eBlue, Sacra Blue Online Magazine
aug 2001 — Issue 229
eBlue articles
The Blue Pencil

By
Tom Anderson

Contact Information:
Tom Anderson
916-488-1870

Windows XP and the IRC Zombie/Bots

A storm is brewing over one of the features in Windows XP, the next version of Windows for both home and business users. For the most complete discussion of this story, you should go to Steve Gibson's Web site, but I'll summarize it here, because this seems to be a very important issue for all of us. During May and June, Gibson's Web site was repeatedly knocked offline by Distributed Denial of Service (DDoS) attacks.

DoS and DDoS
Some definitions here: A Denial of Service (DoS) attack means someone generates a flood of messages - e-mail, pings (a type of information request), or something else - that are so numerous that an Internet server buckles under the load and is unable to provide service to its customers. The usual way to handle a DoS attack is to block everything from that source.

A DDoS attack works a bit differently, exploiting a vulnerability in Microsoft's Internet Information Server. The attacker scans thousands of computers on the Internet, using automated tools, to find unprotected computers. Antivirus tools do nothing to protect from these scans, and even firewalls will fail if a hacker impersonates a trusted application.

Once it has located a sufficient number of machines, the attacker sends a command to each of the computers (hence the "distributed" part of the attack), directing them to send the maximum number of large messages to a particular Internet address. All of this happens, by the way, without the owner of the computers knowing anything is happening.

This is what happened to Gibson's site. I'm going to shorten the story considerably, because I don't have the space to give all the details. But it is a genuinely fascinating story, and if you enjoyed Cliff Stoll's Cuckoo's Egg a few years ago, you'll be riveted by this tale.

Analyzing the attacks, Gibson was able to block them (after a great deal of work) by blocking each individual IP address (the individual address of a computer on the Internet) that the flood came from. He captured messages and blocked the senders individually until the attack was totally blocked. Note that it was only because he could get the IP address and block it that he could cope with the attack.

Then he set out to find out how the attack was created, and by whom. In the end he determined that a 13-year-old had taken an IRC Zombie/Bot (you'll have to go to the site to get the definition), a widely-available hacker tool, changed one line of code, and launched the attack.

The ease with which such an attack can be launched is a bit shocking, but at least it can be blocked once you get all the IP addresses. Fortunately, Windows 9x and ME insist on putting the right IP address on every packet they send out. Just imagine what would happen if the attackers could change that address at will, and forge, or "spoof," the addresses.

The Bad News
Here's the bad news: That's exactly what is built into Windows XP, the next home version of Windows. About 20 years ago, the computer people at UC Berkeley connected Unix to the Internet by creating what's called a "TCP/IP stack." To make it easier to understand, they came up with the concept of "sockets." An application can ask for a standard socket and doesn't have to deal with the underlying technical protocols. The TCP/IP stack handles everything.

But in addition to standard sockets, there are "raw sockets," which are essentially a back door to the power of the system. They bypass the TCP/IP stack, and thus allow creation of non-existent IP addresses, or "spoofing." This was intended as a tool for programmers doing Internet protocol research. Windows sockets have never had raw sockets available, only standard sockets. So Windows machines cannot be used for IP-spoofing attacks, which are much harder to block because the IP address can change with every packet of data sent.
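The column's central point is that Gibson could only stop the flood because every packet carried its real source address, so blocking each address eventually blocked everything, and that a flood of forged addresses defeats that approach. The following Python simulation is an added example, not code from the column or from GRC. It builds two constructed floods, one from a handful of fixed sources and one in which every packet forges a different source, runs the same count-and-block defense over both, and then applies the standard mitigation for forged addresses: filtering at the network edge so that a packet leaving a network must carry a source address that belongs to that network. All addresses, prefixes and thresholds are constructed for the demonstration.

```python
import ipaddress
from collections import Counter

TARGET = "203.0.113.10"  # constructed victim address (documentation range)


def flood_from(sources, packets_per_source, dst=TARGET):
    """Constructed flood where each listed source sends packets_per_source packets.
    This is the Windows 9x/ME situation: every packet shows its true sender."""
    return [(src, dst) for src in sources for _ in range(packets_per_source)]


def spoofed_flood(n, dst=TARGET):
    """Constructed flood where every packet carries a different forged source.
    Sequential addresses from an arbitrary range stand in for random forgeries."""
    base = int(ipaddress.IPv4Address("11.0.0.1"))
    return [(str(ipaddress.IPv4Address(base + i)), dst) for i in range(n)]


def build_blocklist(packets, threshold):
    """Per-source blocking as described in the column: count packets by source
    address and block any source at or above the threshold.
    Returns (blocked_sources, fraction_of_flood_stopped)."""
    counts = Counter(src for src, _ in packets)
    blocked = {src for src, n in counts.items() if n >= threshold}
    stopped = sum(n for src, n in counts.items() if src in blocked)
    share = (stopped / len(packets)) if packets else 0.0
    return blocked, share


def egress_filter(packets, local_net):
    """Edge filtering (the usual answer to forged sources): only let a packet
    leave if its source address belongs to the network it is leaving from.
    A forged address from outside local_net is dropped no matter how many
    distinct forgeries the attacker generates."""
    net = ipaddress.ip_network(local_net)
    return [(src, dst) for src, dst in packets
            if ipaddress.ip_address(src) in net]


if __name__ == "__main__":
    # Honest flood plus a little legitimate traffic from one quiet client.
    honest = flood_from(["192.0.2.5", "192.0.2.77", "192.0.2.130"], 500)
    honest += flood_from(["198.51.100.200"], 3)
    blocked, share = build_blocklist(honest, threshold=50)
    print("honest sources blocked:", sorted(blocked), f"stopped {share:.1%}")

    # Forged flood: same defense, same threshold, nothing to block.
    forged = spoofed_flood(2000)
    blocked, share = build_blocklist(forged, threshold=50)
    print("forged sources blocked:", sorted(blocked), f"stopped {share:.1%}")

    # Edge filter applied where the forged packets originate.
    allowed = egress_filter(forged, "198.51.100.0/24")
    print("forged packets that pass an edge filter:", len(allowed))
```

The first run blocks the three real flooders while leaving the quiet client alone; the second run blocks nothing, because no forged address is ever seen twice, which is exactly the situation the column warns about. The edge filter stops the forged flood at its source network instead of at the victim, which is why it has to be deployed by the networks that host the compromised machines rather than by the site under attack.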

Some people who use sophisticated tools claim Microsoft has taken the source code from the open source Berkeley FreeBSD Unix TCP/IP stack and dropped it whole into Windows XP, leaving the raw sockets intact. (If true, this would raise a whole other question about the attacks MS has been making on open source software.)

Microsoft claims this capability is present in Unix, Linux, and other machines, including Windows 2000. This is correct, but none of these is a mass market consumer system.

What Gibson finds particularly dangerous about Windows XP is that the system will be pre-installed on millions of PCs connected to cable modems and used by unsophisticated users who don't know how to protect their machines, even if they know they should. We in the user group are generally more knowledgeable and more sophisticated than many home computer users, and probably most of us use firewalls and other protective tools.

But even if we in the group can all protect our own computers, we still have to cope with billions of data packets filling the Internet as malicious hackers try to push various Web sites off the Net. Not only can our favorite sites be unavailable, the amount of traffic may significantly slow down the Net.

Because this is such an important potential problem, I strongly urge you to visit GRC and learn the implications for yourself. Microsoft will be visiting us late this year to demonstrate XP. Let's make sure it's bringing a solution, not a problem.

This page prepared by:

Brian Smither

Copyright © 2001 Sacramento PC Users Group, Inc. All rights reserved.