Swimming with the Razorfishes

Sunday, August 15, 2004

It appears that Windows XP SP2 removes the ability to send data over SOCK_RAW type sockets. Previous versions of XP restricted access to accounts with Administrator privileges. Because almost all accounts on Windows systems end up getting admin privileges, most accounts were able to access raw sockets. This was something about which Steve Gibson went bonkers a while ago, and was then the target of much derision when the internet didn't grind to a halt with DoS attacks.

The irony of Microsoft's move to remove raw send support is that it makes the OS a less-capable platform for launching attacks, but also makes it a less-capable platform for defending against attacks. Tools that use raw sockets for scanning and detection (nmap, parts of WinPcap, certain firewalls) will be broken under SP2. Passive tools (sniffers, monitors) still have access to raw sockets; only tools that need to send data are broken. Most broken tools should be able to work around this removal.
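Working around the restriction starts with noticing it: a tool has to tell "raw sockets unavailable" apart from "raw socket opens, but sending is refused", which is the SP2 case described above, and fall back to passive capture in the second case. The probe below is an added example, not code from the original post; the WSAEACCES constant, the loopback target and the ICMP echo payload are assumptions.

```python
"""Probe whether this host lets a process open and *send* over a SOCK_RAW socket.

Constructed example: the two capabilities are checked separately because a raw
socket may open fine for passive capture yet refuse to transmit.
"""
import errno
import socket
import struct

# Winsock "permission denied" code (WSAEACCES); assumed value, used so the
# same probe reads the error on Windows and on POSIX systems.
WSAEACCES = 10013
_DENIED = (errno.EACCES, errno.EPERM, WSAEACCES)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def probe_raw_socket(target: str = "127.0.0.1") -> str:
    """Return 'denied' (cannot create a raw socket), 'open-only' (can capture
    but not transmit, the SP2 behaviour) or 'open-and-send'."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except OSError as exc:
        if exc.errno in _DENIED:
            return "denied"
        raise
    try:
        # Sending a single echo request to loopback is enough to trigger the refusal.
        sock.sendto(build_icmp_echo(0x1234, 1), (target, 0))
    except OSError as exc:
        if exc.errno in _DENIED:
            return "open-only"
        raise
    finally:
        sock.close()
    return "open-and-send"
```

A scanner would call `probe_raw_socket()` once at startup and switch to its capture-only mode on anything other than `open-and-send`.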

An interesting choice.
