[ISN] XP vulnerable to DoS attacks

From: InfoSec News (isnat_private)
Date: Wed Oct 24 2001 - 00:18:32 PDT

    http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2819030,00.html
    
    By Wayne Rash
    October 19, 2001 
    
    "It suffers from being very complicated," Steven Gibson says, trying
    to explain why he thinks a little-known feature of some operating
    systems could spell doom for businesses on the Internet. Gibson runs
    Gibson Research, a highly regarded Laguna Hills, California, security
    research firm. The feature is something called "raw sockets," and it's
    in Windows XP, the newest version of Microsoft's Windows operating
    system. Internet businesses could find their access to the world
    buried in a flood of nonsense traffic that could exclude nearly
    everything else.
    
    Microsoft has yet to find a security hole it doesn't like, and Windows
    XP is no exception. In this case, the raw sockets feature can allow
    creators of denial of service (DoS) attacks untold levels of new power
    in their quest to bring the Internet to its knees. This is because the
    raw sockets feature makes it easy to command any computer running
    Windows XP to unleash a flood of packets that will more efficiently
    tie up the switches and routers upon which the Internet depends.
    
    Though the Internet is full of operating systems that support raw
    sockets, including all versions of Unix and Linux, Windows is the only
    operating system that makes them available to any user with any level
    of access. Unix and Linux require special rights to allow this feature
    to be accessed, so it's less of a problem (although this feature is
    regularly exploited with those operating systems, as well).
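The previous paragraph turns on one technical fact: on Unix-like systems, opening a raw IP socket is a privileged operation (on Linux it requires the CAP_NET_RAW capability, normally held only by root), so hostile code running as an ordinary user cannot hand-craft packets that way. The following C program is an added example for this page, not code from the article or from Microsoft, that lets an administrator verify that privilege gate on a host: it tries to open a raw socket and a normal UDP socket, classifies the result, and warns if an unprivileged account was able to get the raw socket. It assumes a POSIX host with the BSD socket API; the function and type names are the example's own.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of trying to open a socket of a given type. */
enum probe_result { PROBE_ERROR = -1, PROBE_DENIED = 0, PROBE_ALLOWED = 1 };

/* Pure classifier, kept separate from the system call so the decision
 * logic can be checked without touching the network stack. fd is the
 * value socket() returned, err the errno observed when fd < 0. */
enum probe_result classify_socket_result(int fd, int err)
{
    if (fd >= 0)
        return PROBE_ALLOWED;
    /* Linux reports a missing CAP_NET_RAW as EPERM; some systems use EACCES. */
    if (err == EPERM || err == EACCES)
        return PROBE_DENIED;
    return PROBE_ERROR;
}

/* Open an AF_INET socket of the requested type, classify, and close it. */
enum probe_result probe_socket(int type, int protocol)
{
    int fd = socket(AF_INET, type, protocol);
    int err = fd < 0 ? errno : 0;
    enum probe_result r = classify_socket_result(fd, err);
    if (fd >= 0)
        close(fd);
    return r;
}

/* A raw IP socket: the privileged operation the article is about. */
enum probe_result probe_raw_socket(void)
{
    return probe_socket(SOCK_RAW, IPPROTO_RAW);
}

/* An ordinary UDP socket for comparison: any user may open one. */
enum probe_result probe_udp_socket(void)
{
    return probe_socket(SOCK_DGRAM, IPPROTO_UDP);
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_ALLOWED: return "allowed";
    case PROBE_DENIED:  return "denied (privilege required)";
    default:            return "error";
    }
}

int main(void)
{
    enum probe_result raw = probe_raw_socket();
    enum probe_result udp = probe_udp_socket();

    printf("uid %u: raw socket %s, udp socket %s\n",
           (unsigned)getuid(), describe(raw), describe(udp));

    /* Expected on a correctly configured Unix host: udp allowed, raw denied
     * unless we are root (or the binary carries CAP_NET_RAW as a file capability). */
    if (raw == PROBE_ALLOWED && getuid() != 0)
        printf("warning: unprivileged raw sockets are available on this host\n");
    return 0;
}
```

Run it once as an ordinary user and once as root: the UDP probe succeeds both times, while the raw probe should be denied for the ordinary user and allowed only for root. That asymmetry is exactly the control the article says Windows XP removed.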
    
    Now that it's common for users to have their computers attached to the
    Internet at all times, it's also easy for DoS attack software creators
    to infiltrate computers and implant the software that will effect the
    attack. That means that if your employees are online all the time,
    which is the case in most companies, your corporate network could be
    used as the point of origin for an attack against a site on the
    Internet.
    
    Microsoft has devoted a page on its Web site to the issue of what it
    calls hostile code, and suggests that the problem lies
    there--not with Microsoft's implementation of raw sockets.
    
    Additionally, the company points out that raw sockets are necessary
    for some Windows features to work properly. "There are user-level
    functions that use raw sockets," says Scott Culp, manager of
    Microsoft's Security Response Team. He says that the fact that it may
    be slightly easier for "hostile" code to take over a computer with raw
    sockets is more than offset by the need for popular features such as
    Microsoft's Internet Connection Sharing and the company's IPSec
    implementation. Culp also notes that many of the activities Gibson
    singles out as reason to avoid raw sockets can also be accomplished
    without them. For example, Culp says that IP spoofing can be done with
    little more than a device driver.
    
    So why should you care about this potential security hole? Because it
    could be your computers and network that are being used, it's also
    your company that's responsible if you bring down the Web presence of
    another company or a government agency. It's you who will be
    explaining to the authorities why you allowed this, and then
    explaining to your boss, and maybe to the board--if you last that
    long.
    
    But what Microsoft ignores is the fact that all previous Windows
    versions kept anyone from using that feature of TCP/IP except for
    administrators. Instead, Microsoft suggests that it's hopeless to try
    to protect security in the face of such hostile code. The company
    doesn't address the idea that the raw socket issue in Windows XP makes
    it even easier for this hostile code to wreak havoc on the
    Internet--easier than it would be if Microsoft was using the previous
    implementation (the one all other operating systems continue to use).
    
    You can't do much about Windows and its security holes until Microsoft
    takes the problem seriously, so it's up to you to take other steps.
    For example, make sure you have a tested firewall. Purveyors of DoS
    attacks can't load your network up with attack software if they can't
    get in.
    
    While you're at it, make sure your firewall also keeps applications
    from accessing the Internet without permission. That's how DoS works,
    after all. And, of course, think twice about upgrading anything to
    Windows XP until you have all the protections in place and tested. Not
    only will this keep you from unknowingly assuming the liability for
    hosting a DoS attack, it will also help keep those nasty viruses aimed
    at Microsoft's other security hole--Outlook--from causing your company
    any more trouble than it already does.
    
    But first, you have to take responsibility for your network, and for
    the software that runs on it. Start by protecting what you have, and
    then don't let anything--including the marketing machine from
    Redmond--convince you otherwise.
    
    Wayne Rash runs a product testing lab near Washington, DC. He's been
    involved with secure networking for 20 years and is the author of four
    books on networking topics.
     
    E-mail Wayne at: wrashat_private
    
    
    
    ISN is currently hosted by Attrition.org
    
    