
2001-07-04
The simple lesson of Linux: Do your job right, and nobody gets hurt.
It seems so right and so obvious that it's hardly worth a second thought: there are two kinds of people in the world, and if one group were like the other, everything would run like it was supposed to. That's not to say it would be easy: it can be tough to Do Your Job. It can be time- and energy-intensive; it can be politically difficult, and you might risk offending your colleagues. But if you Do Your Job, everyone will be better off in the long term.
Recently, Steve Gibson, president of Gibson Research Group,
He warned, however, that Windows XP's ability to use raw sockets -- totally arbitrary packets, in essence -- would allow attackers to send packets with spoofed source addresses and thus would eliminate his ability to track down denial-of-service attacks in the future. Microsoft disputed his claims.
Far be it from me to question Gibson's credentials as a security expert, but in this case Microsoft is (however abstractly) in the right. Raw sockets aren't the problem. In fact, they may be necessary for reasons that Gibson and I are unable to predict at present. Advanced clustering systems might rely on them to make packets appear from a virtual system, for example.
Linux and Unix already offer raw sockets. Only the root user has the ability to generate these packets, and if Windows XP does not similarly restrict the ability to use raw sockets, then Gibson can properly complain that Windows is not doing its job. But the feature itself simply brings Windows in line with what Linux and Unix have been doing for years.
Gibson charges that Windows XP's ability to use raw sockets is not comparable to the Unix equivalent, primarily because there are so many more Windows systems on the Internet to compromise and use as attack platforms. I disagree. There are enough Linux systems on the Internet to compromise and use as attack platforms right now: Steve Gibson may not be on the sharp end of the stick, but I'm seeing attacks using spoofed packets directed at systems on my network right now. In fact, on a daily basis I see packets whose source address is ostensibly 255.255.255.255, the global broadcast address for every system on the Internet. Obviously, these packets are spoofed, and just as obviously they originate from a Linux or Unix system.
Fortunately, my routers do their job: packets with bogus source addresses, when they can be identified as such, are dropped. Outbound packets with source addresses that do not belong to my network are obviously spoofed, and are dropped too. If everyone's routers did their job, spoofed denial-of-service attacks would not be a substantial problem on the Internet.
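The two router checks described above, modelled as a source-address decision function; this is an added example, not code from the original column. The local prefix, the abbreviated bogon list, the function names and the sample packets are all assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the site's own address space (a documentation prefix, RFC 5737).
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Abbreviated list of sources that are never valid on a packet from the Internet.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this network"
    "10.0.0.0/8",      # private (RFC 1918)
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "172.16.0.0/12",   # private (RFC 1918)
    "192.168.0.0/16",  # private (RFC 1918)
    "224.0.0.0/4",     # multicast is never a valid source
    "240.0.0.0/4",     # reserved; contains 255.255.255.255
)]

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def filter_packet(direction, src):
    """Return (verdict, reason) for a packet crossing the border router."""
    addr = ipaddress.ip_address(src)
    local = _in_any(addr, LOCAL_PREFIXES)
    if direction == "outbound":
        # Egress: only our own addresses may appear as a source on the way out.
        if local:
            return ("accept", "local source")
        return ("drop", "spoofed: source not ours")
    if direction == "inbound":
        # Ingress: our own addresses cannot legitimately arrive from outside.
        if local:
            return ("drop", "spoofed: our address from outside")
        if _in_any(addr, BOGON_SOURCES):
            return ("drop", "bogon source")
        # Cannot be identified as bogus, so it passes.
        return ("accept", "plausible source")
    raise ValueError(f"unknown direction: {direction!r}")

# Constructed sample traffic, not captured data. 198.51.100.7 and 192.0.2.99
# are documentation addresses standing in for real remote hosts.
SAMPLE = [("inbound", "255.255.255.255"), ("inbound", "198.51.100.7"),
          ("inbound", "203.0.113.10"), ("outbound", "203.0.113.10"),
          ("outbound", "192.0.2.99")]

def run_sample():
    return [filter_packet(d, s)[0] for d, s in SAMPLE]

if __name__ == "__main__":
    for d, s in SAMPLE:
        print(d, s, *filter_packet(d, s))
```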
As my experiences show, there are any number of systems on the Internet that are compromised, that do not run Windows, and can be used to launch denial-of-service attacks with spoofed IP addresses. Speaking statistically, most of those systems probably run Linux. Does this mean that Linux is an insecure operating system, one to be shunned along with Windows XP?
Absolutely not. Linux is as secure as any other operating system: if the administrator does his (or her) job, problems are unlikely; if the admin doesn't do his job, the consequences will be disastrous regardless of the underlying operating system. What are the admin's duties to keep a Linux system secure? Roughly, they're to turn off all unnecessary or unused services; to keep patches on the system very current; to read appropriate mailing lists for security updates; to read logs; and to otherwise monitor the system and look for anomalies. Administrators who keep a close watch on their systems rarely have security problems. Just Do Your Job.
The power of Linux to do dangerous or occasionally incorrect things -- when using root privileges, at least -- is also the power to adapt over time and the power to have the system act as I wish it to.
This is one reason that I use Linux: it gives me the ability to do my job, whatever that job is. And so long as I do my job, maintain the network, and properly maintain the system, nobody will suffer for it. No matter what operating system I run.