August 12, 2004

XPSP2 rips out raw sockets

Ok, now this just sucks.

One of the 'security additions' in XP SP2 is that raw sockets are no longer available. Result? Tools like nmap no longer work in their current form.

The reason from Microsoft: 'Only attack tools seem to use raw sockets'.

ARG!!!!!!!!!!!

So be forewarned. If you upgrade to SP2, you will lose access to nmap. Now I got a valid reason for keeping my other Linux box around ;-)

My next buy was going to be a TabletPC. Wonder if I pray hard enough if Steve Jobs can 'Newton-afy' a Powerbook and give me OSX on a powerbook supporting tablet functionality. Then I could have raw sockets, OSX and a tablet all rolled up in one. *sigh*

Posted by SilverStr at August 12, 2004 08:31 AM
Comments

I don't know, is turning off raw sockets in Windows XP such a bad thing? I mean, on the average, most of the people using Windows XP on the internet are home users who check email, surf the web, etc, etc. They do not need the ability to create raw sockets because most of them probably won't be doing any sort of network traffic analysis. But in spite of this, Windows 2000 and XP pre-SP2 still allow the creation of raw sockets. The bad part here is that when these machines become infected with trojans like SubSeven, all of a sudden, you can turn a harmless Windows PC into a soldier for a Distributed Denial of Service attack. Raw sockets allow these trojan programs to do IP spoofing, SYN floods, etc. Without raw sockets, DDoS attacks might still be possible, but at least with this, we can mitigate the amount of damage each PC does.

I understand that it's a hassle for people who use tools like Winpcap and nmap (I use those tools too). But I think that turning off access to raw sockets is for "the greater good". I would gladly be restricted to using a *nix or *BSD box to use tools like ethereal and nmap if it means that Windows XP PCs will be much harder to exploit for DDoS attacks.

Steve Gibson wrote a great article about raw sockets in Windows XP, you can find it at http://www.grc.com/dos/winxp.htm

Posted by: Simmoril at August 12, 2004 11:12 AM

I don't think that the Gibson article is great. In fact: http://www.grcsucks.com/.

Posted by: dominick baier at August 12, 2004 11:21 AM

Security by obscurity alone is silly. As you mentioned, it's easy to simply flip over to a Linux or BSD box to get raw socket access anyways. Why then, should raw sockets be ripped? The view that because it's the most 'used' operating system and needs to be limited is silly. As is the fact it's the most or least vulnerable with this move. All it really is doing is lowering the number of LAUNCH points. XP is no safer for this removal. Nor is it any less vulnerable. It just removed script kiddies from using mommy's computer to launch the next DoS against Ultima Online. The same kiddies that will just grab the next Knoppix Live CD and use that instead.

There was nothing wrong with having raw socket support. What was wrong was the safeguards placed around it, and the access to the stack in such a way. In Unix environments you can limit raw socket access to root. And you can do the same thing for Windows through the System and Administrator security contexts. However, since most people are STILL running as Administrators instead of normal users, no wonder XP is a playground for 'attack tools'.

Quite frankly I was slowly moving all my infosec forensic and analysis tools to Windows. There was almost no need to have a Linux box around when an XP + cygwin combo could do almost everything I needed. Now I gotta roll that back if I want some of the common functionality an information security professional will need from their OS.

Posted by: SilverStr at August 12, 2004 11:27 AM

I realize that this countermeasure does not stop a person who has physical access to the box. In fact, with physical access to the box, hardly anything will stop a person from being able to turn it into a zombie for a DDoS attack. What this countermeasure DOES stop however, is the ability for a person to REMOTELY turn a Windows XP box into a zombie with a trojan. The leap from getting a user to launch an exe to getting a user to let you into their house and allow you to insert a CD into their computer and reboot it is quite another.

Yes, perhaps completely removing the ability to create raw sockets was an overstep (if that's what SP2 does). I thought a better idea might have been producing a patch or installer that restored the ability to create raw sockets. That way, the people who truly need it can reactivate it, and those that don't need it can live without it. The only problem there is that one might be able to create a trojan that reactivates raw sockets in the same manner.

The fact of the matter is Windows is used by an enormous percentage of the public. Should security rely on users doing the right thing, or should Microsoft take matters into their own hands and take proactive measures like this one? I honestly don't see a way around having it both ways, where Windows XP is secure enough for the average user, yet robust and powerful enough for advanced uses (like forensics).

I mean, even though Unix can limit access via root, let's say everyone in the world ran Unix. Nothing will change because the average user will still run everything as root. It's still going to be the mentality of "Get it working first, secure it second (maybe)." And that's the larger problem; getting users to do the right thing. Many users don't because they don't see the point of running Windows Update, or using a separate account without Administrator access. So the question is, what should be done about those users and their insecure machines?

Posted by: Simmoril at August 12, 2004 02:23 PM

you're kidding me, right silverstr? how the heck is this obscurity? these systems are often being used REMOTELY by people who can't just install BSD or Linux on a remote box, not when they've done a basic exploit or spammed a mail-based virus. distributed packet floods, using thousands of systems. not some kid at home booting to knoppix to launch a SYN flood. coordinated attacks controlled remotely.

the number of XP systems used in DDoS attacks is huge. while a good number of those are connection floods (which raw sockets won't stop, but connection throttling will help alleviate), the basic packet floods we've been tracking are sure to be reduced once XP SP2 gets wider deployment.

i fail to see how any of this is "Security by obscurity". a knee jerk reaction is that if it's not a silver bullet to the ills of computer security it must be security by obscurity.

never mind the fact that patches ALREADY EXIST to get by some of these limits, and more are on the way. people who NEED TO DO THIS WILL BE ABLE TO. and so will some attackers (but that's the tradeoff you MUST accept).

we've constantly seen that by preventing IP address spoofing we can alleviate DDoS attacks more efficiently and effectively, and this will only help that. egress filtering helps, this goes even further.

furthermore, plenty of research shows that connection throttling has a limited impact on normal network access by almost everyone but slows worms and scans to a manageable form.

it's all about raising the bar, not about hiding it. the bar's still obvious, and has some obvious flaws. this isn't a total panacea, but it's hardly "Security by obscurity". if this will help defenders in the arms race, great.

now quit complaining that less than 1% of XP users are inconvenienced when the vast majority of people will benefit from these sorts of protections.

Posted by: jose at August 12, 2004 02:43 PM

Jose,

I'm not kidding, but I guess I could have chosen my words better.

Here is how I view this. First off, raw sockets haven't actually been removed. This is where things start to go cloudy for most people. Microsoft still has raw socket support in the stack, it's just preventing the SENDING of tcp data over raw sock, and prevents UDP datagrams with invalid source addresses from being sent.

So what threat are we protecting here? As you have stated, its basic packet flooding. But wait a second... for this to occur, the following events must occur to take advantage of this remotely:

1) An adversary must exploit a vulnerability in the operating system, or applications with privilege to gain access to the system

2) The adversary must transfer hostile code to the target

3) The adversary must execute said malicious code and start the sequence.

So, what we are saying here is that for the use of raw sockets to be a problem remotely in this scenario, the system has to already be compromised. At this point is raw sockets the real issue here?

Let's assume it is for a moment, because zombies are really bad on Windows platforms. For the adversary to get around this new 'fix' all they have to do is have the hostile code insert its own raw sock stack! There are already rootkits that DO THIS. So there is no real gain by removing raw sockets for the determined adversary.

Now let's approach this differently. What is the real asset we are wanting to protect at this point? The system is already compromised, and what we now want to do is protect the rest of the world from malicious code which can take advantage of raw sockets. How could we do this better?

Well for starters, let's not care if it's raw sockets or not. We know that TYPICALLY the frequency of port opening and sent packets that increase in speed and size typically show to be more malicious than not. (Note I say more.. not always). As such, simple connection throttling mechanisms could slow the propagation of attacks by simply slowing down aggressive port and packet code that is firing on the ether. There is lots of research on using scaled socket connection pools to prevent floods like this, and it could easily be added to do this. Of course, like stated above, this could be compromised if someone replaced the logic in the stack for this.

My point is that in the face of what must first occur for this to be a compromised threat, other events have to already have occurred which should be of concern, and should have already been mitigated. As such, hiding/removing a single component of raw sockets to make things more secure may not have been the best way to go about this. I obviously can't be certain, as I didn't see the threat model for this to determine what other threats this may be mitigating.

You're right that I have no real right to complain about the inconvenience. The removal will undoubtedly remove SIMPLE script kiddy action, but does not provide any real protection against a real adversary in this particular case.

Posted by: SilverStr at August 12, 2004 04:50 PM

You're thinking about this from the wrong end. The raw socket changes in SP2 are about making big DDoS attacks harder. Raw socket receives still work as always. Unspoofed UDP sends over raw still work as before. TCP sends are gone. We've seen with MS Blast what big DDoS TCP SYN attacks can do. What if the Blaster target had been someone without Microsoft's resources to fend off the attack? The changes to raw in SP2 were carefully chosen to raise the bar with the smallest possible impact to apps.

Posted by: David at August 17, 2004 08:46 AM

XP SP2 raw sockets can be enabled by disabling Windows Firewall and disabling the service called Windows Firewall/Internet Connection Sharing. Which brings me to another point: if I can do it, so can a virus program.

Greg R

Posted by: Greg at August 20, 2004 06:09 AM

You people need to get out more. I pretty much tripped over this site and started reading. I was trying to figure out if I wanted to DL xpsp2 or leave my PC as is. Obscurity or not, some measure of control is required to maintain a 'safe as possible' environment for PC users. -XP was not designed for corporate operations, let alone forensic analysis! Even XP Office as best I can tell is barely good enough to run a small business on its own (which is why sub programs were created to be compatible with XP, XP Pro and Office). If you truly need to utilize raw sockets for high tech analysis, then put your Linux on the bench, hire a comp wiz and write your own operating system. XP isn't the be all end all of the PC world. It was designed with the masses in mind, not the elite. If it's not a good enough OS for your needs, then look elsewhere for your raw socket integrated OS. Personally, I can do without DDoS on my system. With that said, I would like to thank Microsoft for at least doing something. What exactly have the rest of us done to help? "If you're not part of the solution, you're part of the problem" (unknown author)

Posted by: Some guy with no clue at September 8, 2004 10:18 AM

-final note - as most of you have guessed, I'm just your average user, but, I do try to learn. If I have offended anyone with my post, please feel free to contact me and teach me what you know. tramacorp@shaw.ca (yes, the 'u' is missing on purpose *wink*) love the site, have fun, or go back to bed.
sidewayshappyfaceandstuff

Posted by: Some guy with no clue's 2nd attempt at posting at September 8, 2004 10:28 AM

Greg, people can still launch DDoS attacks from your system. They just can't launch "spoofed" DDoS attacks.

Let me also say, that there are MUCH worse things than DDoS kiddies. Are your credit card details any safer?

I conducted an experiment, and discovered that what David mentioned earlier works, and is actually very easy to accomplish.

(s00p) .syn 192.168.0.2 6667 3
(oxcwmjhk) SYN flooding [192.168.0.2:6667] for 3 seconds
(oxcwmjhk) Done with SYN flood [0KB/sec]

This "0KB/sec" obviously meant that the spoofed SYN flood failed. After one simple execution:
C:\Documents and Settings\Seb>net stop "Windows Firewall/Internet Connection Sharing (ICS)"
The Windows Firewall/Internet Connection Sharing (ICS) service was stopped successfully.

This response:
(s00p) .syn 192.168.0.2 6667 3
(oxcwmjhk) SYN flooding [192.168.0.2:6667] for 3 seconds
(oxcwmjhk) Done with SYN flood [640KB/sec]

Posted by: s00p at September 18, 2004 02:41 AM

I've been informed that you should use the ID "SharedAccess" instead of the description "Windows Firewall/Internet Connection Sharing (ICS)", and so:

C:\Documents and Settings\Seb>net stop SharedAccess
The Windows Firewall/Internet Connection Sharing (ICS) service is stopping.
The Windows Firewall/Internet Connection Sharing (ICS) service was stopped successfully.

Posted by: s00p at September 18, 2004 06:56 AM
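Greg's and s00p's posts show that stopping the Windows Firewall/ICS service (SharedAccess) is what brings back the spoofed raw sends SP2 blocks, and Greg's caveat is that a virus can do the same. The Python below is an added example, not code from any poster, that flags that service being stopped in a constructed System event log export; it relies on the Service Control Manager event 7036 wording, while the hosts, times and tab-separated export layout are assumptions made for the sample.

```python
import re

# Display name of the SharedAccess service discussed in the thread.
FIREWALL_SVC = "Windows Firewall/Internet Connection Sharing (ICS)"

# Service Control Manager event 7036 wording: "The X service entered the Y state."
STATE_RE = re.compile(r"^The (?P<svc>.+) service entered the (?P<state>\w+) state\.$")

# Constructed sample export of a System event log, one event per line, tab-separated:
# time, host, source, event id, message. Hosts and times are invented for this example.
SAMPLE_LOG = """\
2004-09-18 02:40:10\tWKS01\tService Control Manager\t7035\tThe Windows Firewall/Internet Connection Sharing (ICS) service was successfully sent a stop control.
2004-09-18 02:40:11\tWKS01\tService Control Manager\t7036\tThe Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
2004-09-18 02:41:00\tWKS02\tService Control Manager\t7036\tThe Print Spooler service entered the stopped state.
2004-09-18 02:55:30\tWKS01\tService Control Manager\t7036\tThe Windows Firewall/Internet Connection Sharing (ICS) service entered the running state.
2004-09-18 03:10:05\tWKS03\tService Control Manager\t7036\tThe Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
"""


def firewall_state_changes(log_text):
    """Return (time, host, state) for every 7036 event about the firewall/ICS service."""
    changes = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5 or parts[2] != "Service Control Manager" or parts[3] != "7036":
            continue
        m = STATE_RE.match(parts[4])
        if m and m.group("svc") == FIREWALL_SVC:
            changes.append((parts[0], parts[1], m.group("state")))
    return changes


def hosts_with_firewall_stopped(log_text):
    """Hosts whose most recent firewall/ICS transition left the service stopped."""
    last_state = {}
    for _time, host, state in firewall_state_changes(log_text):
        last_state[host] = state  # the export is in chronological order
    return sorted(host for host, state in last_state.items() if state == "stopped")


if __name__ == "__main__":
    for when, host, state in firewall_state_changes(SAMPLE_LOG):
        print("firewall/ICS service %s on %s at %s" % (state, host, when))
    print("hosts currently without the firewall service:", hosts_with_firewall_stopped(SAMPLE_LOG))
```

A host that shows up as stopped and is not expected to be, or one that bounces between stopped and running, is the signal to look at; a legitimate restart by an administrator leaves the service running again.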