Microsoft tries to quell TCP/IP 'danger'

Written by Renai LeMay, Contributor
To fully implement TCP/IP in Windows XP would make denial of service attacks a walk in the park, Microsoft said.

The company was responding to claims by a well-known security expert known only as "Fyodor" that by repeatedly disabling the ability to send TCP/IP packets via "raw sockets", Microsoft was asking the security community to "pick their poison": either cripple their operating system or leave it open to hackers.

Raw sockets are a feature of the TCP/IP networking stack in most operating systems. Instead of handing the kernel a stream of data to wrap in TCP or UDP, a program using a raw socket supplies the packet headers itself, so it can set fields the normal socket interface never exposes, including the source address. Security professionals rely heavily on the feature to craft customised TCP/IP packets for scanning and fingerprinting and to analyse network traffic.

"Supporting packet sends from simple user-mode raw sockets makes it entirely too trivial for compromised systems under control of hackers to launch massive distributed denial of service attacks," Microsoft warned in a statement to ZDNet Australia.

"MS Blast did this by using raw sockets to launch a huge TCP SYN attack against Microsoft," it added.

TCP SYN packets sent with forged source addresses can be used to flood a target: each spoofed SYN leaves a half-open connection that ties up state until it times out, so legitimate clients are denied service, and because the target's replies go to the forged addresses the flood is hard to trace or filter. Forging the source address is exactly what a raw socket allows a user-mode program to do.

Admitting that a recent security patch had intentionally disabled a community-developed workaround for the restriction, which Microsoft first introduced in Windows XP Service Pack 2, the company said it had received little negative feedback on the issue.

In addition, the software giant said only a small number of programs were affected by the change: "The only applications that care deeply about the ability to send over raw sockets are enterprise security applications that use 'fingerprinting' techniques to characterise a host on the network based on its response to carefully crafted packets."
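To make the mechanism behind the dispute concrete, the following is an added example (not code from Microsoft, Nmap or Fyodor) of the kind of packet a fingerprinting tool builds: a single TCP SYN probe assembled byte by byte, including the IP header, for delivery through a raw socket opened with IP_HDRINCL. Because the caller writes the whole IP header, the source address field is simply another parameter, which is what makes both fingerprinting probes and untraceable SYN floods possible from user mode. The addresses, ports, sequence number and TCP options are constructed illustrative values, not figures from the article; the send function is only reached with an explicit `--send` flag and needs administrator or root rights, and on the Windows desktop releases discussed above the send fails by design.

```python
"""Crafting a TCP SYN probe for an IPv4 raw socket (added example)."""
import socket
import struct
import sys


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header for a TCP payload, checksum filled in.

    Nothing stops the caller passing any value as src: with IP_HDRINCL the
    kernel forwards the header as written.
    """
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0x1234, 0,
                      ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int,
                  options: bytes = b"") -> bytes:
    """TCP segment with only SYN set, checksummed over the IPv4 pseudo-header."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad to 32-bit boundary
    data_offset = 5 + len(options) // 4
    flags = 0x02  # SYN
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset << 4, flags, 65535, 0, 0) + options
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    csum = internet_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def craft_syn_probe(src: str, dst: str, sport: int, dport: int,
                    seq: int = 0, options: bytes = b"") -> bytes:
    """Complete IPv4+TCP SYN packet ready for a raw socket."""
    tcp = build_tcp_syn(src, dst, sport, dport, seq, options)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def checksums_valid(packet: bytes) -> bool:
    """True if both the IPv4 and TCP checksums of a crafted packet verify."""
    ihl = (packet[0] & 0x0F) * 4
    if internet_checksum(packet[:ihl]) != 0:
        return False
    seg = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20],
                         0, socket.IPPROTO_TCP, len(seg))
    return internet_checksum(pseudo + seg) == 0


def send_probe(packet: bytes, dst: str) -> None:
    """Hand the finished packet to the kernel unchanged (privileged operation).

    This is the call Windows XP SP2 refuses for TCP on desktop editions.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    try:
        s.sendto(packet, (dst, 0))
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges); nothing is sent
    # unless --send is given. Options: MSS=1460 and SACK-permitted, as a
    # fingerprinting probe might choose them.
    probe_opts = bytes([2, 4, 0x05, 0xB4, 4, 2])
    pkt = craft_syn_probe("192.0.2.10", "198.51.100.20", 40000, 80,
                          seq=1, options=probe_opts)
    print(len(pkt), checksums_valid(pkt), pkt.hex())
    if "--send" in sys.argv:
        send_probe(pkt, "198.51.100.20")
```

Run without arguments it only prints the packet; every byte the kernel would emit is visible, including the source address the program chose rather than the one the host actually owns.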

Consequently, the company has restricted access to raw sockets in desktop versions of its software, but not on servers.

Microsoft also encouraged desktop users to use approaches that didn't rely on access to raw sockets, and said that it garnered support for its changes from "all the commercial makers of such applications".

Fyodor, who is also the author of Nmap, a non-commercial network scanning tool that uses raw sockets extensively, previously said he didn't believe Microsoft's reasons for the changes were genuine.

In an e-mail to his 23,000-strong mailing list, he said Windows was the only operating system with the raw sockets restriction.

"Microsoft claims the change is necessary for security," Fyodor said. "This is funny since all of the other platforms Nmap supports (eg Mac OS X, Linux, the BSD variants) offer raw sockets and yet they haven't become the wasp nest of spambots, worms and spyware that infest so many Windows boxes."

The company is expecting further debate on the issue, it said, even going to the extent of forecasting typical counter-arguments to the TCP/IP changes. One example cited was "worms/viruses can just install a kernel-mode driver that would still allow denial-of-service attacks to be carried out."

It also pointed out that "writing and installing kernel-mode code is vastly more complicated" than using an existing raw socket feature, and that if malware did make it into the kernel of a Windows machine, the user would have more serious concerns than just SYN attacks launched from their machines.
