You both make good points, but we're still leaning in Steve's direction

No need to be so reasonable about it....


In your article posted on www.theregister.co.uk, you make some interesting observations. I think many people failed to understand your point that Win XP won't necessarily increase the number of zombie boxes out there, and Gibson seems to be missing the fact that a large collection of zombie boxes can allow a script kiddie to basically do the damage, raw-socket support or not.

On the other hand, I see the problem being with script kiddies who only have their parents' computer to work off of. If they send an attack from their computer (even a nuke) against someone who has a logging firewall and that person reports it, in all likelihood they'll get caught. I know that my own ISP does take reports of attacks seriously and with them, three strikes and you are out. This is the problem that I see: more people who don't have access to a computer that they can install Linux on, but that can get Win XP installed no prob (it's still Windows), will now be able to commit the smaller attacks. Now this isn't as big a threat as Gibson's claim but it does warrant some concern since many people on the net still don't have personal firewalls.

Just my two cents. Thanks for taking a look at Gibson's article from the other angle and pointing it out, I wouldn't have noticed it on my own.
--David Leinbach

I've read both your arguments and Steve Gibson's and I can understand both points of view. My personal opinion is that raw sockets should be limited to root or administrators. Why make a nasty situation worse if you can help it? There really isn't a true need for all the features of a full TCP/IP stack for everyday internet use.

In your article you wrote:

"He shows contempt for Windows users, assuming they're all complete idiots (presumably with the circular argument that they must be morons because they're using Windows), and strongly implies that they can only hurt themselves with a fully-featured OS."

I think the unfortunate truth is that since nearly every PC has Windows on it and most people just use it as a tool, they give the appearance of being "Stupid". I think it is simply a case of people not wanting to learn things about computers on the level that we do in IT. They just want to use it and get on with life. I can relate since I really don't want to learn how our chemical engineers do their job and they don't really want to learn how to do mine. But the bottom line is that you have to assume they just don't know any better and implement your systems to protect themselves. Not from stupidity, but from simple accidents. The users aren't stupid themselves and it isn't because they use Windows.

If the majority of PCs had Linux on them the same problems would exist. Except that *nix systems don't just give out special privileges to everyone who uses them.
--Brian Reichert

Just a quick note, a small point.

In your defense of uSoft and attack on Gibson you take the position that Gibson is over-reacting to the impending availability of raw sockets and that you are sure that the computer savvy of the world are just drooling at the real power uSoft is finally going to make available to them under WinXP.

First, you and uSoft hasten to point out that anyone can easily add raw socket support to their existing OS. Then you declare that Gibson must imagine the world of computer users to be a pack of morons unable to maintain their own system integrity. Your final conclusion is that although XP really will make it easier to personally deploy or distribute Trojans that spoof IP addresses, any new risks are minor {pish-tosh Gibson - Take a vacation}.

I am relatively new to the programming community (approx 5 yrs), I develop private company software (not for public distribution), my involvement in security issues is minimal, I use the internet primarily for personal recreation and research and I consider myself to be someone who stays reasonably well informed on a variety of current social issues and topics of personal interest. I do not consider myself an average computer user. Although I know that there are many computer people much more talented and experienced than myself, I still understand that your basic end user likes to be as ignorant about how their computer works as they are about how their T.V., radio, automobile ... hell even their lightswitch works. And with that out of the way here's 3 little words for you.

... I LOVE YOU ...

I was the entry point that allowed that simple VB Script to infiltrate my company and down its e-mail server for the day.. and wipe out megabytes worth of JPEGs and valid VB scripts, some of which were on our internet developer's machine and represented hours of lost photo-editing work... and infect quite a few machines throughout the company which had to be cleaned. You know the profile of the person that started that fiasco. No code guru he. Just as I'm no computer moron, and yet between the two of us we did my company no small harm.

My point is that you ARE engaging in hubris when you take such a strong stand against Gibson's cautionary tale. If you admit that XP will make DDoS any easier and if the intended audience is a generic personal computer user, then is it such a burden to yourself to pass up on one more included bell/whistle in XP which is so easily installed if you want/need it, so that the rest of us don't have to worry about whether we've set all our properties and configurations just so to prevent this week's newest Trojan from incorporating our machine into some idiotic IP bashing just because we want to surf the web or e-mail jokes to our friends?

uSoft has a well established history of trying to be all things to all people. I never have any free RAM no matter how much I add. And Gates won't be happy until Windows is the only OS available in the world, so is it too much to ask that they look real hard before they take the leap for us all?

I've just read yours and Steve Gibson's articles. I have not taken anyones side. I do find it all interesting and would like to learn more about raw sockets in Windows XP.

One thing though. Steve's articles seem to be more fact based, as yours seem to be based on his character & calling him loopy. I would like to see factual counter arguments. This would make Steve's statements less credible (I would think). At this time, though, I am leaning towards the pessimistic side - Windows XP = Security Swiss Cheese.

I would specifically like to see something about this statement of his. Which I did not see in your article anywhere or may have just missed.

[...] Because of the danger of abuse of full raw sockets, all other operating systems restrict its use to only the most highly privileged applications running with "root" privileges. But as we heard in today's meeting, the need to run Win9x legacy applications under Windows XP has forced the notion of "privilege" to be discarded and thus eliminated a crucial layer of protection. All Home Edition Windows XP applications will, therefore, be running as "root" . . . and a dangerous capability that was never meant to be globally available to all applications - and which ISN'T in any other systems which offer full raw sockets, which have retained the notion of "execution privilege", - has been made available to all applications. [...]

What is your take on the above comment?
Thank You,
--Kirk Rexin


First I would like to say that you have some nice points... but: You write "an attacker first has to compromise a number of client machines with which to packet the target system." hmmm... Remember Trin00, TFN, etc.. ??? The *nix boxes were rooted with the sole purpose of DDoS attack, what makes you think that XP machines won't be? Look at these scenarios. If a huge site with downloads (such as those linked to by download.com) had a server rooted, all executable files could "easily" be infected with a trojan. Or simply going on IRC and finding some Sub7 hosts and setting up some spamming programs and hitting a huge amount of email addresses with "a new and exciting game".

Or a "good old worm".

Do you think that all 3 of these scenarios could be avoided ?

By the way, I would very much like to hear your arguments, please reply when you find the time ;-)
Kind regards,
--Thomas Nielsen

Hello Thomas Greene,

Lately I've been following with great interest the discussion regarding the potential Win XP threat by allowing spoofed packet attacks because of its raw socket implementation.

I share your opinion about Mr Gibson's paranoia, and his way of writing on the GRC website makes them look like the CNN of the hacker community. Although, I must admit it won't help you much calling him a loony and that kind of stuff :-)

In my opinion this is more of a problem at the Internet Service Providers. I'm no expert at this but couldn't this problem be very easily solved if ISPs set up a very simple filter on each of their subnets? Such a filter could for example trash all packets which had the following content:

- Bogus IP address of origin. This is easy to check for an ISP since they would know that all packets coming from the foo.bar.net.x should have these numbers in the "sender" part of the packet.

- Packets that are big size and low wait could be tracked. If such packets appeared on a stream they could be rejected. Although, I don't know if any "legal" type of internet service would use such a packet framework, I don't think so.

It seems clear to me that the first of these countermeasures should easily prevent packet spoofing from the ISPs' customers.

Of course, there will still be thousands of compromised machines out there used as zombies for sending non-spoofed packages, but that is more a general Windows problem. At least those can be tracked down and informed.
Best regards,
--Erik Brenn

I just read your article (referred from the Gibson page), and while this is largely an academic matter to me, since I don't plan to get XP (for other reasons), there are a couple of questions that didn't seem to me to be answered:

1.) What is the utility (for me) of having these "raw sockets" in my home PC? (I seem to be getting along fine without them now.)

2.) If there isn't any added utility for me, why are they there, and what is the argument against removing them (irrespective of which of you is right)?

I've heard and read a lot about whether these things are dangerous or not -- what I haven't heard is why I should want them in the first place, even if they're perfectly safe.
--Jim Girard

Hi Thomas,

I've just read your "Steve Gibson really is off his rocker" column, and in around 5 years of using the internet I have *never* bothered to write to a columnist before, but this time...

I think you have a valid point, but the real problem is more subtle. And dangerous.

Microsoft claim that "hostile code" is the real problem, and detail their efforts to prevent this. However, the statement that "... Windows XP is the most secure operating system *we* have ever delivered" (my emphasis) proves nothing. The standard is not hard to beat. The unfortunate truth is that (due to legacy problems) the raw sockets will be *much* more exposed than on another OS. And wide-spread XP will make them *much* more widely available for malicious use.

And, yes, there are a lot more "unskilled" people using Windows than other OS. This is mostly because, when people first get into PCs, they tend to pick the common format (Windows). This does not imply they are idiots. It just makes security on Windows much harder.

Anyway the "subtle" problem I mentioned is this: Windows XP will be hacked and "spoofed" packet attacks will happen. The real issue is that Gibson (an 'expert') ONLY stopped the attacks by knowing the originating IP addresses.

In other words, with a spoofed attack, he would:-

1. NOT have been able to filter properly.

2. NOT have been able to track the attacking machines.

3. NOT have been able to locate a "zombie" to help solve the problem.

So, under a future XP attack he would have been helpless, and unable to track any of the infected machines. A future attack wouldn't be a "bit worse" but "totally destructive". And if you think, that's not too bad, since the number of infected machines will be limited, then here's the real killer: If those infected machines aren't traced, then they won't be fixed. As time goes on, more and more infected XP's will be out there - creating bigger and bigger problems. That's why the number will increase.

Even if Gibson is being paranoid, I still think giving raw sockets with less-protected access is like handing out loaded guns in the playground. Sure, everything might be fine, but WHY risk it? It's not worth it. Too many 13-year-olds might just try and see what happens if they pull the trigger.

So please, please, reconsider on what you said earlier, and encourage as many people as possible to pester Microsoft to drop this particular feature.
Many thanks,
--Mark Hopkins

Hi there,

I'm a regular register reader, and I usually agree with what I read, or find it at least reasonable criticism of whatever issue is at hand. However, I must actually sharply disagree for about the first time in reading your site's content over the past year or two...

Gibson isn't a paranoid delusional apocalyptic wanker. He is actually correct. Even if he's a bit off on the magnitude, the threat is very real and I need to correct some assumptions stated/implied in your article.

You see, I used to help run EFNet, the world's biggest IRC network for a long period of years. I ran it enough to see attacks larger and longer than most people on the net (including, until a bit ago, Gibson, and including your staff perhaps... eep!). I also learned to step out of the spotlight and stop making myself a hard-ass target for the attacks.

The attackers hold the cards... until mafiaboy got sloppy and someone documented his little fiasco with attacking CNN, and then coolio attacked a separate large company and boasted arrogantly... nobody had been "taken down" for LARGE scale denial of service attacks. When the largest network service providers in the world can say things like "Fuck! That's a gigabit smurf" in 1999... you have to wonder how much worse the automaton armies of the ambitious scriptkid can be.

And, to make matters worse, the boxes involved in *those* attacks were not win32 boxes at all, but rather, a large number of unsecured linux, solaris and similar such boxes. Win32 exploits tended to cause problems here or there, but most of the uses the kids found for such hosts were related to unsecured telnet/connection proxies, not large amounts of traffic.

Getting (or even coding, with a small amount of skill or some other code to start from -- easy to get from a book or, say, the source to ping!) material to make a linux/solaris/... attack which uses spoofed traffic is and always has been trivial. It's all a documented relatively uniform API, with underlying layers implemented for various fully legitimate reasons.

Now, in Win32-land, this functionality has been incomplete by default. Given some snippets of code to do the spoofed attacking, of whatever kind, kids will have the weapons. The required counterpart in code will be some mechanism for taking control of the machine in question, remotely. Perhaps it'll just be distributed like some viruses as an executable attachment, or maybe it'll be a buffer overflow in IE, or whatever else. Once the kids find an easy way in, people really *should* be worried.

I must directly quote and respond to snippets of your article, as well:

> From that we infer that Spoofarino will enable Netizens to test whether or not their ISP allows them to send spoofed packets to Gibson's site. We imagine that any ISP which fails to filter outbound spoofed packets will be identified for a solid public shaming.

Given the ISP could be misrepresenting, say, the fbi or the white house via spoofed packets from deep within their networks, maybe they'll stop and take a moment to care.

> It sounds like a tool with which one could generate raw packets, though probably in a controlled manner. But if that's the case, it would lay much of the ground work for an EZ malicious version leveraging the very threat Gibson is decrying.

It sure does. But his publishing this tool first doesn't make him a villain. Hiding the idea is security through very weak obscurity -- the good guys out there with a clue know it's possible, and so do the bad guys. And, presumably, raw socket code in XP will be similar to, if not conforming to the same standards as, its UNIX counterparts.

The real issue is that our country (and therefore most of the world) is not ready to deal with large-scale denial of service attacks. These attacks can and will intensify against various parties, as it will be trivial to do so, from boxes even less likely to log properly trails of attackers. The law enforcement community has been unable to cope with or care about these attacks, save cases as large as CNN and Yahoo!... and those are by far the exception to the rule. Having seen (large) attacks that lasted weeks, and having seen 100% complacent ISPs and tier one network service providers entirely ignoring the spoofing issue... people *are* in for a rude awakening.

The pain in the ass those of us on the front lines in the IRC world felt for the past five years will become more mainstream -- the kids are already branching out and finding new targets. It'll get easier and it'll get worse.

The sky is falling, the sky is falling. I need to get back to work. I hope you enjoyed my moderately coherent rant. And, for what it's worth, I work in the network software industry doing low-level development, so I have half a clue about the tech side of this stuff, too :)
--Fred Jacobs

but he'll probably write his exploit in assembler, like everything else he does, so the skiddies won't be able to use it ;-)!

--not signed


I think the tone of your story is a little off base. Steve Gibson has been able to back up his previous claims with solid evidence and proof. For example, his work on uncovering the blatant privacy violations by Real Networks and Netscape was first rate detective work.

You cannot compare relatively sophisticated users of Linux and Unix with the mostly unsophisticated user base of Microsoft Windows users. Clearly putting the raw sockets capability out on tens of millions of Windows XP machines is a disaster waiting to happen. Your point that a relatively sophisticated user can add raw sockets capabilities to their Windows machines through a third-party program is irrelevant because the overwhelming majority (99 percent plus) of Windows users would never do so.

Those same 99 percent will not take the necessary steps to stop their machines from being used as slaves in D-O-S attacks. Clearly Gibson is correct in his assessment that tens of millions of new machines with IP spoofing capabilities is a major new threat to the Internet's stability.
Best Regards,
--Michael S. Fredenburg

You said:

"According to Gibson's paranoid delusions, everyone with a computer is a potential criminal, and the only reason the entire Net population hasn't yet exploded in some mass orgy of evil is because Microsoft has thus far refrained from unleashing the uncontrollable power of the raw socket."

I say:
Windows is a security hole, ready to vacuum any virus or trojan that comes its way. If you read his site correctly, his concern is with the rogue programs that infect a vast number of machines called "Zombies". These programs are hiding on thousands of machines, waiting for a command from their malicious creator. When the command is issued, they flood some poor soul's machine with bogus packets, blasting them off the net. It is these "Zombies" that Gibson is voicing concern about, not the individual computer users! Giving a large number of computers on the 'Net the ability to spoof packets will make it harder to trace these attacks.

You also say (About Gibson's new spoof test tool):
"It sounds like a tool with which one could generate raw packets, though probably in a controlled manner. But if that's the case, it would lay much of the ground work for an EZ malicious version leveraging the very threat Gibson is decrying."

I say:
What groundwork? Spoofing packets using the standard sockets API has been known about for a very long time. The only thing Gibson's tool will do is to make ISPs aware of their lack of filtering. It can only help.
--not signed

I read your article, and I do see Gibson and your points. I just really believe the sentence below, shows you don't seem to get what Gibson is saying.

>>All right, we'll allow that there'll be a few script kiddies who might prefer to use their Win-XP boxes for such purposes. But they can already do so simply by installing Linux and doing a bit of reading.

It's not the point if a script kiddie is going to install Linux and get the same spoofing ability that will be available when XP comes out. He is making the point that there will be so many machines out there that are running XP the script kiddie will have his pick and be able to install a zombie and be able to DoS and spoof using that XP machine. A script kiddie will not start doing DoS attacks from his machine, even if he has Linux, they are not that dumb. You also seem to think that a script kiddie is going to go through the hassle to install Linux and do a bit of reading. Script kiddies don't do that, they just go to a web site, download a program and click a button. They will not put in the effort. The amount of XP machines that are going out there on a broadband connection is going to make it so easy for a script kiddie to DoS and be harder to trace.

I do hope Mr. Gibson is wrong, but we will see. I know one thing. He is not going to win against Microsoft, they will not remove the feature and give in to Gibson. Mr. Gates has too high of an ego.

Enjoyed your article.
--Robert Spinelli

Mr. Greene -

I would be among the first to opine that Steve Gibson's writing style is often way off-the-wall. And I would also be among the first to applaud Microsoft for finally implementing some feature according to commonly-accepted standards of any controlling body other than their own. Also, this being the land of freedom, I would stand behind Microsoft's right to implement this standard as a principle of free and open business. (Again, somewhat of an irony!)

I must point out, however, that there is a great deal of value behind what Gibson wrote. Having the full, standard raw-socket capability available in Windows XP will potentially result in its abuse by many more s'kiddies as well as true crackers, simply because there are so many more Windows systems in the world. And I would maintain that Gibson's assertion (http://grc.com/dos/winxp.htm#egress) that responsible filtering behavior by ISPs and domain owners is a major, essential part of the solution to preventing a significant problem. It is simply irresponsible behavior to allow messages to go out of one's domain with a source address that clearly misidentifies the sender! There can be only one reason for such a message, and those who ignore the spoofing are, and should be, equally liable for any damages caused by it.

Although you focussed on taking Gibson to task for his semi-lunatic writing style, you did not provide any ideas or evidence to refute his underlying assertion. Do you have, or have you heard of, a better solution? I'm sure many serious Internet designers and users would love to hear one, because this is a real danger threatening the Internet. If any minimally-talented person - be s/he 13- or 43- or 83-years-old - can shut down the ability of serious, responsible people to use the Internet on no less than a whim or a perception of insult, then the conclusion must be obvious. The Internet will be unusable.
Thank you.
--Tim Crichton


Is it worth mentioning (briefly at least) egress filtering that ISPs should, but largely don't, perform? That's the "ideal world" right answer to spoofed source IP addresses.

Any sensible ISP should be using standard configuration templates for their customer premises routers, and part of that standard template should be egress filtering. If they've got a sensible database-driven-automatic-router-building widget (I'm sure there's a good name for that), then it's as easy as falling off a log.

And if you did mention this in a previous article and I've just forgotten about it, then, er, I'll get me coat.
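As an added example (not code from any of the letters, from The Register or from GRC), here is the source-address check that Erik Brenn's first filter and the unsigned letter just above both describe, done as a small Python model of a customer-edge router: each access port knows the prefixes assigned to it, so a packet leaving that port with a source address outside them is spoofed and is dropped before it reaches the backbone. Port names, prefixes and packets are constructed.

```python
"""Egress (source-address) filtering at an ISP customer edge.

Added illustration, not the letters' or The Register's code. The router
keeps, per access port, the prefixes it handed to that customer; any
packet leaving the port with a source outside those prefixes cannot be
the customer's own address and is dropped. Also drops sources that can
never legitimately appear on a customer port (loopback, private ranges,
multicast). All ports, prefixes and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Source ranges that should never leave a customer port (constructed list
# of the usual reserved/private blocks, not an exhaustive bogon feed).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class Packet:
    port: str   # access port the packet arrived on (constructed name)
    src: str    # claimed source address
    dst: str    # destination address


class EgressFilter:
    def __init__(self, port_prefixes):
        # port name -> list of networks assigned to the customer on that port
        self.port_prefixes = {
            port: [ipaddress.ip_network(n) for n in nets]
            for port, nets in port_prefixes.items()
        }

    def verdict(self, pkt):
        """Return 'accept' or a 'drop:<reason>' string for one packet."""
        if pkt.port not in self.port_prefixes:
            return "drop:unknown-port"
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in BOGON_SOURCES):
            return "drop:bogon-source"
        if not any(src in net for net in self.port_prefixes[pkt.port]):
            # Source is not one of this customer's addresses: spoofed.
            return "drop:spoofed-source"
        # Caveat noted in the letters: a source forged to another address
        # inside the same assigned prefix still passes; this check narrows
        # spoofing to the customer's own block, it does not eliminate it.
        return "accept"

    def apply(self, packets):
        """Split a batch into accepted packets and (packet, reason) drops."""
        accepted, dropped = [], []
        for pkt in packets:
            v = self.verdict(pkt)
            if v == "accept":
                accepted.append(pkt)
            else:
                dropped.append((pkt, v))
        return accepted, dropped


if __name__ == "__main__":
    f = EgressFilter({"port1": ["203.0.113.0/24"], "port2": ["198.51.100.0/25"]})
    batch = [
        Packet("port1", "203.0.113.7", "192.0.2.1"),     # customer's own address
        Packet("port1", "198.51.100.9", "192.0.2.1"),    # another customer's address
        Packet("port1", "10.1.2.3", "192.0.2.1"),        # private range as source
    ]
    for pkt in batch:
        print(pkt.port, pkt.src, "->", f.verdict(pkt))
```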

I've been following this episode with much amusement... I'm not really sure why Gibson has got your goat, but you obviously don't think much of him - maybe it's because he has a wide audience of techies. (that he can brainwash - LOL)

I use and support NT and have a vested interest in security (being an admin). Perhaps Steve has managed to manipulate my brain waves and make me believe there is a real threat from XP greater than 98/NT.

Whatever... malicious computer use won't go away and that is a real issue, hopefully your review will prove true, and Steve's prediction won't. If a hole is shored as a result of Steve's 'madness' then good.

Oh and by the way, are you employed by MS :) or the Register?
--Jason Clarke

Just to follow up on your article:

> As I pointed out in the previous article, malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge. Raw socket functionality does not in itself make a machine more or less vulnerable to such infection.

You are talking two different things here. Yes a windows machine can be infected already and that has nothing to do with raw sockets.

The attack that Gibson suffered from wasn't raw socket based, but he does bring up the question of what of raw socket attacks. Prevention is better than cure, try and reduce the main cause of problems, the cause being the continual lack of adequate security in Windows products.

> So if packeting without spoofing is already brutally effective, why does he insist that the inability to filter XP-forwarded packets will lead to an Internet melt-down?

Actually he did put in place at his ISP filters to collect information so that further analysis could be done. As soon as blocking was introduced it stopped. Filtering known bad clients is OK, firewalls can deal with that. Advanced firewalls could do rate limiting to share the bandwidth evenly. But with raw sockets that just doesn't work anymore; the source IP can change each time, how can a firewall deal with that? An ISP could implement source IP filtering but that still allows whole subnets.

It's the same sort of thinking with the whole love-bug thing, too many people/admins insist on using virus scanner type software on MTAs. It's not the job of the MTA to look through an email; it can, however, implement policies to limit messages from the same person (like spammers or people suffering from the Outlook bugs).

MS's response to his claims is correct: the facility of raw sockets isn't the problem, preventing unauthorised access to the client's machine is. However Windows does not prevent the thing from happening in the first place, and given the fact that raw sockets are of limited use it would seem to be a simple tradeoff.

The fact that many sites don't implement sufficient routers/firewalling means that attacks like what Gibson suffered will become more common. Even theregister cannot be accessed by ECN enabled equipment as one of their routers/firewalls does not follow the IPv4 rules. I would not dismiss Mr Gibson as a loony who talks bollocks without knowing the facts; you have only looked at this from a very high level.

Personally I don't think it will be that much of a problem, namely because XP like w2k won't sell, people are getting fed up of shoddy, expensive products that have a 2 year life span.

Hi Thomas,

I certainly agree the man tends to be a bit overenthusiastic in making his point, and maybe he is indeed a bit loopy :) Still, I do think he has a point.

>As I pointed out in the previous article, malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge. Raw socket functionality does not in itself make a machine more or less vulnerable to such infection.

True, that's not what Gibson is saying either. This problem already exists, and the low security in many end user Windows boxes is what makes this a large potential group of DoS zombies.

>Furthermore, malicious operators can already do heaps of packet damage using Windows clients without spoofing. Gibson is right that spoofing makes packets nearly impossible to filter, but filtering isn't the answer to a severe packet attack, as anyone who's had to deal with one can attest.

Maybe you should have elaborated a bit on this, as this seems to be the crucial point you are making. Gibson's whole point seems to be that filtering isn't possible anymore when all packages coming in are from XP boxes that use the raw socket implementation to spoof the source. If filtering on packages isn't the solution, what is? You gave one alternative, but you also said it's very expensive. Doesn't that mean that in practice, filtering is one of the few defenses left for many websites / ISPs? I am no expert here at all, and I bet most people aren't, so if there are alternatives, it would help to elaborate on this I think. I thought that most sites filter to defend against DoS attacks.

>Gibson's attempts at filtering were rarely more than briefly effective and caused him and his ISP days of exasperation, according to his own account. So if packeting without spoofing is already brutally effective, why does he insist that the inability to filter XP-forwarded packets will lead to an Internet melt-down? Because he's loopy, that's why

Nah, that's too easy. The attack was brutally effective, and only because he was able to filter was he able to deal with it in a way and get his site back up. You also scorn that he is unable to defend himself against a mere script kiddie. That's his whole point! Most people probably couldn't defend themselves against a script kiddie either. Any kid with a bad attitude can get tools and start disabling professional websites. Granted, this is already the case. However, he was able to limit the threat greatly because he was able to filter. His point is: imagine what happens if we can't filter anymore either. That means no more defense for most websites. And an insecure XP spread among millions means millions of potential, hard to stop zombies that can't be filtered. Doesn't he have a point there? Even if he's loopy? :)
Kind regards,
--Christian Vogel
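The point Mark Hopkins and Christian Vogel both make, that Gibson's defence depended on being able to filter by originating address, is shown below with a small Python model added here (not code from the letters, The Register or GRC): the same per-source block rule is run over a constructed flood from a few fixed zombie addresses and over the same volume with a different forged source on every packet, alongside the per-ingress-link count that an upstream traceback falls back on. All addresses, link names, thresholds and traffic samples are constructed.

```python
"""Per-source filtering against fixed-source and spoofed floods.

Added illustration, not the letters' or The Register's code. Each packet
is modelled as (ingress_link, source, destination). The defence in the
letters, "block any source that exceeds a packet budget", is applied to
two constructed traffic mixes; a per-link tally shows what information
survives when the source addresses are worthless.
"""
from collections import Counter
import random

FLOOD_THRESHOLD = 50   # packets per window before a source is blocked (constructed)
TARGET = "192.0.2.10"  # the site under attack (constructed documentation address)


def sources_over_threshold(packets, threshold=FLOOD_THRESHOLD):
    """Per-source filter: block every source address above the budget."""
    counts = Counter(src for _link, src, _dst in packets)
    return {src for src, n in counts.items() if n > threshold}


def remaining_after_block(packets, blocked):
    """Packets that still reach the target once the block list is applied."""
    return sum(1 for _link, src, _dst in packets if src not in blocked)


def volume_by_link(packets):
    """Traceback view: how much traffic each ingress link carries, regardless of source."""
    return Counter(link for link, _src, _dst in packets)


def fixed_source_flood(n, zombies, link="upstream-A"):
    """Constructed flood from a handful of real (non-spoofed) zombie addresses."""
    rng = random.Random(1)
    return [(link, rng.choice(zombies), TARGET) for _ in range(n)]


def spoofed_flood(n, link="upstream-A"):
    """Constructed flood of the same size, each packet carrying a random source."""
    rng = random.Random(2)

    def random_source():
        first = rng.randrange(1, 224)
        return ".".join(str(x) for x in (first, rng.randrange(256),
                                         rng.randrange(256), rng.randrange(256)))

    return [(link, random_source(), TARGET) for _ in range(n)]


def background_traffic(n, link="upstream-B"):
    """Constructed legitimate visitors: forty clients, each well under the budget."""
    rng = random.Random(3)
    clients = [f"198.51.100.{i}" for i in range(1, 41)]
    return [(link, rng.choice(clients), TARGET) for _ in range(n)]


def evaluate(packets):
    """Apply the per-source filter and report what the defender is left with."""
    blocked = sources_over_threshold(packets)
    busiest_link, busiest_count = volume_by_link(packets).most_common(1)[0]
    return {
        "distinct_sources": len(set(src for _l, src, _d in packets)),
        "blocked_sources": len(blocked),
        "remaining": remaining_after_block(packets, blocked),
        "busiest_link": busiest_link,
        "busiest_link_packets": busiest_count,
    }


if __name__ == "__main__":
    zombies = ["203.0.113.5", "203.0.113.6", "203.0.113.7"]
    print("fixed-source flood:", evaluate(fixed_source_flood(900, zombies) + background_traffic(200)))
    print("spoofed flood:     ", evaluate(spoofed_flood(900) + background_traffic(200)))
```

With fixed sources the three zombies are blocked and only the 200 legitimate packets remain; with forged sources no address crosses the budget, all 1100 packets get through, and only the per-link count still points at where the flood enters.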


I read Steve's article and think he has a valid point. Perhaps he doesn't put it succinctly having been in the middle of a war, but it's valid nonetheless. As I see it, it unfolds as:

1) A widespread O/S and applications going to the great unwashed in an unsecured state instead of locked up like a drum (force users to understand what they're doing to be able to do it - but that would hurt

2) Malevolent script kiddies without a shred of personal integrity (who should be thrashed within an inch of their miserable, worthless decrepit lives) get the bonus of their 'bots from 1) being untraceable (unstoppable)

3) Any chance of making ISPs become accountable for their users disappears.

It seems that in the current scenario, it would eventually become possible to force ISPs to disconnect identified IPs involved in an ongoing DoS attack, eventually forcing lazy users the option of becoming blacklisted (no-one will let them connect) or minding their property properly; or maybe even the software writer being shamed into doing a better job (certainly doesn't seem to be any market pressure there to force them).

Handing spoofing to lazy (malicious little b*s like these can't be bothered doing the hard work themselves) and technically illiterate script kiddies on a golden platter on the most common (not popular) and insecure platform in the world is insane.

Sounds to me like "Well, he's stealing cars. Cops can't be bothered chasing him. Manufacturers make locks optional extras. People can't be bothered getting locks for their cars and the Courts just slap their wrists if they are caught so let's do something brilliantly intelligent and just remove the licence plates from cars. After all, there's no point trying, is there?"
--Jon Burmeister

I enjoyed your article on this subject in the Register, though I think you're being somewhat unkind. From the evidence of his site, he is a little loopy, but I don't really think he's mad!

After all, I thought his detailed analysis of the DOS attack he suffered was actually quite interesting and you have to be a bit loopy to go to all that effort!

I think everyone is dancing around the whole issue. Let me take a stab at it:

1) Raw sockets will allow you to spoof what address you are transmitting from.

2) Under the Windows OS most used by the masses, the spoofing ability is not native. (Or so I think -- could be wrong)

3) Statistically, most compromised boxes are Windows machines. (ASSuMEd)

4) If you have a bigger pipe than your DDOS target, then ONE machine, zombie or not, is all it takes.

This basically means that if you can zombify ONE machine at some corporate office that has a nice T-3 or better connection, you can spam anyone on the net if you can burn up more bandwidth than they can receive.

How do you stop such an attack? Well if the DDOS person is sloppy, you could attempt to filter out the single offending (non spoofing) address. This usually must take place at the incoming location or at the ISP tap.

If the DDOS person is using spoofed addresses, then the addresses are all over the place. You can't filter the address. The only way I know how is to physically get someone to look at their incoming traffic patterns and try to determine who is chewing the most bandwidth. Then call the people upstream and repeat the process until you get someone very close to the source of the system. Then someone will have to cut all outbound traffic until someone physically turns off the machine.

If you want proof, how long would it take you to contact by phone and get someone to help you at each gateway/router your attack stream is hitting you from?

A quick analogy. If you worked in a water works that had zones that were controlled by other people and such areas were off limits to everyone but that one individual, how long would it take for you to find a water leak that is 16 zones away on a Sunday morning? Because you don't know which zone it started in, you only know which zone it is dumping into your zone. So you must call the other zone to have them look for which zone the flow is coming into their zone and repeat the process until the sourcing zone is found. Not getting the water flow fixed is another problem.
--Kriss H.


I agree that SteveG is being a bit of an alarmist, but I think that he is accurate in saying that raw sockets in WinXP will indeed be a huge problem.

The simple matter of all new systems after WinXP is released coming bundled with the retarded "personal" or consumer version of WinXP will mean that there will indeed be more pinheads with "raw socketable" systems out there that are too stupid to put up any defenses on these systems or even recognise when their systems have been compromised.

Remember, in North America unlike the UK, there are many morons with broadband .......
--Tony Petrilli

Hi Thomas,

OK, let's try to sort this out. There are TWO points being made in Steve's ramblings.

1) How can we stop DOS attacks from Windows machines?
2) How will Windows XP make this more or less difficult?

Point 1. "but one can already do heaps of packeting from Windows machines with SubSeven, and even launch the attack in bulk from IRC."

Absolutely correct, but Steve’s point is that EVEN NOW this should not be the case. Windows machines can currently only generate large Ping (ICMP) and large UDP packets to tie up a remote server. These packets are however filterable because they are ILLEGAL.

It is up to ISPs to show some responsibility and filter these packets out AT SOURCE and not forward them onto the Internet, because their only possible purpose would be a DOS attack.

"Gibson's attempts at filtering were rarely more than briefly effective and caused him and his ISP days of exasperation, according to his own account. So if packeting without spoofing is already brutally effective, why does he insist that the inability to filter XP-forwarded packets will lead to an Internet melt-down?"

Firstly, his ISP had no experience in filtering these types of packets. Secondly, there's a hell of a lot more load when filtering packets on the router that's trying to forward valid packets on the last leg to your site, than if they'd been stopped on the other side of the world and you were never aware of them, and thirdly see below.

Point 2. The introduction of Windows XP provides the opportunity for a DIFFERENT TYPE of packet attack, a SYN flood.

When a remote IP Client connects to a server it first sends a SYN packet. The server sends back a SYN/ACK packet then waits for a final ACK from the Client to complete the handshake and establish the connection. IF however the SYN packet arrives at the server with a SPOOFED source IP address, the host will have a port locked out waiting for the final ACK that’s never going to come. THIS IS THE MOST DEVASTATING DOS attack…

Firstly, because there is NOTHING ILLEGAL about a SYN packet, it cannot be filtered. Secondly, it is a very lightweight method of performing a DOS attack: a SINGLE machine with a broadband connection could easily take on a large website and no amount of "load balancing and content distribution" is going to save it.
--not signed
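The letter above describes the three-way handshake and the half-open state a spoofed SYN leaves behind. The following is an added example, not code from the letter or from The Register, that tracks half-open handshakes over a constructed packet trace from the server's point of view. It shows the point the letter makes from the defender's side: when the backlog is filled by a single source, blocking that address works; when every half-open slot carries a different (spoofed) source address, per-source filtering is futile and the mitigation has to happen on the server (shorter SYN-RECEIVED timeouts, larger backlogs, SYN cookies). The packet tuple layout, the trace and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Added example: server-side view of TCP handshakes. Each packet is a
# constructed tuple (src_ip, src_port, dst_port, flags), where flags is
# "S" for the client's SYN and "A" for the client's final ACK. The server's
# own SYN/ACK is implied: every SYN it accepts occupies a backlog slot until
# the matching ACK arrives.


def half_open_connections(packets):
    """Return {dst_port: {(src_ip, src_port), ...}} of handshakes that are
    still waiting for the client's ACK once the whole trace is processed."""
    pending = defaultdict(set)
    for src_ip, src_port, dst_port, flags in packets:
        key = (src_ip, src_port)
        if flags == "S":
            pending[dst_port].add(key)       # SYN/ACK sent, slot now occupied
        elif flags == "A":
            pending[dst_port].discard(key)   # handshake complete, slot freed
    return pending


def assess(pending, dst_port, backlog_limit=64, filterable_sources=3):
    """Summarise the half-open backlog on one port and decide whether blocking
    individual source addresses is a viable defence.

    backlog_limit and filterable_sources are assumed thresholds: a real
    backlog size comes from the server's TCP stack configuration."""
    slots = pending.get(dst_port, set())
    sources = {ip for ip, _ in slots}
    return {
        "half_open": len(slots),
        "distinct_sources": len(sources),
        "backlog_exhausted": len(slots) >= backlog_limit,
        # A handful of addresses filling the backlog can be blocked upstream.
        # One distinct address per slot means the sources are almost certainly
        # spoofed, and no address filter will help.
        "source_filter_viable": len(sources) <= filterable_sources,
    }


def constructed_trace(spoofed):
    """Build a constructed trace (not captured traffic): five legitimate
    clients that complete the handshake on port 80, followed by 100 SYNs that
    never receive their ACK. With spoofed=False the flood comes from one
    address; with spoofed=True every SYN carries a different source."""
    pkts = []
    for i in range(5):
        client = f"192.0.2.{i + 1}"
        pkts.append((client, 40000 + i, 80, "S"))
        pkts.append((client, 40000 + i, 80, "A"))
    for i in range(100):
        if spoofed:
            # Deterministic stand-in for a random, forged source address
            src = f"{10 + i}.{(i * 7) % 256}.{(i * 13) % 256}.{(i * 17) % 256}"
        else:
            src = "203.0.113.7"
        pkts.append((src, 50000 + i, 80, "S"))
    return pkts


if __name__ == "__main__":
    for spoofed in (False, True):
        report = assess(half_open_connections(constructed_trace(spoofed)), 80)
        print("spoofed" if spoofed else "single source", report)
```

Run as a script, the single-source trace reports 100 half-open slots from one address (filterable), while the spoofed trace reports 100 slots from 100 addresses, which is exactly the case the letter says "cannot be filtered".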

Hi again!

I just read your most recent article concerning the windows raw packet issue again, and I thought I'd offer up a few points.

Let me start by saying I completely agree with your point that Windows XP will not increase the number of PCs on the net that are compromised.

>As I pointed out in the previous article, malicious kiddies can already take over Windows machines with Trojans like SubSeven and use them for heavy packeting without the owner's knowledge. Raw socket functionality does not in itself make a machine more or less vulnerable to such infection.

Totally agree with the above paragraph.

>Furthermore, malicious operators can already do heaps of packet damage using Windows clients without spoofing. Gibson is right that spoofing makes packets nearly impossible to filter, but filtering isn't the answer to a severe packet attack, as anyone who's had to deal with one can attest. The real solutions to packeting are capital intensive, like load balancing and content distribution. Unfortunately, they're quite expensive solutions, and few besides well-heeled commercial entities can afford to put them to use.

Gibson learned that much for himself the hard way; he finally had to cry uncle to a thirteen-year-old packeteer named "Wicked", even though the kid tormenting him wasn't using compromised boxes capable of sending spoofed packets. Nevertheless Gibson - a security expert - couldn't make it stop.

I have to take issue with this, having first-hand experience of being attacked in this manner. Load balancing does nothing to solve brute force floods. All you do is get into a "my pipe is bigger than your pipe" situation. So long as your attacker has more bandwidth than you do, then he will always win if you take this approach. Distributing the attack across multiple pipes gives you more bandwidth but nothing is solved.

The only thing along this line that can help you is rate limiting (ie. limiting the number of packets/connections per second to a given host). This can be accomplished through quality of service devices. It still doesn't solve the problem: if you have a sufficient diversity of hosts you are still in trouble.

Gibson didn't find filtering to be effective, because frankly, he was doing it wrong. If that's his fault or his ISP's I don't know. I've read his synopsis of the attacks and I would have done things differently.

>Let's say just for fun that there's a consistent number of infected Windows machines x on the Net. There's nothing in Gibson's reckoning which affects that number. There's nothing in Windows-XP that affects it, and nothing in raw sockets either. We still have x victims out there. We've seen from Gibson's account that dealing with a packet attack in the absence of spoofing is a ghastly pain. I allow that the spoofing potential of XP raw sockets will make it somewhat more of a pain, but a bit worse than horrible is nothing to shriek about.

Let me give you a real life example of why this is more of a problem than you think it is. At home I have a 10mb/s connection. Gibson has a 3mb/s connection. Therefore from my home computer I can generate more bandwidth than he can accept.

So, if I decide I don't like Mr. Gibson I can flood him with packets. If I'm just a script kiddie using a Windows box then all Gibson will have to do is filter 1 address and poof, my attack is gone. If I am able to generate random IPs, then I can keep Gibson down for as long as it takes for him to track me, hop by hop, back to my computer.

Can I do this right now anyway? Without the use of Windows, or using libpcap, yes I sure can. I can do it with any unix box.

But, let us consider that unix boxen, and well, everything other than Windows boxen, still make up the minority of the devices connected to the net. What Windows XP will do is deliver millions of new machines to the internet that can accomplish packet spoofing. This is not in dispute, it's a fact.

With all these new machines that, generally, are not patched regularly, have no administrators, and do not take much knowledge to use, it WILL become easier to perform these types of attacks. That's just a fact.

The only thing I see here to dispute is whether or not, just because it will be easier to do, more people will do it. I think they will.

>He shows contempt for Windows users, assuming they're all complete idiots (presumably with the circular argument that they must be morons because they're using Windows), and strongly implies that they can only hurt themselves with a fully-featured OS.

Well, let's assume for a minute that the number of idiots is constant. Since there are more Windows client machines on the internet than any other type of box, we must conclude that there are more idiots using Windows. It's just straight math =)
--not signed
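The letter above argues that per-host rate limiting is the only thing short of raw bandwidth that helps against a flood, and that it stops helping once the attack is spread across enough hosts. The following is an added example, not code from the letter or from The Register, that implements a per-source token-bucket limiter and runs it over two constructed traces: one flooder sending 1000 packets in a second, and the same 1000 packets spread across 200 sources each staying under the per-host limit. The rate, burst and trace parameters are assumptions chosen for the example.

```python
from collections import defaultdict


class TokenBucket:
    """Per-source token bucket: `rate` packets/second sustained, with at most
    `burst` packets allowed at once. Assumed parameters, not from any device."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit(packets, rate=10, burst=20):
    """packets: iterable of (timestamp_seconds, src_ip), in time order.
    Returns (passed, dropped) packet counts after per-source limiting."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    passed = dropped = 0
    for ts, src in packets:
        if buckets[src].allow(ts):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def single_source_flood(n=1000):
    """Constructed trace: n packets from one host spread over one second."""
    return [(i / n, "203.0.113.7") for i in range(n)]


def distributed_flood(n=1000, hosts=200):
    """Constructed trace: the same n packets spread evenly over `hosts`
    sources, so each source sends only n/hosts packets in the second."""
    return [(i / n, f"198.51.100.{i % hosts}") for i in range(n)]


if __name__ == "__main__":
    print("single source :", rate_limit(single_source_flood()))
    print("200 sources   :", rate_limit(distributed_flood()))
```

With a 10 packets/second rate and a burst of 20, the single flooder gets roughly 30 packets through and loses the other 970, whereas the 200-host trace passes every packet because no individual source ever exceeds its bucket. The aggregate hitting the victim's pipe is the same 1000 packets in both cases, which is the "sufficient diversity of hosts" problem the letter describes.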

Dear Mr. Greene,

First a little background on myself - I am a contract developer of various network and security applications. I also design hardware and write firmware for smaller embedded devices.

While Steve Gibson may be overreacting (time will tell) to the threat that raw socket support contained in Windows XP, he does have several valid concerns. I felt that he aired those concerns quite well. Given the recent attacks on his web site, it isn't very difficult to see why these matters weigh heavily with him.

It does seem to me that perhaps you missed the gist of his concerns. So I have taken the liberty of outlining what I consider to be the most important areas (of your articles and Steve Gibson's web site) and adding my own thoughts.

- While it is true that nothing that I'm aware of in Windows XP will increase the number of zombies (or other infected machines), the zombies will be much more useful. With raw socket support the offending program will be able to mask its origin, something that only Windows 2000 could do before. Previously it was fairly trivial to locate a zombie running on an infected Windows machine (except 2000), by just tracing the source IP back. Now that the source IP can be anything, it will be much more difficult.

- Infecting an average Windows machine is fairly trivial, as most people have ActiveX and Java enabled. It just isn't that fruitful, as the average machine is easily traced back and many operate over low speed connections. However, with the ability to both spoof the source IP and generate almost arbitrary packets, even a machine with a low speed connection will be able to do significant damage.

- There is absolutely no good reason to include raw socket support in Windows XP. While I do accept that some programmers may have use for it, this could be handled by a special version of TCP/IP on a development CD.

- The argument that Unix/Linux/... has had raw socket support for a while and nothing has happened is not very valid. Many incidents have occurred as a result of this. Fortunately, the infection of these machines must usually be done in person as they tend to have far fewer security holes. Also, many of the hacking utilities and zombies are Windows based, as are many of the programmers who write these "tools".

Steve Gibson has had a long and distinguished career as a top notch programmer and genuine good guy (which is probably why so many people have come to his defense). He is sometimes a little sensational (as is The Register), but his heart is in the right place. Only time will tell if he is correct and to what degree.
--Jeff Hill

I think the point is that spoofed packets will not be traceable. Right now Gibson can list all the IPs on his website that have attacked his site. I think he is inarticulately reasoning that if the packets are spoofed, the attackers will feel more secure and be bolder in their attacks. Guess we will just have to wait and see which is the correct conclusion.

--David Heier

In your article "Steve Gibson really is off his rocker", you said he finally gave up and had to cry uncle to Wicked. I believe that after his articles he was attacked not by Wicked again but by people attacking his webserver on port 80 so he couldn't block it without stopping his site. He never says that this is Wicked, but more likely it is actual hackers who didn't like what he did.


Thomas, (regarding Steve Gibson being off his rocker...) Steve Gibson has never said the low level sockets interface in Windows XP is going to result in more machines infected. Rather, it will make it nearly impossible to block or filter them, because those legions of Win9x machines now captured by trojans will become WinXP machines able to spoof their IP address.

Best Regards,

--Don Kenny

Windows XP's raw sockets implementation will encourage malcontents to allow their machines to be used for malicious purposes. A major deterrent to date has been the need to place 'zombies' on remote machines to prevent detection. With XP (or indeed, as you say, LINUX), malicious users are being invited to do whatever they will, undetected and undetectable.


--Paul Hanlon

I think Steve Gibson's point about the danger of XP's spoofing is that he could not have tracked his assailant if the addresses were spoofed. The machines attacking him were not spoofed, so he was able to track down zombies. This led to getting a copy of the trojan and, eventually, finding his assailant. If the addresses were spoofed, he might never have obtained a copy of the trojan and found his assailant. Spoofing may not make DoS attacks more damaging, but it may make it harder to find the source of the attack. I don't subscribe to the doomsday fear of XP proposed by Gibson, but he has a valid point. I do think he should turn his story into a Hardy Boys novel, though.

--Aaron Longson

Hi Thomas,

I agree that Gibson is making a bit too much of a fuss about incorporating into an OS what really should have been there in the first place, but you are wrong to dismiss his claims that the spoofing ability of XP will not seriously increase the overall effect of DDoS style attacks. I understand your point about it not increasing the number of attacks and agree with it.

The only way Gibson was able to put a semi-stop to the attack that crippled his link was by tracking the source IP the floods were coming from and blocking them at his ISP level. What is now possible from an XP machine is spoofing the source IP, so that even if the ISP was willing to help you in blocking an attack by tracking where the floods were coming from, the TCP header has been altered so that there is no trace of the true source address. ie there is no unique factor in the attack.

DoS programs have been able to alter destination address, dest. port, datagram size for ages all making it harder to selectively block unwanted traffic, now source port (from a Windows box) is not distinct either.

Hopefully 2 things will stop Steve's end-is-nigh predictions of coming true:

XP will actually be less hacker friendly than previous MS OSs; ISPs will do the responsible thing and put in place measures to not stop customers being able to spoof. Most edge routers/termination devices available for broadband have this functionality. This second point is crucial and possible. Any decent net-eng worth his salt should be ashamed if he hasn't got anti-spoofing configuration to stop his customers being naughty.

I have a picture running through my head of an ORBS style blacklist for ISP networks where telcos would basket any packets from certain ISPs if a third party said they didn't have anti-spoofing deployed.. hahah.

Phew, that was a bit of an effort.
--Simon King
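The letter above says the crucial measure is anti-spoofing configuration on the ISP's edge routers, so that a customer cannot source packets from addresses that were never assigned to them. The following is an added example, not code from the letter or from any router vendor, of the check such a configuration performs (the approach RFC 2827 / BCP 38 calls ingress filtering): a packet arriving on a customer port is forwarded only if its source address falls inside that customer's assigned prefixes, and unknown ports fail closed. The port names, prefix table and sample packets are all constructed for the example.

```python
import ipaddress

# Constructed assignment table (assumption for the example): the prefixes each
# customer-facing port is entitled to use as a source address. A real edge
# device derives this from address assignment or routing state.
CUSTOMER_PREFIXES = {
    "port-1": ["203.0.113.0/29"],
    "port-2": ["198.51.100.64/26", "2001:db8:1::/48"],
}

# Constructed sample packets (port, src, dst): two legitimate, two forged.
SAMPLE_PACKETS = [
    ("port-1", "203.0.113.5", "192.0.2.10"),      # inside port-1's prefix
    ("port-2", "198.51.100.70", "192.0.2.10"),    # inside port-2's prefix
    ("port-1", "10.0.0.1", "192.0.2.10"),         # never assigned to anyone
    ("port-2", "203.0.113.5", "192.0.2.10"),      # neighbour's prefix, forged
]


def build_filter(table):
    """Parse the prefix strings once into network objects for fast checks."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}


def ingress_allowed(filters, port, src):
    """Ingress filter check: a packet arriving on `port` may only carry a
    source address from that port's assigned prefixes. Ports without an
    entry fail closed rather than forwarding anything."""
    addr = ipaddress.ip_address(src)
    nets = filters.get(port)
    if nets is None:
        return False
    return any(addr.version == net.version and addr in net for net in nets)


def filter_trace(filters, packets):
    """Apply the check to a list of (port, src, dst) tuples.
    Returns (forwarded packets, log lines for dropped packets)."""
    forwarded, dropped = [], []
    for port, src, dst in packets:
        if ingress_allowed(filters, port, src):
            forwarded.append((port, src, dst))
        else:
            dropped.append(f"drop port={port} src={src} dst={dst} "
                           f"reason=source-not-in-assigned-prefix")
    return forwarded, dropped


if __name__ == "__main__":
    fwd, log = filter_trace(build_filter(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(log)}")
    for line in log:
        print(line)
```

The dropped-packet log is the detection side of the same measure: a customer port that keeps producing drops with foreign source addresses is a compromised or misbehaving machine the ISP can identify without anyone downstream having to trace the flood hop by hop.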

HI Thomas,

I read your articles and find them informative, thanks for the effort. I concede that Steve didn't need to use so much bold and colour in his statement, but I hardly think that is a worthwhile point to labour over. I also feel from your tone in the article that you aren't impressed with Steve at all, and think to put him in the Alarmist category, which I must disagree with you on.

Steve's point is that Windows XP will make the situation worse. You concede that much. This is the thing! Microsoft are making the situation worse rather than better. Not a good move. (Btw I don't have a problem with Microsoft beside thinking they could do more to improve security.)

You state: "Gibson is right that spoofing makes packets nearly impossible to filter, but filtering isn't the answer to a severe packet attack."
That's right, it isn't the answer, BUT it's all we've got at the moment for protection, for temporary protection, and you advocate taking this away.
Microsoft's answer, "it's not raw sockets that's the problem, it's the malicious code", harks of buck passing since it's their systems that are so open for compromise in the first place.
--Cameron Jiggins


I was interested to read your comments on Mr. Gibson's essay. I have read the entire article Mr. Gibson has up on his website, and I have read two of your commentaries.

I don't desire to 'flame' you, but I, for one, am disappointed in the way you appear to dismiss Mr. Gibson's assessment of the situation.

My opinion: you both have valid points, but you both are overly hyperbolic. No doubt you are right that the # of vulnerable boxes will not be altered by XP, but Gibson is also right that it is ridiculously easy to sabotage Windows boxes, because, yes, in fact, most Windows users *are* idiots, at least with respect to knowledge of implementing firewall software etc.

This is not an insult per se to Windows users, just the result of its massive user base, and the reality that 95% of users understand less than 10% of the system they are using. Most people *still* can't figure out even half the features of their VCR, after all. Most people don't care and don't want to know. Nor *should* they need to know.

In my opinion, Gibson is right to sound the alarm as radically as he does. Especially as MS continues down the road of less security for Windows, as in the now infamous design flaw where all defaults are set to maximum insecurity, etc.

I wish you would spend more time echoing the call for concern over this issue that Mr. Gibson is raising, instead of so rudely dismissing his skillful efforts at revealing the dangers out there.

The Bottom Line remains, as Mr. Gibson asserts, that any 13 year old can bring down most any website with impunity, and nothing is being done about it. It would seem this is a very very serious issue, and I think Mr. Gibson will be hailed in the future as a prescient voice in the wilderness.

I am sorry to say it, but the attitude of your commentary comes off as a reaction to another's genius. A few more paragraphs reinforcing Mr. Gibson's assessment of the reality of the problem would help everyone, whether or not you agree with his hyperbole.

anyway, thanks for keeping the issue alive!
take care
--not signed

Dear Thomas,

Steve may have been over reacting somewhat with his outlined tables and huge multi-coloured text, but there are some differences between what you're saying and what he was on about.

Your article says: "Raw socket functionality does not in itself make a machine more or less vulnerable to such infection" but what he was saying was this: Once a machine is infected, that compromised machine can be used to do more damage if it has raw socket functionality. So assuming that the same number of XP machines are infected as Win98 machines are, those XP machines can be put to more mischievous use.

His rationale for saying that is based on his experiences with the DOS attacks on his site. The first few were normal Win98-style attacks and after some sleepless nights he managed to block them all off. Then he was attacked again, this time with spoofed packets and there was nothing he could do to block it. Not being a network security expert, I don't know if he was right one way or the other but that's what he based his rant on - not on whether the XP boxes were more vulnerable than the Win98 ones, but on the fact that he thought that if they are vulnerable then they're more dangerous.

You've probably had plenty of emails about this stuff already but I felt like not working for 5 minutes so I sent one too ;-)
--Stephen Tjasink

I've read both your articles, and I think both of you are a little whacked...

Mr. Gibson is concerned about security - it is his job and passion (mine is UI development - to each his own). His concern comes from the fact that there are few good ways to stop an attack other than filtering. This needs to be done at the ISP level and few owners could do anything OTHER than block specific IP addresses. They (the ISPs) often do not have the technical knowledge and/or facilities to accomplish more. By being able to spoof the IP address you completely remove this defense. My first defense in an auto accident is my seat belt. I may have more (like an air bag), but that first device does a lot towards saving my life.

Your concern or point (not sure which) is that Mr. Gibson is over reacting - that this new version of XP will not pose any greater threat than other versions of Windows. In part you are correct - all the versions of Windows are pretty susceptible to viruses and being taken over.

Please consider the market. As of this date, most Windows users that have choice and are knowledgeable are running Windows 2000 because of its stability. This same group tends to run virus scanners and be careful about what they open. Certainly not perfect people, but better educated in computer use than the mass of people that buy a computer to do email, play games and let their kids use the computer with no supervision at all. Many (most?) do not have a virus scanner and they probably wouldn't upgrade to XP if it were free. The only way XP is going to be popular is with new computers because it comes "free" with the

I see no reason to upgrade to XP, nor do most people I know. I see the current slump in computers continuing and because of that slump, XP will be a failure. I would be interested in numbers for installed computers with ME and how many people upgraded (darn few I bet). Dell, Gateway and others can't even give their computers away - people are just not interested. Because of this lack of interest in XP, I agree Mr. Gibson is overreacting - but as a security expert he has to deal with potential threats and act accordingly. If he did not, he would be betraying his profession.
--David Stidolph

Hi Thomas,

I read your two articles ridiculing Steve Gibson's concerns regarding raw sockets support in Windows XP with much interest. All valid points, I am sure. Anyway, I have read both sides of the argument, and I suspect they both have some merit. Can I just point out one thing that Steve Gibson stresses, and which AFAIK none of his detractors has properly addressed: despite the rights or wrongs of his "rant", just what good *are* raw sockets to an end user like me? Not a techie or a software developer, but a user like me?

Is there something that Microsoft has planned for Windows XP that needs raw sockets to do its "thing"? Or is it just to make life easier for the software developer? If the former, then they should tell us. If the latter, well, no, think again - it should be taken out and a techie can just go and install winPcap and do their thing on their own machines and leave the rest of us alone.

I think the absence of this information from the anti-Gibson camp is a real disservice to this debate. If Microsoft is putting raw sockets in because it is needed for me and my other computer-users, well, fine - but they (or you?) should tell us what it is. If they are only putting it in because they can, and so they can say "me-too" to all those Linux boxes - well - that is faintly ludicrous and completely arrogant.
Any thoughts?

Just wondering if you had seen Steve's page at http://grc.com/dos/xpconference.htm where he takes a stab at you guys. A little name-calling now going back and forth? I think you struck a nerve with him! He may be overreacting, but he makes some well-reasoned arguments, you have to admit.

--David Parker

I can surely guess that the more articles both you and Gibson put out will speed the "development" of DOS attacks. Hackers will always be after the recognition, claiming rights, and the need to prove you wrong (or right as in Gibson's case).

One thing you didn't address in your Register article, and something I haven't seen explained elsewhere, is some sort of rationale as to why "raw sockets" support should be implemented at all in the OS.

Of what possible benefit is this feature? Why should a net-friendly OS permit its identifying IP address to be "spoofed" in the first place?

Although the Microsoft response to Gibson claims that his case is overdrawn, it makes no mention of why the OS should support this "feature", or what benefits it might offer. I can't think of any, but I'm not a security expert.

Perhaps you could do a follow-up on this aspect of the controversy.
--Gary German

Today, I received Steve Gibson's latest newsletter. In it, he points up a conversation he had with M$ techies. Included in this article, located at http://grc.com/dos/xpconference.htm , he states:

But, my protestations are falling on deaf ears at Microsoft. And thanks to many other loud and equally security-ignorant voices which are attempting to confuse the industry on this topic, Microsoft shows no intention of responding to this now very visible threat.

In his article, of course, "loud and equally security-ignorant voices" is a link, pointed to your article at http://www.theregister.co.uk/content/4/19925.html .

I would LOVE to see a pissing match here. :)
--Nick Walters

No flame Mr. Greene - just a note: since Steve Gibson does have an international reputation as a fellow who generally knows what he's talking about, and since few if any know of your reputation for other than ridicule (or did Microsoft's Execs ask you also to attend a private meeting?), why don't you write another article on your background, level of knowledge, publications, citations for work well done, etc. Then, perhaps, most of us could attend your rants with a different perspective.

--Cordially, Tom

Instead of slagging off someone who cares about and understands security, it may be worthwhile trying to understand him.

Your position seems to be that the Net cannot be attacked successfully for any length of time, for some unspecified reason.

Almost all computer users haven't got much of a clue about security, which doesn't make them idiots, but makes us right in being worried.

It is hard to understand your reluctance to face up to the reality of the security problems on the Internet. Do you believe that someone has already thought of all the security problems, and there is no need to improve and monitor the security aspects of the Internet?

I can only assume you don't like Steve's assertiveness, which in my opinion stems from a very good understanding of the technical issues. MS is not going to listen to a quiet "excuse me", so I believe Steven's tactics are OK.

BTW, just because this security problem is not the ONLY one, and perhaps won't lead to meltdown, it doesn't mean it is not worth doing something about.

Dear Thomas,

I also like to give my view on the matter of Steve Gibson's claims about WinXP's raw sockets.

First of all, some facts that we already know:
- A majority of the people on the Internet don't know a damn about security. They also don't care about them, even after you show them the danger right in front of their faces. (Believe me, I tried.)
- Many script kiddies out there don't actually know much about coding (or the technical details). They are, however, very resourceful. They know where to download other people's code and modify the variables to suit their needs. (Since they don't know the codes well, they can cause non-working programs after modifying them. This can be seen from many macro-viruses.)

- Most script kiddies own a Windows machine. Why? Because they can't be bothered learning Linux. And Linux is nowhere near as user-friendly and easy-to-use. It's also not as fun.

- Kids like to make friends with those who share common interests with them, those who are fun, or those with the same taste with them.
