Window Manager
Brian Livingston
Windows XP and DDoS

IF YOU THINK the Internet is wild now, security pro Steve Gibson says it's nothing compared to the problems that will ensue if Windows XP is released in its current form.

Gibson knows whereof he speaks. He's the president of Gibson Research Corporation (, developer of the disk utility SpinRite, and author of the free Windows security test known as Shields Up.

His latest discovery came after his Web site was totally knocked off the Internet for days at a time by a single hacker who claimed to be 13 years old. Gibson's efforts to recover from the hack attacks convinced him that the Internet sites of even the largest Fortune 500 companies are vulnerable to going dark in the same way. And, he says, the situation will become much, much worse if Windows XP is released the way it's presently designed.

Pulling the legs off the Internet spider

Gibson's Internet service provider, Verio, is connected to the Internet backbone using industrial-strength, 100Mbps fiber-optic lines. His Web site, in turn, is connected to Verio by two T1 trunk lines. These lines provide a total of about 3Mbps of throughput in each direction.

Last month, Gibson's site became completely unresponsive to visits from users. The cause, as Gibson explains in a lengthy analysis (see, was a teenaged hacker who had launched a massive DDoS (distributed denial of service) attack. After exchanging e-mail with the hacker, Gibson found that "he was like a child pulling the legs off a spider to see what it would do."

To orchestrate DDoS assaults, a hacker first installs "cable bots" on computers that have cable or other high-speed modems but that lack adequate firewalls against intrusion. These bots are then instructed to send massive amounts of data to a victim's site. Gibson found that bots running on just 474 Windows PCs worldwide were enough to completely overwhelm his two T1 lines.

After 17 hours of agony, the initial attack was defeated because the "zombie" Windows 9x PCs were only able to send IP packets using valid IP addresses. A Verio engineer was finally able to filter out such packets before they clogged GRC's T1 lines. The attacks later continued in various forms.

The danger, Gibson asserts, is that Windows XP will add the ability for any application to send packets bearing faked IP addresses. There's no perfect way for a Web site to defend itself against such a flood, because you can't distinguish the incoming hacker traffic from the ordinary customer traffic. Gibson is alarmed about XP's new capability, saying, "There's absolutely no valid reason for any machine on the Internet to be able to lie about its return address."
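The two defenses the column mentions sit at different places in the network, and the following added example (not from the column, Gibson, or Microsoft) makes the distinction concrete. The victim-side approach that worked against the Windows 9x zombies counts packets per source address and names the heavy hitters; it fails as soon as sources are forged, because every packet then looks like a different sender. The check that still works against forged addresses is ingress filtering at the ISP access edge (the BCP 38 idea): a packet leaving a customer network may only carry a source inside that network's assigned prefix. The IPv4 headers below are constructed in memory and never sent; the customer prefix and all addresses are RFC 5737 documentation ranges chosen here as assumptions.

```python
import ipaddress
import struct
from collections import Counter

# Constructed sample data: minimal 20-byte IPv4 headers (no checksum, no
# payload) so the filters have something to parse. Nothing here touches a socket.
def ipv4_header(src: str, dst: str, proto: int = 17) -> bytes:
    """Return a 20-byte IPv4 header carrying the given source/destination."""
    ver_ihl = (4 << 4) | 5          # version 4, header length 5 words
    return struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )

def parse_src_dst(pkt: bytes):
    """Read the source and destination addresses out of an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)

# Hypothetical prefix assigned to the cable customers behind one edge router.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")

def ingress_ok(pkt: bytes, customer_prefix=CUSTOMER_PREFIX) -> bool:
    """Edge-router check (BCP 38 style): accept a packet from the customer
    side only if its source address belongs to that customer prefix.
    A forged source from outside the prefix is dropped before it reaches
    the backbone, regardless of how the end host generated the packet."""
    src, _ = parse_src_dst(pkt)
    return src in customer_prefix and not src.is_multicast

def flood_sources(pkts, threshold: int):
    """Victim-side check: count packets per source address and return the
    sources at or above the threshold, which an upstream ACL could then
    block. This only identifies anything when sources are genuine."""
    counts = Counter(str(parse_src_dst(p)[0]) for p in pkts)
    return sorted(s for s, n in counts.items() if n >= threshold)

def compare_defenses():
    """Run both checks over two constructed floods against one victim."""
    victim = "192.0.2.10"
    # Flood 1: a handful of real hosts inside the customer prefix, each
    # sending many packets (the Windows 9x zombie case).
    honest = ([ipv4_header("203.0.113.5", victim)] * 50
              + [ipv4_header("203.0.113.9", victim)] * 40)
    # Flood 2: the same volume but every packet carries a different forged
    # source outside the customer prefix (the raw-socket case).
    spoofed = [ipv4_header(f"198.51.100.{i}", victim) for i in range(1, 91)]
    return {
        "honest_flagged_at_victim": flood_sources(honest, 30),
        "spoofed_flagged_at_victim": flood_sources(spoofed, 30),
        "honest_passed_edge": sum(ingress_ok(p) for p in honest),
        "spoofed_passed_edge": sum(ingress_ok(p) for p in spoofed),
    }

if __name__ == "__main__":
    for k, v in compare_defenses().items():
        print(f"{k}: {v}")
```

Run as a script, the output shows the asymmetry the column describes: the per-source counter names both genuine zombies and finds nothing in the forged flood, while the edge filter passes every genuine packet and drops every forged one. The edge filter has to run at the provider that owns the customer prefix, which is why the site under attack cannot apply it on its own.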

Microsoft's response

Steve Lipner, manager of Microsoft's Security Response Center, says Gibson is a smart guy, but "the key issue is the ability of a hostile person to get a [rogue] program on your system." Lipner says XP will be less, not more, vulnerable to hackers who want to plant Trojan horses on Windows PCs.

He confirmed that Windows XP will have a new capability called Raw Sockets, an old Internet spec that already exists in Windows 2000 and Unix machines. Raw Sockets can put out data packets with faked IP addresses. This was proved when Yahoo and other major sites were brought down by Unix zombies in highly publicized attacks in February 2000. But Unix servers usually have trained administrators, many of whom have taken steps to prevent a recurrence.

Most home users of Windows XP will have no security training, of course, so Lipner says two new features will make XP less vulnerable than any previous OS.

* Personal Firewall. When Windows XP is used to connect to the Internet the first time, a wizard will say, "Do you want to run the Personal Firewall?" The "Yes" button will be selected by default. Unless the user clicks "No," the firewall will guard against rogue programs sending out data.

* Software Restriction Policies. This is "a mechanism that allows you to control what code from what sources you'll allow to run on your machine," Lipner says. "We're still looking at what to do to implement that using Windows Updates." When I asked whether or not the restrictions would be off by default unless Windows Update defines stricter policies, Lipner replied, "I'm saying that that's an area we're looking at."

He added, "I've talked with folks here who've implemented IP spoofing in Windows 3.1," and XP won't make it worse.

Fixing the demon before it gets out of the box

Gibson strongly disagrees and feels Raw Sockets should be removed from XP, or at least restricted to use only by system-level drivers, not applications. "Lying about your return address is only useful for attacking," Gibson says. "Microsoft could alter the Raw Sockets spec to remove this ability."

Internet users have suffered huge financial losses from Microsoft's decision to allow e-mail messages to run as "trusted" code. This gave rise to fast-spreading viruses such as Melissa, I Love You, and many others. As a result, I don't believe Windows XP should be delivered to consumers unless all of its security restrictions are turned on by default and its ability to bring down Web sites using faked Internet addresses is removed. An Internet in which shutting down any Web site is child's play isn't an Internet we can rely on.

Copyright 2001 InfoWorld Media Group, Inc.