Windows XP: Raw nerve?

Microsoft denies raw sockets facilitate Denial-of-service Attacks
Written by Brian Ploskina, Contributor

Windows XP is set for an extravagant New York City launch on Oct. 25, but the debate over the security of an element called "raw sockets" in Microsoft's latest operating system release will rage for quite a bit longer.

Steve Gibson, an independent software developer who has written several security programs, has been waging a public campaign since July against Microsoft's inclusion of raw sockets in Windows XP. He has alleged that raw sockets - a TCP/IP feature included in XP for backward compatibility, but that also lets an application generate bogus IP headers - will soon make it much more difficult to prevent distributed denial-of-service (DDoS) attacks, which already occur frequently on the Internet.

"If I brought this up a year and a half ago, [Microsoft] might have fixed it, but it didn't see the danger until it was too late," Gibson said. To date, he said, no one at Microsoft has taken seriously his worries about raw sockets.

A denial-of-service attack floods a single resource on the Internet, usually a Web or application server, with more packets than it can handle, effectively disabling it. A DDoS attack is harder to stop because the flood comes from hundreds or thousands of compromised PCs, each running a "zombie" program that lets the attacker direct it as one of the minions that launch the attack. Raw sockets could amplify that threat by making IP spoofing, the forging of a packet's source address so the flood cannot be traced or filtered by origin, readily available to hacker tools.

Microsoft adamantly refuted Gibson's claim that XP's support of raw sockets makes it a security problem. A Microsoft spokeswoman pointed out that Apple Computer's Mac OS, Linux, Unix and Microsoft's own Windows 2000 have all implemented raw sockets. She also noted that DDoS attacks have been launched using versions of Windows that didn't support raw sockets.

But Gibson countered that while the raw sockets feature was implemented in previous OSes, those operating systems weren't as widely used by consumers as Windows XP is expected to be. He also said raw sockets don't make it easier to launch a DDoS attack, but instead make it more difficult to defend against one.

Even one of Microsoft's resellers expressed concern that the raw sockets in Windows XP will increase its susceptibility to hacking. "It's one less hoop that a hacker has to jump through," said Richard Blair, a senior consultant of Chicago's SEI Information Technology, a consulting firm that is a Microsoft Gold Certified Partner.

Other security experts were divided about the impact of raw sockets in Windows XP.

"I'm not sure it makes the situation any worse," said Ted Julian, chief strategist of Arbor Networks, a developer of anti-DDoS software. Individual users, by securing their machines and networks against hacker intrusions, can do much more to reduce the threat of DDoS attacks than Microsoft or any single entity can, he said.

But Microsoft could help mitigate some of the security risk by making it harder for hackers to create DDoS tools, said Keith Waldorf, co-founder and chief technology officer of Captus Networks, which also provides a DDoS defense product.

"What we're going to see if Microsoft continues down this path is that denial-of-service tools will be easier to implement and cause more problems for the Internet community as a whole," Waldorf said.

Quick Hit

Raw Sockets: What's the Problem?

  • An operating system that exposes "raw" TCP/IP sockets enables an application to spoof its IP address. A distributed denial-of-service attack that exploits this kind of IP spoofing through raw sockets could be virtually impossible to block, some security experts said. Microsoft downplays any potential problem, saying Unix and other OSes have long supported raw sockets.
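The Quick Hit above and the DDoS explanation in the body both come down to one mechanism: with a raw socket the application, not the operating system, writes the IP header, so the source address is whatever the program puts there. The following C example is added here and is not part of the original article. It builds such a header with a forged source, shows that the receiver's header checksum verifies over the forgery just as well as over a genuine address, and shows the edge-network check (BCP 38 / RFC 2827 filtering, the standard mitigation) that can catch it before the packet reaches the Internet. The addresses are constructed from the RFC 5737 documentation ranges, and the local network 192.0.2.0/24 is an assumption for the example. IP_HDRINCL is the standard BSD-sockets option under which the kernel transmits a caller-supplied header as written; the example stops short of opening any socket.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20

/* Dotted-quad literal to a host-order 32-bit address. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 1071 ones'-complement checksum, as used for the IPv4 header. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += get16(hdr + i);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)                       /* fold end-around carries */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill a 20-byte IPv4 header for a TCP payload. Nothing here constrains saddr:
 * on a SOCK_RAW socket with IP_HDRINCL this buffer goes out exactly as written. */
void build_ipv4_header(uint8_t hdr[IPV4_HDR_LEN], uint32_t saddr, uint32_t daddr,
                       uint16_t payload_len) {
    memset(hdr, 0, IPV4_HDR_LEN);
    hdr[0] = 0x45;                                          /* version 4, IHL 5 words */
    put16(hdr + 2, (uint16_t)(IPV4_HDR_LEN + payload_len)); /* total length */
    put16(hdr + 4, 0x1234);                                 /* identification, arbitrary */
    hdr[8] = 64;                                            /* TTL */
    hdr[9] = 6;                                             /* protocol: TCP */
    put32(hdr + 12, saddr);                                 /* source: the program's choice */
    put32(hdr + 16, daddr);                                 /* destination: the victim */
    put16(hdr + 10, ipv4_checksum(hdr, IPV4_HDR_LEN));      /* checksum over the rest */
}

/* The receiver's check. It cannot tell that saddr is forged: a checksum computed
 * over the forged address verifies just like one over a genuine address. */
int ipv4_header_valid(const uint8_t *hdr) {
    return (hdr[0] >> 4) == 4 && (hdr[0] & 0x0f) == 5 &&
           ipv4_checksum(hdr, IPV4_HDR_LEN) == 0;
}

/* What can catch it: BCP 38 / RFC 2827 filtering at the network edge. A packet
 * leaving a network whose source is outside that network's own prefix is spoofed
 * and should be dropped there, before it ever reaches the victim. */
int egress_source_allowed(const uint8_t *hdr, uint32_t local_net, uint32_t local_mask) {
    return (get32(hdr + 12) & local_mask) == (local_net & local_mask);
}

/* Build a header from saddr to the constructed victim 198.51.100.9 and report
 * bit 0: the header checksum verifies, bit 1: the BCP 38 check for the assumed
 * local network 192.0.2.0/24 lets it out. */
int classify_source(uint32_t saddr) {
    uint8_t hdr[IPV4_HDR_LEN];
    build_ipv4_header(hdr, saddr, IP4(198, 51, 100, 9), 20);
    return ipv4_header_valid(hdr) |
           (egress_source_allowed(hdr, IP4(192, 0, 2, 0), 0xffffff00u) << 1);
}

int main(void) {
    /* Forged source 203.0.113.7: checksum verifies (bit 0), egress filter drops it. */
    printf("forged source:  %d\n", classify_source(IP4(203, 0, 113, 7)));  /* 1 */
    /* Genuine source 192.0.2.10: checksum verifies and the filter lets it out. */
    printf("genuine source: %d\n", classify_source(IP4(192, 0, 2, 10)));   /* 3 */
    return 0;
}
```

The point for defenders is in the two checks: the victim's side (`ipv4_header_valid`) has no way to distinguish the forged packet, which is why the experts quoted above call a spoofed flood so hard to block at the target, while the network the attack traffic leaves from (`egress_source_allowed`) can drop it trivially. The checksum routine is the standard RFC 1071 algorithm and is checked in the test against the well-known 0xb1e6 reference header.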