USS Clueless Stardate 20010703.2212

Stardate 20010703.2212 (On Screen): In this corner, wearing purple-prose shorts with Macintosh trim, Steve Gibson! Gibson! And in this corner, wearing a condescending smile, Rob Rosenberger! Rosenberger!

Is WinXP's raw-socket support (the part of its TCP/IP implementation that lets a program build its own IP headers) the greatest danger the net has ever known? Gibson says yes, Rosenberger says no. Actually, they're sort of both right. Rosenberger is correct when he says that a WinXP machine will be no easier or harder to infect than one running some other operating system, that any machine can become infected with a trojan, and that any machine can become part of a distributed denial of service (DDoS) attack. Gibson is correct when he says that such an attack launched using WinXP machines will be more dangerous. (Gibson is an old-time Mac user who has never fully trusted Microsoft. He glosses over the fact that Unix and Linux have had raw sockets for a long time, that Win2K already offers them to administrators, and that a DDoS launched from Linux zombies would be just as deadly.)

It doesn't actually take all that many zombie systems to seriously foul a site with a DDoS; a few hundred slaves are enough to take down a site running a couple of T1s, such as Gibson's own. But if the zombies are (for instance) Win98 systems, or Win2K systems where the trojan isn't running with administrator rights, then their real IP addresses are in the packets they contribute to the flood. That means it becomes possible to set up firewall rules to choke off the attack from each such machine, one source address at a time. (In practice the rules have to be installed upstream, at the ISP's router, since a flood that already saturates a pair of T1s has done its damage before it reaches a firewall sitting behind them.) It's slow and painful, but it can be done. A versatile attacker might have more than one string of zombie machines which could be used for a re-attack, and then it would be necessary to go through this exercise again. But it can be blocked, so a DDoS attack using zombie machines that can't spoof their source address will only be a temporary annoyance. And it's easier to set up a firewall rule than to acquire another zombie.

When the zombies are running WinXP, it won't be possible to stop a DDoS with firewall rules at the victim, or with any other kind of blocking tool I know of. It is true, as Rosenberger says, that the trojans won't ignore or refuse to use older systems. But they could (and probably will) be written so that if they happen to be on a WinXP machine they'll take advantage of the extra capability: a raw socket lets the program write the IP header itself, including the source address. What this means is that instead of their packets contributed to the flood always having an honest IP as a return address (which could be blocked in a firewall), every packet will carry a random source address. That means there won't be any way to explicitly block them in a firewall without shutting down the service they're trying to reach (e.g. port 80, http), which isn't practical. Therefore, instead of an attack making a server inaccessible for a few hours (until firewall rules could be updated), it would stay unreachable until the attacker relented. (The one place a spoofed packet can still be caught is at the zombie's own ISP, by the ingress filtering described in RFC 2827: a customer link is only allowed to emit packets whose source address belongs to that customer. That depends on the zombie's ISP having deployed it, which the victim cannot control.)
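The two preceding paragraphs make a claim that is easy to check with a small simulation: per-source deny rules drain a flood whose packets carry real addresses and do nothing against one whose packets carry random ones. The script below is an added example, not code from the original entry, and it goes one step beyond the text by also modelling the ingress filter (RFC 2827 / BCP 38) that an ISP can apply at the zombie's side. The floods are constructed data; the 203.0.113.0/24 customer prefix, the 20-packet blocking threshold and the iptables INPUT chain are assumptions made for the example.

```python
# Added example (not from the original post): why per-source firewall rules
# work against zombies that send their real address and fail against zombies
# that spoof one, and what the upstream countermeasure looks like.
import random
from collections import Counter
from ipaddress import ip_address, ip_network

TARGET_PORT = 80  # the victim's HTTP port, which cannot simply be closed


def honest_flood(n_zombies=300, per_zombie=50, seed=1):
    """Constructed flood from zombies (e.g. Win98) that cannot spoof:
    every packet carries its sender's real address."""
    rnd = random.Random(seed)
    zombies = [str(ip_address(rnd.getrandbits(32))) for _ in range(n_zombies)]
    return [(z, TARGET_PORT) for z in zombies for _ in range(per_zombie)]


def spoofed_flood(n_packets=15000, seed=1):
    """Constructed flood from raw-socket zombies: each packet carries a
    freshly randomised source address, so no two need agree."""
    rnd = random.Random(seed)
    return [(str(ip_address(rnd.getrandbits(32))), TARGET_PORT)
            for _ in range(n_packets)]


def build_blocklist(packets, threshold=20):
    """Victim-side rule generation: any source seen more than `threshold`
    times in the capture earns a deny rule (threshold is an assumption)."""
    counts = Counter(src for src, _ in packets)
    return {src for src, n in counts.items() if n > threshold}


def blocked_fraction(packets, blocklist):
    """Share of the flood the blocklist would have dropped."""
    if not packets:
        return 0.0
    return sum(1 for src, _ in packets if src in blocklist) / len(packets)


def iptables_rules(blocklist, limit=5):
    """Render the first few deny rules in iptables syntax (assumed Linux
    packet filter at the border; the INPUT chain is an assumption)."""
    return [f"iptables -A INPUT -s {src} -p tcp --dport {TARGET_PORT} -j DROP"
            for src in sorted(blocklist, key=ip_address)[:limit]]


def ingress_filter(packets, customer_prefix):
    """RFC 2827 (BCP 38) style check at the zombie's own ISP: a link that was
    assigned `customer_prefix` may only emit packets whose source lies inside
    it, so spoofed packets never leave the zombie's network."""
    net = ip_network(customer_prefix)
    return [p for p in packets if ip_address(p[0]) in net]


if __name__ == "__main__":
    for name, flood in (("real-source zombies", honest_flood()),
                        ("spoofing zombies", spoofed_flood())):
        rules = build_blocklist(flood)
        print(f"{name}: {len(flood)} packets, {len(rules)} deny rules, "
              f"{blocked_fraction(flood, rules):.0%} of flood blocked")
    for rule in iptables_rules(build_blocklist(honest_flood())):
        print(rule)
    # One spoofing zombie sitting on the assumed customer prefix 203.0.113.0/24:
    escaped = ingress_filter(spoofed_flood(), "203.0.113.0/24")
    print(f"spoofed packets passing an ingress filter: {len(escaped)}")
```

Run stand-alone, the real-source flood yields about three hundred deny rules that cover the whole flood, while the spoofed flood yields no rule at all because no source address repeats often enough to block; the ingress filter, by contrast, drops essentially every spoofed packet at the zombie's own uplink, which is why that control belongs at the source network rather than the victim.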

But the answer to this is not to demonize Microsoft for implementing in WinXP the raw sockets that every other full TCP/IP stack already has. The answer is to work harder on making the OS and its apps less susceptible to execution and installation of trojans. (For instance, HTML email needs to be rendered in a sandbox rather than with the full privileges of the mail client.)

Captured by MemoWeb from http://denbeste.nu/entries/00000204.shtml on 9/16/2004