Raw Sockets Revisited: What Happened to the End of the Internet?
May 2001 brought with it an alarming warning of a potential Internet nightmare that the world has never before seen. As a result of this warning, the media, security professionals, and computer geeks throughout the Internet immediately started contemplating this new threat and what it could mean for the future of digital communications. Could this warning be real? Was it valid? Could a hacker really crash the Internet? These questions and more became the centerpieces of an online debate that continued to sweep through almost every online publication site and tech talk show. What we are talking about is Raw Sockets.
In May 2001, a well-known CEO of a security and consulting company, Steve Gibson, released the Raw Socket's warning. According to his Web site, Raw Sockets was a "seriously dumb idea...from Microsoft" that "...spells catastrophe for the integrity of the Internet." As a result of this bold statement, Steve Gibson and his Web site instantly made headlines.
In short, Steve Gibson expressed a serious and heartfelt concern about the implementation of Raw Sockets into Windows' latest operating system, Windows XP. He felt that by incorporating Raw Sockets into its software, Microsoft was inviting every script kiddie and malicious hacker to use its operating system as a platform to launch denial of service (DoS) attacks. In addition to basic DoS attacks, the GRC Web site appears to closely link the integration of Raw Sockets with an increased used of distributed DoS attacks, which are much more damaging to an online presence. Although he did contact Microsoft, the results of his warnings weren't to his liking. In fact, he told Microsoft that he would "...go off and make a big bunch of noise and draw the world's attention to this impending threat to the operation and security of the global Internet." This is exactly how this story became news.
Because this whole debate has been fueled by one man and his comments, we will dissect his concerns with Raw Sockets and see what value they hold. After these points are validated or invalidated, we will take a look at the impact that Windows XP has had thus far on the world of computingand more specifically on the Internet.
What Is a Raw Socket?
A Raw Socket is simply a reference to the capability of a computer program to directly access the communications aspect of computer hardware. Normally, a program must interface with a mediator program called an Application Programming Interface (API) to send and receive data from the computer's hardware. This ensures data integrity and reduces the chance of error.
This power can be understood by looking at how a mailing system works. In a business environment, most letters and mailers are sent out on company letterhead in a prestamped envelope. This increases productivity and reduces the risk of addressing errors. In addition, it legitimizes the message. This is because any message on company letterhead is assumed to be the real deal. The same applies to the normal way data is sent from one computer to another. By using an API, a program must use the prepackaged digital "envelopes" to pass data on to the Internet. This makes the API responsible for ensuring that the required information, such as the destination and return address, are present in each packet.
Raw Sockets, on the other hand, allows a computer program to directly access all aspects of the data in the packet. In other words, this would be the same as using a custom stamp to create company letterhead on-the-fly. Although this power would allow the sender to have more control over what information is stamped on the envelope, such as the return address, it also would increase the potential risk of error. Likewise, Raw Sockets allows its users to customize various aspects of a data packet, which increases the chance of error, be it accidental or intentional. For example, Raw Sockets gives a hacker the ability to create a packet with a fake return address.
One of the most prevalent threats Raw Sockets helps to facilitate is the infamous SYN DoS attack. Typically, a client computer initiates a conversation with another computer by sending it a packet with a SYN (Synchronous Idle Character) flag set. This tells the host computer that someone is about to send data, to which it replies with a SYN ACK (Acknowledge) packet. The client computer receives the SYN ACK packet, which tells it that the host exists and that the host is ready to receive data. The client sends one final ACK packet, informing the host computer that is received the SYN ACK, and that it is about to send data (see Figure 1).
Figure 1 Normal session setup.
If a hacker had the ability to forge a packet's information, he or she could create a SYN packet with a fake, or spoofed, return address. In this case, the host computer would receive the SYN packet from the client computer (hacker), read the return address, and send the SYN-ACK packet to a fake return address. If there were no computer at the spoofed address, the host computer would sit and wait for several minutes before realizing that no one was connecting to it. However, during that time, the host computer would have a port open, waiting for a returning ACK. Because there are only so many ports available for connecting client computers, a hacker could quickly use up all of the host computer's resources (see Figure 2).
Figure 2 Spoofed SYN DoS attack.
This is the threat that Steve Gibson fears from the release of Raw Sockets in Windows XP/.NET. Ironically, soon after the release of his warning, his Web site was attacked and forced offline by another type of DoS attack that did not use any form of Raw Sockets.