Microsoft tries to quell TCP/IP 'danger'

To fully implement TCP/IP in Windows XP would make denial of service attacks a walk in the park, Microsoft said.

The company was responding to claims by a well-known security expert known only as "Fyodor" that by repeatedly disabling the ability to send TCP/IP packets via "raw sockets", Microsoft was asking the security community to "pick their poison": either cripple their operating system or leave it open to hackers.

Raw sockets are a feature of operating systems that implement TCP/IP, the protocol suite on which the Internet runs. Security professionals rely heavily on them because a raw socket bypasses the kernel's normal protocol handling: a program can write its own IP and TCP headers to build customised packets, and read network traffic below the transport layer for analysis.

"Supporting packet sends from simple user-mode raw sockets makes it entirely too trivial for compromised systems under control of hackers to launch massive distributed denial of service attacks," Microsoft warned in a statement to ZDNet Australia.

"MS Blast did this by using raw sockets to launch a huge TCP SYN attack against Microsoft," it added.

TCP SYN packets sent with forged (spoofed) source addresses can flood a target with half-open connections, denying legitimate users access to its network services while hiding where the flood came from.
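The packet crafting that raw sockets make possible, as an added illustration that is not code from the article, from Microsoft or from Nmap: a C program that hand-assembles an IPv4 header and a TCP SYN segment with a forged source address, computes both checksums, and verifies them the way a receiving stack would. The addresses, ports, sequence number and the `send_raw` helper are constructed for this example. Actually sending the bytes needs a raw socket with `IP_HDRINCL`, which requires root (CAP_NET_RAW) on Linux and the BSDs and is the capability the article says desktop Windows XP now withholds for TCP.

```c
/* Added example, not from the article, Microsoft or Nmap: build and verify a
 * TCP SYN with a spoofed source, the kind of packet only a raw socket can send.
 * Sample values (10.0.0.1 -> 192.0.2.10:80) are constructed for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum { IP_HLEN = 20, TCP_HLEN = 20, SYN_LEN = IP_HLEN + TCP_HLEN };

/* RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented.
 * Verifying a header means running this over it with the checksum field in
 * place and expecting 0. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)data[0] << 8 | data[1];
        data += 2;
        len -= 2;
    }
    if (len)                      /* odd trailing byte is padded with a zero */
        sum += (uint32_t)data[0] << 8;
    while (sum >> 16)             /* fold carries back into the low 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }

/* Pseudo-header (src, dst, zero, protocol, TCP length) + segment, as the TCP
 * checksum is defined over. Returns the checksum of that concatenation. */
static uint16_t tcp_checksum(const uint8_t *src, const uint8_t *dst, const uint8_t *tcp)
{
    uint8_t pseudo[12 + TCP_HLEN];
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0;
    pseudo[9] = IPPROTO_TCP;
    put16(pseudo + 10, TCP_HLEN);
    memcpy(pseudo + 12, tcp, TCP_HLEN);
    return inet_checksum(pseudo, sizeof pseudo);
}

/* Fill pkt (SYN_LEN bytes) with an IPv4 header and a TCP SYN. Addresses and
 * ports are host-order integers. With IP_HDRINCL the kernel sends these bytes
 * as-is, so src can be anything: that is the spoofing a SYN flood relies on. */
size_t build_syn(uint8_t *pkt, uint32_t src, uint32_t dst,
                 uint16_t sport, uint16_t dport, uint32_t seq)
{
    uint8_t *ip = pkt, *tcp = pkt + IP_HLEN;
    memset(pkt, 0, SYN_LEN);
    ip[0] = 0x45;                 /* version 4, IHL 5 words */
    put16(ip + 2, SYN_LEN);       /* total length */
    put16(ip + 4, 0x1234);        /* identification (constructed sample) */
    put16(ip + 6, 0x4000);        /* flags: DF, fragment offset 0 */
    ip[8] = 64;                   /* TTL */
    ip[9] = IPPROTO_TCP;
    put32(ip + 12, src);
    put32(ip + 16, dst);
    put16(ip + 10, inet_checksum(ip, IP_HLEN));

    put16(tcp + 0, sport);
    put16(tcp + 2, dport);
    put32(tcp + 4, seq);
    tcp[12] = 0x50;               /* data offset 5 words, no options */
    tcp[13] = 0x02;               /* flags: SYN only */
    put16(tcp + 14, 0xffff);      /* window */
    put16(tcp + 16, tcp_checksum(ip + 12, ip + 16, tcp));
    return SYN_LEN;
}

/* Check a packet as a receiving stack would: both checksums must verify and the
 * TCP flags must be exactly SYN. Returns 1 if valid, 0 otherwise. */
int verify_syn(const uint8_t *pkt)
{
    const uint8_t *tcp = pkt + IP_HLEN;
    if (pkt[0] != 0x45 || pkt[9] != IPPROTO_TCP) return 0;
    if (inet_checksum(pkt, IP_HLEN) != 0) return 0;
    if (tcp_checksum(pkt + 12, pkt + 16, tcp) != 0) return 0;
    return tcp[13] == 0x02;
}

/* Build the sample SYN, optionally tamper with its flags, and re-verify. */
int syn_roundtrip(int corrupt)
{
    uint8_t pkt[SYN_LEN];
    build_syn(pkt, 0x0a000001u, 0xc000020au, 40000, 80, 0x11223344u);
    if (corrupt) pkt[IP_HLEN + 13] = 0x12;   /* SYN -> SYN|ACK; checksum now wrong */
    return verify_syn(pkt);
}

/* Hand the bytes to a raw socket. Needs root/CAP_NET_RAW on Linux and BSD; on
 * desktop Windows XP SP2 the equivalent Winsock call is refused for TCP.
 * Returns 0 on success, -1 with errno set on failure. */
int send_raw(const uint8_t *pkt, size_t len)
{
    struct sockaddr_in to;
    int one = 1, fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    ssize_t n;
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) { close(fd); return -1; }
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    memcpy(&to.sin_addr, pkt + 16, 4); /* destination is already in network order */
    n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

int main(int argc, char **argv)
{
    uint8_t pkt[SYN_LEN];
    build_syn(pkt, 0x0a000001u, 0xc000020au, 40000, 80, 0x11223344u);
    printf("sample SYN verifies: %d, tampered copy verifies: %d\n",
           verify_syn(pkt), syn_roundtrip(1));
    if (argc > 1 && strcmp(argv[1], "--send") == 0 && send_raw(pkt, SYN_LEN) < 0)
        printf("raw send refused: %s\n", strerror(errno));   /* EPERM without root */
    return 0;
}
```

Run without arguments it only builds and checks the packet; `--send` attempts the raw send so you can see the operating system's refusal (EPERM on Linux as an unprivileged user). The same code, with the checksum step, is what a fingerprinting tool needs in order to vary one header field at a time and watch how a host answers.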

Admitting that a recent security patch had intentionally disabled a community-developed workaround for the raw socket restriction, which Microsoft first introduced in Windows XP Service Pack 2, the company said it had received little negative feedback on the issue.

In addition, the software giant said only a small number of programs were affected by the change: "The only applications that care deeply about the ability to send over raw sockets are enterprise security applications that use 'fingerprinting' techniques to characterise a host on the network based on its response to carefully crafted packets."

Consequently, the company has restricted access to raw sockets in desktop versions of its software, but not on servers.

Microsoft also encouraged desktop users to use approaches that didn't rely on access to raw sockets, and said that it garnered support for its changes from "all the commercial makers of such applications".

Fyodor, who is also the author of Nmap, a non-commercial network scanning tool that uses raw sockets extensively, previously said he didn't believe Microsoft's reasons for the changes were genuine.

In an e-mail to his 23,000-strong mailing list, he said Windows was the only operating system with the raw sockets restriction.

"Microsoft claims the change is necessary for security," Fyodor said. "This is funny since all of the other platforms Nmap supports (eg Mac OS X, Linux, the BSD variants) offer raw sockets and yet they haven't become the wasp nest of spambots, worms and spyware that infest so many Windows boxes."

The company said it expects further debate on the issue and went so far as to anticipate typical counter-arguments to the TCP/IP changes. One it cited was that "worms/viruses can just install a kernel-mode driver that would still allow denial-of-service attacks to be carried out."

It also pointed out that "writing and installing kernel-mode code is vastly more complicated" than using an existing raw socket feature, and that if malware did make it into the kernel of a Windows machine, the user would have more serious concerns than just SYN attacks launched from their machines.

Talkback

6 comments
  • Back when XP was released, you security buffoons were jumping around complaining that raw-sockets were IN XP, and that it was going to be the end of the world for the internet.. so Microsoft removed the functionality... and you found a workaround for it.. so Microsoft closed that loophole... and now you're complaining that raw sockets are disabled?

    The average windows user has absolutely no need for raw sockets. If you are a legitimate security analyst, use an OS that isn't a toy to do your network scans. Use Linux, Freebsd, or whatever. The people yelling the loudest for this raw socket stuff are people like Fyodor who have no business releasing nmap on windows anyway. Sorry Fyodor, your baby isn't going to run on XP anymore. Get over it. Nobody really cares about this issue, it's not even newsworthy. Don't like windows? Don't run it. Any security analyst worth their salt isn't walking around with XP anyway. It's not like there aren't other choices out there anymore. Linux makes a great workstation. If you are smart enough to know what raw sockets are, and that they don't work on windows xp sp2, why are you still using windows? You have a choice. XP is targeted for the m****es, where raw socket access is just not a requirement, and no legitimate application of raw sockets exists, or ever will exist.
    anonymous
  • To the author of the first comment: there is at least one application for raw sockets on user machines, and it is user-level custom intranet protocols. Say, serverless intranet chat or service discovery system.

    Yes, yes I know that it is not used even remotely often, but still.
    anonymous
  • To be clear: Raw socket receives still work on XP SP2; only raw sends have been removed.

    Both raw sends and receives continue to be supported on server versions of Windows, including the small business server edition.
    anonymous
  • To the first comment that nmap has no business on windows, that is such a childish statement to make.

    I use nmap on a weekly basis for legitimate system/network administration needs to scan my network quickly to make sure no odd ports have opened up since the last scan. In my office, we can NOT run non-windows based operating systems due to the number of custom apps we have installed (this is not a unique situation either, there are many other companies in the same boat).
    I wish I could run something else as I use Linux at home due to its capabilities that sink windows.

    Without the ability to run nmap or similar tools it means that I have no way to perform regular security checks on my own network. To do so I would now have to add a separate machine running Linux/BSD/Mac just to perform a simple test.
    It's an invaluable free tool and has just as much right on a windows platform as it does on a *nix platform.

    Normally windows users are whining that *nix applications don't exist on Windows, and now you're saying you don't want things ported over from *nix.
    anonymous
  • And the brand continues to decline. Microsoft is no longer funny, it's just sad.
    anonymous
  • Hmmm, no support for raw sockets because it (according to ms) makes DoS attacks a walk in the park? How come there's so many windows computers that ping certain ports on my computer then? How come large networks of zombied windows computers are still around?

    I don't think it really matters whether or not raw sockets are available in windows, there is always going to be large scale DoS attacks from windows zombies unless they do something about the abysmal security...
    anonymous