. The company
doesn't address the idea that the raw socket issue in Windows XP makes
it even easier for this hostile code to wreak havoc on the
Internet--easier than it would be if Microsoft was using the previous
implementation (the one all other operating systems continue to use).

You can't do much about Windows and its security holes until Microsoft
takes the problem seriously, so it's up to you to take other steps.
For example, make sure you have a tested firewall. Purveyors of DoS
attacks can't load your network up with attack software if they can't
get in.

While you're at it, make sure your firewall also keeps applications
from accessing the Internet without permission. That's how DoS works,
after all. And, of course, think twice about upgrading anything to
Windows XP until you have all the protections in place and tested. Not
only will this keep you from unknowingly assuming the liability for
hosting a DoS attack, it will also help keep those nasty viruses aimed
at Microsoft's other security hole--Outlook--from causing your company
any more trouble than it already does.

But first, you have to take responsibility for your network, and for
the software that runs on it. Start by protecting what you have, and
then don't let anything--including the marketing machine from
Redmond--convince you otherwise.

Wayne Rash runs a product testing lab near Washington, DC. He's been
involved with secure networking for 20 years and is the author of four
books on networking topics.
E-mail Wayne at: wrash () mindspring com

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
