
Raw Sockets
CS-480b
Dick Steflik
Raw Sockets
• Raw Sockets let you program at just above the network (IP) layer
• You could program at the IP level using the IP API, but you can’t get at ICMP
• Raw Sockets expose ICMP
• you get a Raw Packet and populate the entire packet yourself
• for higher-level protocols like TCP and UDP you lose all of the functionality implemented in those layers
– choosing to use a Raw Socket must be weighed carefully
• Raw Sockets can be dangerous
• Raw Sockets can be against the law
• http://www.kumite.com/rsnbrgr/rob/grcspoof/cnn/
Limitations
• Loss of Reliability
• No ports
• Non Standard Communications
• No automatic ICMP
• No Raw TCP or UDP
• Must have root (or administrator) privilege
When to use
• When you need to control the IP header
• applications like Ping and Traceroute
• not all fields can be set using the IP APIs
• Network Address Translation
• Firewalls
• When your application requires optimum network speed
• one level above the Link Layer
• if you need reliability, you must build it into your application
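As an added example (not from the slides), this C code does the work the slides describe a raw-socket application taking on: it builds the ICMP echo request that ping sends, including the RFC 1071 checksum the transport layer would normally compute for you, and validates one on receipt. Sending it requires a SOCK_RAW socket and root privilege, so the send is left out; the identifier and payload are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define ICMP_ECHO_REQUEST 8
#define ICMP_HDR_LEN      8

/* RFC 1071 Internet checksum: one's-complement sum of 16-bit words read in
 * network byte order. A packet whose checksum field is already correct sums to 0. */
uint16_t inet_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len == 1)
        sum += (uint32_t)p[0] << 8;          /* odd trailing byte, zero padded */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);  /* fold carries back in */
    return (uint16_t)~sum;
}

/* Build an ICMP echo request (RFC 792): 8-byte header + payload, all fields in
 * network byte order. Returns total length, or 0 if buf is too small. Only the
 * ICMP part is built; on a SOCK_RAW/IPPROTO_ICMP socket the kernel adds the IP header. */
size_t build_echo_request(uint8_t *buf, size_t cap, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t plen) {
    size_t total = ICMP_HDR_LEN + plen;
    if (cap < total) return 0;
    buf[0] = ICMP_ECHO_REQUEST;             /* type */
    buf[1] = 0;                             /* code */
    buf[2] = buf[3] = 0;                    /* checksum is zero while computing */
    buf[4] = id >> 8;  buf[5] = id & 0xff;  /* identifier (ping uses its PID) */
    buf[6] = seq >> 8; buf[7] = seq & 0xff; /* sequence number */
    if (plen) memcpy(buf + ICMP_HDR_LEN, payload, plen);
    uint16_t csum = inet_checksum(buf, total);
    buf[2] = csum >> 8; buf[3] = csum & 0xff;
    return total;
}

/* Receiver-side validation: a genuine packet re-checksums to zero. */
int icmp_checksum_ok(const uint8_t *pkt, size_t len) {
    return len >= ICMP_HDR_LEN && inet_checksum(pkt, len) == 0;
}

int main(void) {
    uint8_t pkt[64];   /* constructed sample: id 0x1234, seq 1, 8-byte payload */
    size_t n = build_echo_request(pkt, sizeof pkt, 0x1234, 1,
                                  (const uint8_t *)"abcdefgh", 8);
    printf("%zu bytes, checksum 0x%02x%02x, valid=%d\n",
           n, pkt[2], pkt[3], icmp_checksum_ok(pkt, n));
    return 0;
}
```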
Windows and Raw Sockets
• WinSock 2.0 - November 2001
• raw sockets for NT and W2000
• must run as administrator
• Win XP
• Professional - raw socket functionality restricted to administrator users
• same level of access as UNIX / Linux
– but the first user created has administrator rights; on a home machine most users would therefore be running as administrator all of the time, possibly leaving the machine open to being hijacked
• Home - will eventually become the predominant OS
• is not supposed to have raw sockets
• Internet Connection Firewall (ICF) attempts to fix the problem
• but it only blocks incoming traffic; all outgoing traffic is permitted
• a hacker can install a trojan horse that installs a zombie that just sits and waits to become part of a DDoS attack on someone
Windows and Raw Sockets
• WinSock 2.0 allows Windows programmers to build advanced applications
• Firewalls
• Network Address Translation
• Packet Filtering
• SYN Flood protection
• Security
• IPSec support
• VPN Clients
• Network Administration
• Packet Sniffers/Analyzers
• Pathway Analyzers (ping and traceroute)
Possible Motives
• With a possible expansion of DDoS attacks
• could make TCP/IP look unstable and undesirable
• MS could be waiting in the wings with a replacement technology for TCP/IP (Robert X. Cringely, author)
• proprietary (TCP/MS)
– bad for us; good for MS
Countering Raw Sockets Attacks
• Egress Filtering - verifying that all packets leaving a network are really from that network
• at network edges/borders
• Locking Down Raw Sockets
• Raw Sockets Disabler and Socket Lock have been demonstrated to disable raw socket usage on host machines where they are installed
• IP v6
• IPv4 is susceptible to address spoofing, IPv6 is not