[Repost] Raw Sockets Gone in XP SP2

Well, not strictly gone, but their power has been reduced in certain respects.

The good news (and the justification for the removal of the feature) is that this change will prevent certain network attack tools used by crackers from running on Windows XP. These tools are easier to write if you have a full raw socket facility. But it won't impede them much of course - presumably they'll just go and use some other operating system. The limitations on the raw socket facility in Windows XP don't make XP any more or less vulnerable; they just make it slightly less suitable as a platform for launching certain kinds of attacks. But that really won't stop a determined hacker - it's not like it's that hard to find an OS that supports full raw sockets. Linux supports them, for example. (So if Steve Gibson was right in his original rather sensationalist article, Linux will now supplant Windows XP as the "denial of service tool of choice for internet hackers everywhere", as he put it... Not that Windows XP ever fulfilled his prophecy of doom, as far as I know.)

In fact there's no reason a cracker couldn't add the functionality back into Windows if they're prepared to write a suitable device driver. I don't think there's anything stopping you writing a kernel mode device driver that plugs into the NDIS stack and communicates directly with the network card device driver. That would let you send any ethernet packet you like, which would give you at least as much power as the original unencumbered raw sockets API. (In practice they'll probably just use an OS such as Linux which still supports the feature.)

The justification for limiting raw sockets is that they provide a tool for the attackers. That sounds reasonable enough until you realise that raw sockets are also a tool for the defenders. Now that I've installed Service Pack 2 I'm deprived of the ability to use this tool to defend myself, unless I have some other systems around that still support raw sockets. Meanwhile I can be absolutely sure that those who would attack my networks *do* have systems that support raw sockets.

So this change appears to have made Windows XP less useful for detecting security flaws without putting up any significant new barrier to determined attackers. Doesn't that make me less secure, on balance?
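To make the defender's side of this concrete, here is an added example (my own code, not from the original post) of the kind of packet-level inspection a raw socket gives you: parsing the IPv4 and TCP headers of a frame exactly as a raw (SOCK_RAW) receive would hand it to you, and verifying the IP header checksum. The packet is constructed in-line so the example runs offline; on a live host the same `inspect()` call would be applied to the bytes returned by `recvfrom()` on a raw socket. The addresses and ports are made up (documentation ranges), not captured traffic.

```python
"""Parse IPv4 and TCP headers from raw packet bytes (added example, not
code from the original post). Shows the header-level view that a raw
socket exposes to a defender writing a sniffer or diagnostic tool."""
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Return the IPv4 header fields plus the encapsulated payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    # Summing the header with its checksum field in place yields zero
    # only when the header is intact.
    checksum_ok = ip_checksum(packet[:ihl]) == 0
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
        "checksum_ok": checksum_ok,
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    """Return the fixed TCP header fields and the decoded flag names."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x1FF
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
    flags = [n for i, n in enumerate(names) if flag_bits & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "window": win, "data_off": data_off, "flags": flags}


def build_sample_packet() -> bytes:
    """Constructed IPv4/TCP SYN used as sample input (not captured traffic)."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x002,
                      65535, 0, 0)
    total_len = 20 + len(tcp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64,
                      6, 0, socket.inet_aton("192.0.2.10"),
                      socket.inet_aton("198.51.100.5"))
    csum = ip_checksum(hdr)  # computed with the checksum field zeroed
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr + tcp


def inspect(packet: bytes) -> dict:
    """Decode one raw IPv4 packet; add the TCP view when proto is 6."""
    ip = parse_ipv4(packet)
    result = {"ip": ip}
    if ip["proto"] == 6:
        result["tcp"] = parse_tcp(ip["payload"])
    return result


if __name__ == "__main__":
    print(inspect(build_sample_packet()))
```

The checksum check is the useful bit for a defender: a raw receive hands you the header untouched, so damage or tampering that a normal stream socket would silently discard is visible here. Receiving this way on Windows needs administrator rights and, depending on the version, the `SIO_RCVALL` ioctl on the raw socket; that part is platform-specific and not shown.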

(Of course this is just a minor niggle - on the whole, I think the security improvements of XP SP2 are a Very Good Thing!)
