UNIX SECURITY --- June 28, 2001
Published by ITworld.com -- changing the way you view IT
___________________________________________________________________

Denial of Service
By Carole Fennelly

Steve Gibson, founder and president of Gibson Research Labs, has ignited some controversy over his warnings that native raw socket support in Windows XP could cripple the Internet by facilitating Denial of Service (DoS) attacks (http://grc.com/dos/winxp.htm). Gibson states that by natively supporting raw sockets -- already present in Unix-based operating systems and, possibly, in modified Windows systems -- "Nothing more than the whim of a 13-year old hacker is required to knock any user, site, or server right off the Internet."

I think Gibson is overestimating the skill set required to DoS someone. My site recently fell victim to a form of Denial of Service that required no technical skills whatsoever and kept our T1 down for days. The hackers? A bunch of vandals calling themselves "squirrels". That's right, those cute little critters with the big fuzzy tails. It seems that these little rogues are not content with acorns, but also enjoy gnawing through the cable insulation and exposing the wires inside to the elements.

The local cable splicers quite matter-of-factly acknowledged that the old wiring - intended for basic phone service - really couldn't support modern data requirements. Many areas have been updated to shielded cable, but post dot-com cutbacks have resulted in limited budgets for upgrading something as boring as cable. Offering a sexy new wireless service instead is much more exciting. I've heard dozens of stories about mundane glitches bringing down corporate LANs or individual connections; most commonly, an ISP goes out of business. Yet, we continue to build upon an infrastructure founded in quicksand. It's amazing it works at all, really.
In spite of Microsoft's less-than-stellar security track record, native support for raw sockets in Windows XP does not introduce a new exposure. Windows libraries are publicly available to support raw sockets today. For years, people have beaten Microsoft up because they implemented standards selectively, or with extensions. In this case, those same people are beating Microsoft up for finally following an RFC.

DoS attacks do not require sophisticated skills, but they are a very real threat. The addition of raw socket support to Windows XP could possibly provide a wider base to launch such attacks, but trying to halt DDoS by castrating the protocol is like trying to stop the tide with a few sandbags. The infrastructure of the Internet needs to be bolstered so attacks can be countered, or at least traced. How many ISPs employ egress filtering to curtail spoofed addresses leaving their network? Whatever happened with implementation of IPv6 - a stronger protocol that would solve many of these problems? Sure, none of these measures on their own is enough to stop DDoS, but it is a far better use of time to develop a stronger, more stable infrastructure than to restrict Microsoft from including support that is already available in other platforms.

Like the wiring in my neighborhood, the Internet was never intended to handle what is being demanded of it. Upgrading the infrastructure of the Internet is like repairing the plumbing in your house: messy, expensive, and with nothing pretty to show for it. However, the alternative is much worse. The answer is not to prevent attacks but to fix an infrastructure that is so fragile a bunch of squirrels could take it down.

About the author(s)
-------------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting.
She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area. She is also a regular columnist for Unix Insider (http://www.unixinsider.com). Visit her site (http://www.wkeys.com/) or reach her at carole.fennellyat_private
________________________________________________________________________________

ADDITIONAL RESOURCES

Dave Dittrich's DDoS page (lots of good stuff here):
http://staff.washington.edu/dittrich/misc/ddos/

Have Script, Will Destroy (Lessons in DoS) by Brian Martin:
http://www.attrition.org/~jericho/works/security/dos.html

Another router failure troubles US data link:
http://it.mycareer.com.au/breaking/2001/06/19/FFXDBL4K4OC.html

When ISPs Pull the Plug:
http://www.itworld.com/Man/3918/NWW010427pilotcrash/

Wall St. Woes hit IT:
http://www.itworld.com/Man/3918/CWD010416STO59602/

Good article on egress filtering by Brian McWilliams:
http://www.newsbytes.com/news/01/166814.html

Diary of an IPv6 Tester:
http://www.nwfusion.com/reviews/2000/0925rev.html

Captus Networks offers a product that they claim will protect sites from DoS and DDoS attacks:
http://www.captusnetworks.com/

Syncookies are another mechanism to limit resource starvation:
http://cr.yp.to/syncookies.html
________________________________________________________________________________

Copyright 2001 ITworld.com, Inc., All Rights Reserved.
http://www.itworld.com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribeat_private
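The column asks how many ISPs apply egress filtering so that spoofed source addresses never leave their network. As an added illustration, not part of Fennelly's column or any ITworld material, the Python below shows the single decision such a filter makes at the network edge: an outbound packet is forwarded only if its source address falls inside a prefix the site actually owns (the policy RFC 2827 describes), and everything else is dropped and counted so the operator can see which internal hosts are emitting bogus sources. The prefixes, the packet records and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample: the address blocks this site is allowed to source traffic from.
SITE_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed outbound packet records (src, dst, proto); not real captures.
SAMPLE_OUTBOUND = [
    ("203.0.113.17", "198.51.100.5", "tcp"),    # legitimate site host
    ("10.0.0.9", "198.51.100.5", "tcp"),        # RFC 1918 source leaking past NAT
    ("2001:db8:1::a", "2001:db8:2::b", "tcp"),  # legitimate IPv6 host
    ("192.0.2.44", "198.51.100.5", "udp"),      # forged source, not one of our blocks
]


def egress_permitted(src, prefixes=SITE_PREFIXES):
    """True if src belongs to one of the site's own prefixes.

    ipaddress handles the v4/v6 mismatch for us: an IPv4 address is never
    'in' an IPv6 network and vice versa, so mixed prefix lists are safe.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=SITE_PREFIXES):
    """Split packets into (forwarded, dropped); dropped entries carry a reason."""
    forwarded, dropped = [], []
    for src, dst, proto in packets:
        if egress_permitted(src, prefixes):
            forwarded.append((src, dst, proto))
        else:
            dropped.append((src, dst, proto, "source not in site prefixes"))
    return forwarded, dropped


def drop_counts(dropped):
    """Per-source tally of dropped packets: the list an operator chases down."""
    counts = {}
    for src, *_rest in dropped:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    fwd, drop = filter_outbound(SAMPLE_OUTBOUND)
    print("forwarded:", fwd)
    print("dropped:", drop)
    print("drop counts by source:", drop_counts(drop))
```

The filter only needs the site's own prefix list; it never has to know anything about the attack traffic, which is what makes it cheap to deploy at every edge and why its value grows with the number of networks that apply it.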
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 22:41:33 PDT