Raw Sockets, CS-480, Dick Steflik
Raw Sockets
• Raw Sockets let you program at the network (IP) layer, one level above the link layer
• Ordinary sockets let you adjust a few IP-level fields through the IP socket options (IP_TTL, IP_TOS), but they give you no way to send or receive ICMP
• Raw Sockets expose ICMP (and any other IP protocol number)
• you get a raw packet buffer and populate the entire packet yourself: the ICMP (or other) header and payload, and with IP_HDRINCL the IP header as well
• for higher-level protocols like TCP and UDP you lose all of the functionality implemented in those layers (connections, retransmission, ports, checksums)
  – choosing to use a Raw Socket must be weighed carefully
• Raw Sockets can be dangerous: a program that writes its own IP header can forge the source address and build arbitrary packets
• Raw Sockets can be against the law; see http://www.kumite.com/rsnbrgr/rob/grcspoof/cnn/
Limitations
• Loss of reliability: no acknowledgements, retransmission or ordering unless you implement them
• No ports: every raw socket open for a protocol receives a copy of every incoming packet of that protocol, so your application must demultiplex by inspecting the packets itself
• Non-standard communications: the peer must understand your hand-built protocol
• No automatic ICMP: errors such as Destination Unreachable arrive as raw ICMP packets that you must parse and match to your own traffic
• No raw TCP or UDP in practice: the kernel will not build, checksum or track segments for you (and some platforms refuse to send TCP over a raw socket at all)
• Must have root (or administrator) privilege (on Linux, the CAP_NET_RAW capability)
When to use
• When you need to control the IP header
  – applications like Ping and Traceroute (traceroute sends probes with an increasing TTL and reads the ICMP Time Exceeded replies from each hop)
  – not all fields can be set using the IP socket options: IP_TTL and IP_TOS cover the TTL and TOS bytes, but the identification, fragment flags and a non-local source address need IP_HDRINCL
  – Network Address Translation
  – Firewalls
• When your application requires optimum network speed
  – one level above the Link Layer
  – if you need reliability, you must build it into your application
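What these two slides describe, an ICMP echo request built entirely by the application with the IP header under its control as ping and traceroute need, as an added worked example in C. This is not code from the course; the Linux behaviour noted in the comments, the constructed "CS480" payload and the function names are this example's own assumptions.

```c
/* Added example, not from the slides: an ICMP Echo Request sent from a raw
 * socket with a hand-written IPv4 header (IP_HDRINCL). Linux/POSIX; opening
 * the socket needs root or CAP_NET_RAW, the packet builders do not. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC 1071 Internet checksum. Words are summed as they sit in memory, so the
 * result is already in wire order: store it with memcpy (not htons), and the
 * checksum over the completed header then evaluates to 0. */
uint16_t in_cksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    uint16_t w;
    for (; len > 1; len -= 2, p += 2) {
        memcpy(&w, p, 2);
        sum += w;
    }
    if (len == 1) {                       /* odd trailing byte, zero padded */
        w = 0;
        memcpy(&w, p, 1);
        sum += w;
    }
    while (sum >> 16)                     /* end-around carry */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* A raw socket does no ICMP for you: type, code, id, sequence and checksum are
 * all written here. Returns bytes written, or 0 if buf is too small. */
size_t build_icmp_echo(uint8_t *buf, size_t cap, uint16_t id, uint16_t seq,
                       const uint8_t *payload, size_t plen)
{
    size_t len = 8 + plen;
    uint16_t nid = htons(id), nseq = htons(seq), ck;
    if (cap < len)
        return 0;
    buf[0] = 8; buf[1] = 0;               /* type: echo request, code 0 */
    buf[2] = buf[3] = 0;                  /* checksum field zero while summing */
    memcpy(buf + 4, &nid, 2);
    memcpy(buf + 6, &nseq, 2);
    memcpy(buf + 8, payload, plen);
    ck = in_cksum(buf, len);
    memcpy(buf + 2, &ck, 2);
    return len;
}

/* Minimal 20-byte IPv4 header for IP_HDRINCL (src/dst in network order): the
 * header ordinary sockets never let you write (TTL, which traceroute varies,
 * identification, flags, source address). Linux fills total length, id and
 * checksum itself and substitutes the interface address for a zero source;
 * BSD-derived stacks may want ip_len/ip_off in host order: see raw(7)/ip(4). */
size_t build_ipv4_header(uint8_t *buf, size_t cap, uint32_t src, uint32_t dst,
                         uint8_t ttl, uint8_t proto, size_t payload_len)
{
    uint16_t tot, ck;
    if (cap < 20 || payload_len > 0xffff - 20)
        return 0;
    tot = htons((uint16_t)(20 + payload_len));
    memset(buf, 0, 20);
    buf[0] = 0x45;                        /* version 4, IHL 5 words */
    memcpy(buf + 2, &tot, 2);
    buf[8] = ttl;
    buf[9] = proto;
    memcpy(buf + 12, &src, 4);
    memcpy(buf + 16, &dst, 4);
    ck = in_cksum(buf, 20);
    memcpy(buf + 10, &ck, 2);
    return 20;
}

int main(int argc, char **argv)
{
    struct sockaddr_in dst = { .sin_family = AF_INET };
    uint8_t pkt[128];
    int s, one = 1;
    size_t n;
    if (argc != 2 || inet_pton(AF_INET, argv[1], &dst.sin_addr) != 1) {
        fprintf(stderr, "usage: %s <ipv4-address>\n", argv[0]);
        return 1;
    }
    /* Constructed 5-byte payload; source 0 lets the kernel fill in its address. */
    n = build_icmp_echo(pkt + 20, sizeof pkt - 20, (uint16_t)getpid(), 1,
                        (const uint8_t *)"CS480", 5);
    n += build_ipv4_header(pkt, 20, 0, dst.sin_addr.s_addr, 64, IPPROTO_ICMP, n);
    if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0 ||   /* privileged step */
        setsockopt(s, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0 ||
        sendto(s, pkt, n, 0, (struct sockaddr *)&dst, sizeof dst) < 0)
        perror("raw socket send");
    if (s >= 0)
        close(s);
    return 0;
}
```

Build with `cc -o rawping rawping.c` and run as root, e.g. `sudo ./rawping 127.0.0.1`; `tcpdump -ni lo icmp` shows the request and the kernel's reply. Everything the slide lists as lost is visible here: the checksum, identifier and sequence are computed by hand, and a reply (or an ICMP error) is only seen by calling recvfrom on the same raw socket and matching the identifier yourself. Sending the same probe with TTL 1, 2, 3, ... and reading the Time Exceeded messages that come back is the whole of traceroute.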
Windows and Raw Sockets
• Winsock 2.0 - November 2001
  – raw sockets for NT and Windows 2000
  – must run as administrator
• Windows XP
  – Professional: raw socket functionality restricted to administrator users
    – the same level of access as UNIX / Linux, but the first user created has administrator rights; on a home machine most users would be running as administrator all of the time, leaving the machine open to being hijacked
  – Home: will eventually become the predominant OS, and is not supposed to have raw sockets
  – Internet Connection Firewall (ICF): an attempt to fix the problem, but it only blocks incoming traffic; all outgoing traffic is permitted
    – a hacker can install a trojan horse that installs a zombie that just sits and waits to become part of a DDoS attack on someone
  – later, Windows XP SP2 restricted raw sockets: TCP data cannot be sent over them, and UDP datagrams with a forged source address are dropped
Windows and Raw Sockets
• Winsock 2.0 allows Windows programmers to build advanced applications
  – Firewalls: Network Address Translation, Packet Filtering, SYN Flood protection
  – Security: IPSec support, VPN Clients
  – Network Administration: Packet Sniffers/Analyzers, Pathway Analyzers (ping and traceroute)
Possible Motives
• With a possible expansion of DDoS attacks
  – could make TCP/IP look unstable and undesirable
  – MS could be waiting in the wings with a replacement technology to replace TCP/IP (Robert X. Cringely, author)
    – proprietary (TCP/MS): bad for us, good for MS
Countering Raw Sockets Attacks
• Egress Filtering: verifying that every packet leaving a network carries a source address that actually belongs to that network
  – applied at network edges/borders (the practice standardized as BCP 38 / RFC 2827)
• Locking Down Raw Sockets
  – Raw Sockets Disabler and Socket Lock have been demonstrated to disable raw socket usage on host machines where they are installed
• IPv6
  – often cited as the fix, but IPv6 is no less susceptible to source-address spoofing than IPv4: nothing in IPv6 itself authenticates the source address, and a forged IPv6 source is written from a raw socket exactly as an IPv4 one is. The expectation rests on IPsec, which IPv6 made mandatory to implement but not to use, so egress filtering remains the practical countermeasure for both versions