[ISN] FRAGILE: Handle With Care

From: InfoSec News (isnat_private)
Date: Thu Jun 28 2001 - 04:32:46 PDT


    UNIX SECURITY --- June 28, 2001
    Published by ITworld.com -- changing the way you view IT
    ___________________________________________________________________
    
    Denial of Service
    By Carole Fennelly
    
    Steve Gibson, founder and president of Gibson Research Labs, has
    ignited some controversy over his warnings that native raw socket
    support in Windows XP could cripple the Internet by facilitating
    Denial of Service (DoS) attacks (http://grc.com/dos/winxp.htm). Gibson
    states that by natively supporting raw sockets -- already present in
    Unix-based operating systems and, possibly, in modified Windows
    systems -- "Nothing more than the whim of a 13-year old hacker is
    required to knock any user, site, or server right off the Internet."
    
    I think Gibson is overestimating the skill set required to DoS
    someone.  My site recently fell victim to a form of Denial of Service
    that required no technical skills whatsoever and kept our T1 down for
    days.  The hackers? A bunch of vandals calling themselves "squirrels".
    That's right, those cute little critters with the big fuzzy tails.
    
    It seems that these little rogues are not content with acorns, but
    also enjoy gnawing through the cable insulation and exposing the wires
    inside to the elements. The local cable splicers quite
    matter-of-factly acknowledged that the old wiring - intended for basic
    phone service - really couldn't support modern data requirements. Many
    areas have been updated to shielded cable, but post dot-com cutbacks
    have resulted in limited budgets for upgrading something as boring as
    cable. Offering a sexy new wireless service instead is much more
    exciting.
    
    I've heard dozens of stories about mundane glitches bringing down
    corporate LANs or individual connections; most commonly, an ISP goes
    out of business. Yet, we continue to build upon an infrastructure
    founded in quicksand. It's amazing it works at all, really.
    
    In spite of Microsoft's less-than-stellar security track record,
    native support for raw sockets in Windows XP does not introduce a new
    exposure. Windows libraries are publicly available to support raw
    sockets today. For years, people have beaten Microsoft up because they
    implemented standards selectively, or with extensions. In this case,
    those same people are beating Microsoft up for finally following an
    RFC.
    
    DoS attacks do not require sophisticated skills, but they are a very
    real threat. The addition of raw socket support to Windows XP could
    possibly provide a wider base to launch such attacks, but trying to
    halt DDoS by castrating the protocol is like trying to stop the tide
    with a few sandbags. The infrastructure of the Internet needs to be
    bolstered so attacks can be countered, or at least traced. How many
    ISPs employ egress filtering to curtail spoofed addresses leaving
    their network? Whatever happened with implementation of IPv6 - a
    stronger protocol that would solve many of these problems? Sure, none
    of these measures on their own is enough to stop DDoS, but it is a far
    better use of time to develop a stronger, more stable infrastructure
    than to restrict Microsoft from including support that is already
    available in other platforms.
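    The egress filtering the column asks ISPs about is the practice described in RFC 2827 (BCP 38): a border device drops any outbound packet whose source address does not belong to the address blocks assigned to the link it arrived on, so a spoofed-source flood never leaves the originating network. The following is an added example, not code from the column or from the ISN post; the interface names, prefixes and packets are constructed (documentation ranges only), and the per-interface assignment table is assumed to be what the router already knows from its customer allocations.

```python
"""Source-address egress filtering (the RFC 2827 / BCP 38 practice) as a worked example.

Added example, not code from the column. It assumes a border device that
knows which address blocks sit behind each customer-facing interface and
checks every outbound packet's source address against that interface's
list before forwarding it upstream.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Packet = Dict[str, str]  # constructed shape: {"iface": ..., "src": ..., "dst": ...}


class EgressFilter:
    """Per-interface anti-spoofing policy: a packet may leave only if its source
    address belongs to a prefix assigned to the interface it arrived on."""

    def __init__(self, assignments: Dict[str, Iterable[str]]):
        self.allowed = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()
        }

    def permit(self, iface: str, src: str) -> bool:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # not a parsable address: drop rather than guess
        # These never belong on the wire as a source, whatever the table says.
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            return False
        # An interface with no assignments (or an unknown one) permits nothing.
        # ipaddress returns False for an address checked against a network of
        # the other IP version, so mixed v4/v6 tables are safe here.
        return any(addr in net for net in self.allowed.get(iface, []))

    def apply(self, packets: Iterable[Packet]) -> Tuple[List[Packet], List[Packet]]:
        """Split packets into (forwarded, dropped) according to the policy."""
        forwarded: List[Packet] = []
        dropped: List[Packet] = []
        for pkt in packets:
            (forwarded if self.permit(pkt["iface"], pkt["src"]) else dropped).append(pkt)
        return forwarded, dropped


# Constructed sample policy using documentation prefixes, not real allocations.
SAMPLE_ASSIGNMENTS = {
    "cust-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/25"],
}

# Constructed sample traffic: two legitimate packets, three that must be dropped.
SAMPLE_PACKETS = [
    {"iface": "cust-a", "src": "192.0.2.10", "dst": "203.0.113.5"},        # legitimate
    {"iface": "cust-a", "src": "2001:db8:a::1", "dst": "2001:db8:ff::9"},  # legitimate
    {"iface": "cust-a", "src": "198.51.100.7", "dst": "203.0.113.5"},      # cust-b's prefix seen on cust-a: spoofed
    {"iface": "cust-b", "src": "203.0.113.77", "dst": "203.0.113.5"},      # foreign source: spoofed
    {"iface": "cust-b", "src": "127.0.0.1", "dst": "203.0.113.5"},         # loopback source: bogus
]


def run_sample() -> Tuple[int, int]:
    """Apply the sample policy to the sample traffic; returns (forwarded, dropped) counts."""
    forwarded, dropped = EgressFilter(SAMPLE_ASSIGNMENTS).apply(SAMPLE_PACKETS)
    for pkt in dropped:
        print(f"drop iface={pkt['iface']} src={pkt['src']} (source not permitted on this interface)")
    return len(forwarded), len(dropped)


if __name__ == "__main__":
    print(run_sample())  # -> (2, 3)
```

The per-interface table is the stricter form of the check; a looser variant keeps a single list of every prefix the ISP owns and applies it at the upstream link, which still stops packets claiming addresses from outside the network but not a customer spoofing a neighbouring customer's block. Either way, logging the drops is what gives the traceability the column asks for.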
    
    Like the wiring in my neighborhood, the Internet was never intended to
    handle what is being demanded of it. Upgrading the infrastructure of
    the Internet is like repairing the plumbing in your house:  messy,
    expensive, and with nothing pretty to show for it. However, the
    alternative is much worse. The answer is not to prevent attacks but to
    fix an infrastructure that is so fragile a bunch of squirrels could
    take it down.
    
    About the author(s)
    -------------------
    Carole Fennelly is a partner in Wizard's Keys Corporation, a company 
    specializing in computer security consulting. She has been a Unix 
    system administrator for almost 20 years on various platforms, and 
    provides security consultation to several financial institutions in the 
    New York City area. She is also a regular columnist for Unix Insider
    (http://www.unixinsider.com). Visit her site (http://www.wkeys.com/) or 
    reach her at carole.fennellyat_private
    ________________________________________________________________________________
    
    ADDITIONAL RESOURCES
    
    Dave Dittrich's DDoS page (lots of good stuff here):
    http://staff.washington.edu/dittrich/misc/ddos/
    
    Have Script, Will Destroy (Lessons in DoS) by Brian Martin
    http://www.attrition.org/~jericho/works/security/dos.html
    
    Another router failure troubles US data link:
    http://it.mycareer.com.au/breaking/2001/06/19/FFXDBL4K4OC.html 
    
    When ISPs Pull the Plug
    http://www.itworld.com/Man/3918/NWW010427pilotcrash/
    
    Wall St. Woes hit IT:
    http://www.itworld.com/Man/3918/CWD010416STO59602/
    
    Good article on egress filtering by Brian McWilliams:
    http://www.newsbytes.com/news/01/166814.html
    
    Diary of an IPv6 Tester
    http://www.nwfusion.com/reviews/2000/0925rev.html
    
    Captus Networks offers a product that they claim will protect sites
    from DoS and DDoS attacks:
    http://www.captusnetworks.com/
    
    Syncookies are another mechanism to limit resource starvation:
    http://cr.yp.to/syncookies.html
    ________________________________________________________________________________
    Copyright 2001 ITworld.com, Inc., All Rights Reserved.
    http://www.itworld.com
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    
