XP's sockets could be a raw deal

Windows XP's new feature could spell doom for Internet businesses. But Wayne Rash tells you how to work around the security holes.
Written by Wayne Rash, Contributor

"It suffers from being very complicated," Steven Gibson says, trying to explain why he thinks a little-known feature of some operating systems could spell doom for businesses on the Internet. Gibson runs Gibson Research, a highly regarded Laguna Hills, California, security research firm. The feature is something called "raw sockets," and it's in Windows XP, the newest version of Microsoft's Windows operating system. Internet businesses could find their access to the world buried in a flood of nonsense traffic that could exclude nearly everything else.

Microsoft has yet to find a security hole it doesn't like, and Windows XP is no exception. In this case, the raw sockets feature can allow creators of denial of service (DoS) attacks untold levels of new power in their quest to bring the Internet to its knees. This is because the raw sockets feature makes it easy to command any computer running Windows XP to unleash a flood of packets that will more efficiently tie up the switches and routers upon which the Internet depends.

Though the Internet is full of operating systems that support raw sockets, including all versions of Unix and Linux, Windows is the only operating system that makes them available to any user with any level of access. Unix and Linux require special rights to allow this feature to be accessed, so it's less of a problem (although this feature is regularly exploited with those operating systems, as well).

Now that it's common for users to have their computers attached to the Internet at all times, it's also easy for DoS attack software creators to infiltrate computers and implant the software that will effect the attack. That means that if your employees are online all the time, which is the case in most companies, your corporate network could be used as the point of origin for an attack against a site on the Internet.

Microsoft has devoted a page on its Web site to the issue of what it calls hostile code, and suggests that the problem lies there--not with Microsoft's implementation of raw sockets.

Additionally, the company points out that raw sockets are necessary for some Windows features to work properly. "There are user-level functions that use raw sockets," says Scott Culp, manager of Microsoft's Security Response Team. He says that the fact that it may be slightly easier for "hostile" code to take over a computer with raw sockets is more than offset by the need for popular features such as Microsoft's Internet Connection Sharing and the company's IPSec implementation. Culp also notes that many of the activities Gibson singles out as reason to avoid raw sockets can also be accomplished without them. For example, Culp says that IP spoofing can be done with little more than a device driver.

So why should you care about this potential security hole? Because if it's your computers and network that are being used, it's also your company that's responsible if you bring down the Web presence of another company or a government agency. It's you who will be explaining to the authorities why you allowed this, and then explaining to your boss, and maybe to the board--if you last that long.

But what Microsoft ignores is the fact that all previous Windows versions kept anyone except administrators from using that feature of TCP/IP. Instead, Microsoft suggests that it's hopeless to try to protect security in the face of such hostile code. The company doesn't address the idea that the raw socket issue in Windows XP makes it even easier for this hostile code to wreak havoc on the Internet--easier than it would be if Microsoft were using the previous implementation (the one all other operating systems continue to use).

You can't do much about Windows and its security holes until Microsoft takes the problem seriously, so it's up to you to take other steps. For example, make sure you have a tested firewall. Purveyors of DoS attacks can't load your network up with attack software if they can't get in.

While you're at it, make sure your firewall also keeps applications from accessing the Internet without permission. That's how DoS works, after all. And, of course, think twice about upgrading anything to Windows XP until you have all the protections in place and tested. Not only will this keep you from unknowingly assuming the liability for hosting a DoS attack, it will also help keep those nasty viruses aimed at Microsoft's other security hole--Outlook--from causing your company any more trouble than it already does.
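The egress check that such a firewall should enforce, shown here as an added example that is not from the article: it scans outbound flow records and flags packets whose source address is not one the organisation owns, which is what a spoofed flood crafted with raw sockets looks like as it leaves your network. The flow-record format, the sample records and the 10.0.0.0/8 prefix are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample egress flow records (not from the article). "src" is
# the source address the packet carried when it reached the border device.
SAMPLE_FLOWS = """\
2001-06-12T10:00:01 dir=out src=10.1.2.3 dst=203.0.113.5 proto=udp dport=53
2001-06-12T10:00:01 dir=out src=198.51.100.7 dst=203.0.113.80 proto=tcp dport=80
2001-06-12T10:00:02 dir=out src=10.1.2.9 dst=203.0.113.80 proto=tcp dport=80
2001-06-12T10:00:02 dir=out src=192.0.2.44 dst=203.0.113.80 proto=tcp dport=80
2001-06-12T10:00:02 dir=out src=192.0.2.45 dst=203.0.113.80 proto=tcp dport=80
2001-06-12T10:00:03 dir=in src=203.0.113.5 dst=10.1.2.3 proto=udp dport=53
"""

# Address space the organisation actually owns (assumed for the example).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

def parse_flow(line):
    """Parse one 'ts key=value ...' record into a dict; None if malformed."""
    fields = line.split()
    if len(fields) < 2:
        return None
    rec = {"ts": fields[0]}
    for token in fields[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        rec[key] = value
    return rec

def is_internal(addr, prefixes=INTERNAL_PREFIXES):
    """True if addr lies inside one of the organisation's own prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in prefixes)

def find_spoofed_egress(log_text, prefixes=INTERNAL_PREFIXES):
    """Outbound records whose source address is not ours. These are the
    packets a BCP 38 style egress rule should drop, and a sign that a host
    inside is crafting packets with raw sockets on behalf of a DoS attack."""
    return [rec for rec in map(parse_flow, log_text.splitlines())
            if rec and rec.get("dir") == "out"
            and not is_internal(rec.get("src", ""), prefixes)]

def targets_of_spoofed(spoofed):
    """Count spoofed packets per destination: the likely DoS victim."""
    return Counter(rec["dst"] for rec in spoofed)
```

Run against real border flow logs, any non-empty result means either a misconfigured host or a compromised one, and the destination counter tells you who is being attacked.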

But first, you have to take responsibility for your network, and for the software that runs on it. Start by protecting what you have, and then don't let anything--including the marketing machine from Redmond--convince you otherwise.

Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics.
