Linux.com


Socket man: Steve Gibson's DDoS attacks

June 20, 2001 (8:00:00 AM)

By: JT Smith

- By Joab Jackson -
Cyberpunk -
I dig Steve Gibson. Not only is this renegade computer security consultant a great storyteller, but he's one of the best Net advocates out there, a regular Abbie Hoffman of the binary age. Still, his latest crusade has me wondering if he isn't starting to value Microsoft-bashing over basic honesty.
Here's the story in case you haven't been following it:

On May 4, the Web site for Gibson's company, Gibson Research Corp., suddenly dropped off the Internet. It was being subjected to a distributed denial of service (DDoS) attack -- the same kind that temporarily crippled Yahoo! and CNN.com early last year -- in which a site's connection is swamped by a flood of bogus traffic arriving from all over the Net. Fortunately for GRC, this particular attack could be blunted with a bit of smarts. Gibson knew that his service provider only had to have its routers read the headers of the bogus packets to identify their source addresses, then filter out everything arriving from those addresses. Once he got the right engineer on the phone, GRC.com was back in business.

Gibson didn't stop there, though. Examining the packets, he found that his site had been bombed by 474 computers, all running Windows and all unwitting hosts of a remotely installed "zombie" program that their owners knew nothing about. GRC.com suffered five more attacks that month, and Gibson eventually tracked down the vandal (by getting a copy of the zombie program from one of the folks whose computer had been enslaved).

Gibson wrote up his adventures in the adolescent-hacker underground in an essay, The Strange Tale of Denial of Service Attacks Against GRC.Com. It's one of those irresistible, take-an-afternoon-off-to-read essays on computer culture that appear on the Web from time to time, in the same league as Eric Raymond's The Cathedral and the Bazaar, Neal Stephenson's In the Beginning Was the Command Line, the Son of Gomez's The Xenix Chainsaw Massacre, and the anonymously penned cyberpunk-goes-to-Oz parody The Guru of News.

But if Gibson initially shared his ordeal for entertainment's sake, he has since directed his energies into a tirade against Microsoft's new operating system, Windows XP, which won't even be out until the fall. In a subsequent essay, Why Windows XP will be the Denial of Service Exploitation Tool of Choice for Internet Hackers Everywhere, Gibson asserts that once XP hits the streets, it'll be even easier for hackers to wreak serious havoc.

"Windows XP is the malicious hacker's dream come true," Gibson writes. He was able to tell where his attacks were coming from only because the Windows versions consumers run today don't let an ordinary program forge the source address of the packets it sends, so the addresses in the zombies' packet headers were genuine and could be filtered. XP, however, will ship with "raw sockets" support, which lets a program build packets by hand, forged source address included. Once XP is in widespread use, Gibson predicts, the traffic from the zombie programs hackers plant via the Internet -- the kind that attacked his company -- will carry phony source addresses, so it can't be traced back to the infected machines and will be nearly impossible to filter out. Without that filtering capability, the victim site can't start heading off an attack as it's occurring; it's out of commission for the duration of the bombardment.

Or so Gibson argues. Microsoft itself posted a rebuttal, pointing out a few pretty good reasons why XP may not be the risk Gibson claims ("Hostile Code, Not the Windows XP Socket Implementation, Is the Real Security Threat"). For one, if hackers really want Internet-address-spoofing machines, they don't have to wait for XP; Unix, Linux and the new Mac OS X already offer such raw-socket capability. Gibson counters that the sheer number of XP machines that will be out there (with, perhaps more importantly, their non-security-savvy owners) will provide far more firepower for hackers. On that point Gibson is correct and Microsoft is offering a bit of a red herring, but Microsoft also argues that XP will ship with far stronger security features than earlier versions of Windows, including protections aimed at always-on broadband connections, so it should be harder for hackers to break into in the first place. Well, maybe. But then Gibson goes and shoots himself in the foot anyway by admitting that spoofed DDoS packets can be filtered after all, namely by egress filtering: the network the zombies live on drops any outbound packet whose source address isn't one of its own, so forged addresses never make it onto the Internet. It's a procedure recommended in at least two Internet RFCs (RFC 2267 and its successor RFC 2827, better known as BCP 38), a feature Cisco offers on its routers, and something Gibson himself wrote software to do! The catch is that egress filtering has to be deployed by the providers the zombies sit behind, not by the victim, so it helps only to the extent that those ISPs actually turn it on.
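To make concrete the difference between the two filters the column mentions -- the victim-side source-address blocklist GRC's provider used during the May attacks, and the egress filtering Gibson later conceded -- here is an added example that is not code from the column, from Gibson or from GRC. It models both filters over constructed packet records (source, destination) drawn from documentation and reserved address ranges; the victim address, the zombie prefix, the packet counts and the blocklist threshold are all assumptions chosen for the illustration. Tracked sources are blocklisted when they exceed a count threshold; the egress filter is BCP 38 as the column describes it, applied at the edge of the network the zombies sit on.

```python
import ipaddress
from collections import Counter

# All addresses below are constructed from documentation / reserved ranges.
VICTIM = "203.0.113.5"                       # stands in for the attacked site
ZOMBIE_NET = "198.51.100.0/24"               # the network the infected PCs sit on
ZOMBIES = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
# Four packets from two ordinary visitors, mixed in with the attack traffic.
LEGIT = [("192.0.2.7", VICTIM)] * 2 + [("192.0.2.8", VICTIM)] * 2


def honest_flood(per_zombie=50):
    """Zombies without raw-socket access: every packet carries the sender's real address."""
    return [(z, VICTIM) for z in ZOMBIES for _ in range(per_zombie)]


def spoofed_flood(n=150):
    """Zombies with raw-socket access: every packet carries a different forged
    source address, walked deterministically through an unrelated prefix."""
    base = int(ipaddress.ip_address("100.64.0.0"))
    return [(str(ipaddress.ip_address(base + i)), VICTIM) for i in range(n)]


def egress_filter(pkts, local_prefix):
    """BCP 38 (RFC 2827) at the zombies' edge router: forward only packets whose
    source address falls inside the network's own prefix; drop everything else."""
    net = ipaddress.ip_network(local_prefix)
    return [p for p in pkts if ipaddress.ip_address(p[0]) in net]


def build_blocklist(pkts, threshold):
    """Victim-side: a source seen more than `threshold` times is assumed hostile."""
    counts = Counter(src for src, _ in pkts)
    return {src for src, n in counts.items() if n > threshold}


def victim_filter(pkts, blocklist):
    """What the victim's provider did: drop everything from the listed sources."""
    return [p for p in pkts if p[0] not in blocklist]


def simulate(attack, egress=False, threshold=10):
    """Return how much attack and legitimate traffic still reaches the victim after
    (optionally) egress filtering at the source network and blocklisting at the victim."""
    if egress:
        attack = egress_filter(attack, ZOMBIE_NET)
    attack_sources = {src for src, _ in attack}
    arriving = attack + LEGIT
    survivors = victim_filter(arriving, build_blocklist(arriving, threshold))
    attack_left = sum(1 for src, _ in survivors if src in attack_sources)
    return {"attack_delivered": attack_left,
            "legit_delivered": len(survivors) - attack_left}


if __name__ == "__main__":
    for label, flood in (("honest", honest_flood()), ("spoofed", spoofed_flood())):
        for egress in (False, True):
            print(label, "egress=%s" % egress, simulate(flood, egress))
```

Run as written, the honest flood is stopped by the victim-side blocklist alone: the three zombie addresses each exceed the threshold and all 150 attack packets are dropped while the four legitimate packets get through. The spoofed flood defeats that blocklist completely, because no source address repeats; only when the zombies' own network runs the egress filter do the forged packets disappear, and then the blocklist has nothing left to do. Note the residual gap: a raw-socket zombie can still forge addresses inside its own network's prefix, which egress filtering will pass, so the victim must fall back on blocking the whole prefix.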

Like I said, Gibson has educated a lot of users about the dangers of cyberspace. His Web site offers the popular free service ShieldsUP!, a test that probes broadband-connected computers to see how exposed they are to intrusion. Many Windows users were first alerted to the dangers of broadband when they saw their machines' profiles staring back at them after taking this test. And Gibson's exposure of how Real Networks planted spy software in copies of its free download utility alerted many that their privacy was being compromised. Gibson also was the one to look behind EarthLink's suspicious-looking (though ultimately innocuous) custom browser tokens.

Still, as Microsoft-bashing has turned into a favorite sport of journalists everywhere, from ZD Net to Slashdot, it's a bit disheartening to see Gibson needlessly indulge in it as well, however entertaining the story that prompted his fulminating.

As for Microsoft, well, let's just hope XP will be as secure as the company claims.

Read in the original layout at: http://www.linux.com/archive/articles/13296