Microsoft Cripples XP for Security
Thomas Ptacek | April 28th, 2005 | Filed Under: Uncategorized
On Slashdot, citing a story on ZDNet, there's an uproar about Microsoft “crippling” WinXP (disabling raw packet generation) to “stop DDoS attacks”.
Unlike, uh, everyone I can see talking about this, I don’t think Microsoft’s approach is entirely idiotic.
On the one hand, there’s no such thing as a “hard” or an “easy” attack when it comes to exploits and attack tools. Consider two use cases:
User double clicks installer, then selects menu item to launch attack tool coded to use raw sockets to generate a SYN flood.
User double clicks installer, then selects menu item to launch attack tool coded to install a raw packet driver to generate a SYN flood.
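To make concrete what “raw packet generation” means in the two use cases above, here is an added example that is not part of the original post: a userland builder for an IPv4 + TCP SYN with a caller-chosen (i.e. spoofable) source address, a verifier for both checksums, and a function that tries to hand the result to a raw socket and reports the outcome instead of crashing. The IP ID, TTL, ports and addresses are constructed sample values, and `try_raw_send` assumes only that an unprivileged or restricted platform reports the refusal as an `OSError`.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, src_port, dst_port, seq=0):
    """Return a 40-byte IPv4 header + TCP SYN header.

    src_ip is whatever the caller says it is: the kernel is bypassed,
    which is the capability a raw-socket SYN flooder relies on.
    """
    data_offset = 5 << 4          # 20-byte TCP header, no options
    flags = 0x02                  # SYN only
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                          data_offset, flags, 65535, 0, 0)
    # TCP checksum covers a pseudo-header of the IP addresses as well.
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0,
                         socket.IPPROTO_TCP, len(tcp_hdr))
    tcp_csum = checksum(pseudo + tcp_hdr)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]

    total_len = 20 + len(tcp_hdr)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,                 # version 4, IHL 5
                         0,                    # TOS
                         total_len,
                         0x1234,               # constructed sample IP ID
                         0,                    # flags/fragment offset
                         64,                   # TTL
                         socket.IPPROTO_TCP,
                         0,                    # checksum placeholder
                         socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip))
    ip_csum = checksum(ip_hdr)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_csum) + ip_hdr[12:]
    return ip_hdr + tcp_hdr


def verify(packet: bytes):
    """Recompute both checksums; a valid header sums to zero."""
    ip_hdr, tcp_hdr = packet[:20], packet[20:40]
    ip_ok = checksum(ip_hdr) == 0
    pseudo = struct.pack("!4s4sBBH", ip_hdr[12:16], ip_hdr[16:20], 0,
                         socket.IPPROTO_TCP, len(tcp_hdr))
    tcp_ok = checksum(pseudo + tcp_hdr) == 0
    return ip_ok, tcp_ok


def try_raw_send(packet: bytes, dst_ip: str) -> str:
    """Attempt to emit the packet through a raw socket.

    Returns a status string instead of raising so the caller can see
    where the platform stops it: socket creation (no privilege) or the
    send itself (the restriction XP's change adds for TCP over raw sockets).
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except OSError as e:
        return "raw socket unavailable: %s" % e
    try:
        s.sendto(packet, (dst_ip, 0))
        return "sent"
    except OSError as e:
        return "send refused: %s" % e
    finally:
        s.close()


if __name__ == "__main__":
    pkt = build_syn("10.0.0.1", "192.0.2.10", 40000, 80, seq=1)
    print(len(pkt), verify(pkt))
    print(try_raw_send(pkt, "192.0.2.10"))
```

Run as a non-root user the script stops at socket creation; as root on a Unix host it would actually emit the spoofed SYN, so point it at an address you control.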
On the other hand, this move isn’t really about preventing users from installing DDoS tools, it’s about preventing malware from creating DDoS zombies. When your programming environment is a string of hex characters that can’t include the number zero, and one of your major objectives is to minimize the amount of data that has to move between machines (to speed up propagation), having to install a kernel mod seems like a drag.
So:
The XP change does very little to change the lives of people who use raw packet tools to do their jobs (they’ll use tools built on kernel drivers, rather than raw sockets, which is what they should be doing anyway).
The XP change is a pain in the ass for people writing malicious code.
It seems like a minor win; maybe it’s not a win at all, and Ivan Arce or Dave Aitel will show how to generate exploits that trivially bypass this protection. But I don’t see much of a downside.