The Raw Packet Panic
Jon Lasser, 2001-07-04

The simple lesson of Linux: Do your job right, and nobody gets hurt.

My friend Joe is fond of saying that everything in the world would work smoothly if everyone would just follow a single, simple rule: Do Your Job.

It seems so right and so obvious that it's hardly worth a second thought: there are two kinds of people in the world, and if one group were like the other, everything would run like it was supposed to. That's not to say it would be easy: it can be tough to Do Your Job. It can be time and energy intensive; it can be politically difficult, and you might risk offending your colleagues. But if you Do Your Job everyone will be better off in the long term.

Recently, Steve Gibson, president of Gibson Research Group, wrote about a denial-of-service attack that hit his network hard. Fortunately, the attackers used less-competent tools, and he wasn't confronted with spoofed IP addresses, 'smurf' attacks, or the like, and he was eventually able to stop the assault.

He warned, however, that Windows XP's ability to use raw sockets -- totally arbitrary packets, in essence -- would allow attackers to send packets with spoofed source addresses and thus would eliminate his ability to track down denial-of-service attacks in the future. Microsoft disputed his claims.

Far be it from me to question Gibson's credentials as a security expert, but in this case Microsoft is (however abstractly) in the right. Raw sockets aren't the problem. In fact, they may be necessary for reasons that Gibson and I are unable to predict at present. Advanced clustering systems might rely on them to make packets appear to come from a virtual system, for example.

Linux and Unix already offer raw sockets. Only the root user has the ability to generate these packets, and if Windows XP does not similarly restrict the ability to use raw sockets, then Gibson can properly complain that Windows is not doing its job. But the feature itself simply brings Windows in line with what Linux and Unix have been doing for years.

Packet Protector
Gibson charges that Windows XP's ability to use raw sockets is not comparable to the Unix equivalent, primarily because there are so many more Windows systems on the Internet to compromise and use as attack platforms. I disagree. There are enough Linux systems on the Internet to compromise and use as attack platforms right now: Steve Gibson may not be on the sharp end of the stick, but I'm seeing attacks using spoofed packets directed at systems on my network right now. In fact, on a daily basis I see packets whose source address is ostensibly 255.255.255.255, the global broadcast address for every system on the Internet. Obviously, these packets are spoofed, and just as obviously they originate from a Linux or Unix system.

Fortunately, my routers do their job: packets with bogus source addresses, when they can be identified as such, are dropped. Outbound packets with source addresses that do not belong to my network are obviously spoofed, and are dropped too. If everyone's routers did their job, spoofed denial-of-service attacks would not be a substantial problem on the Internet.
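The two checks the column describes, dropping inbound packets with impossible source addresses and dropping outbound packets whose source is not ours, written out as a filter decision over constructed sample traffic. This is an added example, not code from the column; the prefix 203.0.113.0/24, the interface names eth0 (outside) and eth1 (inside), and the packets are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Source addresses that cannot legitimately arrive from the public Internet
# (martians / bogons). 255.255.255.255, the broadcast address the column sees
# daily, falls inside 240.0.0.0/4.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on (assumed names)
    src: str
    dst: str

def filter_packet(pkt: Packet, local_prefix: str, inside_if: str, outside_if: str) -> tuple[str, str]:
    """Return ("accept"|"drop", reason). Ingress from the Internet: drop bogon
    sources and anything claiming our own prefix. Egress: drop sources not ours."""
    local = ipaddress.ip_network(local_prefix)
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress_if == outside_if:
        for net in BOGON_SOURCES:
            if src in net:
                return "drop", f"ingress: bogon source {src} in {net}"
        if src in local:
            return "drop", f"ingress: source {src} claims our own prefix {local}"
        return "accept", "ingress: plausible source"
    if pkt.ingress_if == inside_if:
        if src not in local:
            return "drop", f"egress: source {src} not in {local}"
        return "accept", "egress: source is ours"
    return "drop", f"unknown interface {pkt.ingress_if}"

# Constructed traffic: one legitimate flow each way and three spoofed packets.
SAMPLE = [
    Packet("eth0", "198.51.100.7", "203.0.113.10"),      # normal inbound
    Packet("eth0", "255.255.255.255", "203.0.113.10"),   # the column's daily sighting
    Packet("eth0", "203.0.113.99", "203.0.113.10"),      # our own prefix, from outside
    Packet("eth1", "203.0.113.10", "198.51.100.7"),      # normal outbound
    Packet("eth1", "192.0.2.1", "198.51.100.7"),         # inside host spoofing a source
]

def run_filter(packets=SAMPLE):
    return [filter_packet(p, "203.0.113.0/24", "eth1", "eth0") for p in packets]

if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE, run_filter()):
        print(f"{verdict:6} {pkt.ingress_if} {pkt.src} -> {pkt.dst}: {why}")
```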

As my experiences show, there are any number of systems on the Internet that are compromised, that do not run Windows, and can be used to launch denial-of-service attacks with spoofed IP addresses. Speaking statistically, most of those systems probably run Linux. Does this mean that Linux is an insecure operating system, one to be shunned along with Windows XP?

Absolutely not. Linux is as secure as any other operating system: if the administrator does his (or her) job, problems are unlikely; if the admin doesn't do his job, the consequences will be disastrous regardless of the underlying operating system. What are the admin's duties to keep a Linux system secure? Roughly, they're to turn off all unnecessary or unused services; to keep patches on the system very current; to read appropriate mailing lists for security updates; to read logs; and to otherwise monitor the system and look for anomalies. Administrators who keep a close watch on their systems rarely have security problems. Just Do Your Job.

The power of Linux to do dangerous or occasionally incorrect things -- when using root privileges, at least -- is also the power to adapt over time and the power to have the system act as I wish it to.

This is one reason that I use Linux: it gives me the ability to do my job, whatever that job is. And so long as I do my job, maintain the network, and properly maintain the system, nobody will suffer for it. No matter what operating system I run.

SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.