June 20, 2001

Socket man: Steve Gibson's DDoS attacks

Author: JT Smith

- By Joab Jackson -

Cyberpunk -

I dig Steve Gibson. Not only is this renegade computer security
consultant a great storyteller, but he's one of the best Net advocates out there, a
regular Abbie Hoffman of the binary age. Still, his latest crusade has
me wondering if he isn't starting to value Microsoft-bashing over basic
honesty.Here's the story in case you haven't been following it:

On May 4,
the Web site for Gibson's company, Gibson
Research Corp.
, suddenly dropped off the Internet. It was being
subjected to a distributed denial of service (DDoS) attack -- the same
kind that temporarily crippled Yahoo! and CNN.com early last year -- in which a site's server is crushed by a
huge number of phony requests coming from all over the Net. Fortunately
for GRC, this kind of attack can easily be thwarted with a bit of
smarts. Gibson knew that all his service provider had to do was have its
routers read the packet headers of the phony requests to identify the return
addresses, then filter out everything arriving with those addresses.
Once he got the right engineer on the phone, GRC.com was back in business.

Gibson didn't stop there, though. Examining the packets, he found that
his site had been bombed by 474 computers, all running Windows, and all
unwitting slaves to a remotely installed "zombie" program, unbeknownst
to the PCs' owners. GRC.com suffered from five more attacks that month,
and Gibson eventually tracked down the vandal (by getting a copy of the
zombie program from one of the folks whose computer had been enslaved).

Gibson wrote up his adventures in the adolescent-hacker underground in
an essay, The Strange Tale
of Denial of Service Attacks Against GRC.Com
. It's one of those
irresistible, take-an-afternoon-off-to-read essays on computer culture
that appear on the Web from time to time, in the same league as Eric
Raymond's The Cathedral and the Bazaar, Neal Stephenson's In the
There Was the Command Line
, the Son of Gomez's The
Xenix Chainsaw Massacre
, and the anonymously penned
cyberpunk-goes-to-Oz parody The Guru of News .

But if Gibson initially shared his ordeal for entertainment's sake, he
has since directed his energies into a tirade against Microsoft's new
operating system, Windows XP, which won't even be out until the fall.
In a subsequent essay, Why Windows
XP will be the Denial of Service Exploitation Tool of Choice for Internet
Hackers Everywhere
, Gibson asserts that once XP
hits the streets, it'll be even easier for hackers to wreak serious

"Windows XP is the malicious hacker's dream come true," Gibson writes.
He was only able to tell where his attacks were coming from because, with
current Windows systems, it is impossible to forge a computer's
Internet address, making it easy to filter out packets with those addresses. XP,
however, will come with "raw sockets" support, which can be used to
forge phony Internet addresses. Once XP is in widespread use, Gibson
predicts, the zombie programs hackers plant via the Internet -- the kind that
attacked his company -- won't be as easily identified, and thus will be nearly
impossible to filter out. Without that filtering capability, the victim
site can't start heading off the attacks as they're occurring; it's out
of commission for the duration of the bombardment.

Or so Gibson argues. Microsoft itself posted a rebuttal,
pointing out a few pretty good reasons why XP may not be the risk Gibson claims
("Hostile Code, Not the Windows XP Socket Implementation, Is the Real Security
. For one, if hackers really want Internet-address-spoofing
machines, they don't have to wait for XP; Unix and Linux and the new
Mac OS X already offer such raw-socket capability. Gibson counters that the
sheer number of XP machines that will be out there (with, perhaps more
importantly, their non-security-savvy owners) will provide far more
firepower for hackers. Gibson is correct and Microsoft is indeed
offering a bit of a red herring, but Microsoft also rebuts that XP machines will
have far stronger security features than earlier versions of Windows.
XP will be better equipped for broadband use, meaning it will be harder
for hackers to break into. Well, maybe. But then Gibson goes and shoots
himself in the foot anyway by admitting that DDoS packets can be
filtered after all, namely by using egress filtering, a
procedure that has actually been recommended in at least two Internet RFCs, a
feature that Cisco offers on its routers and that Gibson himself wrote
software to do!

Like I said, Gibson has educated a lot of users about the dangers of
cyberspace. His Web site offers the popular free service Shield's UP, a test that
checks broadband-connected computers to see how vulnerable they are to
intrusion. Many Windows users were first alerted to the dangers of
broadband when they saw their machines' profiles staring back at them
after taking this test. And Gibson's exposure of how Real Networks
implanted spy software onto copies
of its free-downloading program alerted many that their privacy was being
compromised. Gibson also was the one to look behind EarthLink's
suspicious-looking (though ultimately innocuous) custom browser tokens.

Still, as Microsoft-bashing has turned into a favorite sport of
journalists everywhere, from ZD Net to Slashdot, it's a bit
disheartening to see Gibson needlessly indulge in it as well, however entertaining
the story that prompted his fulminating.

As for Microsoft, well, let's just hope XP will be as secure as the
company claims.


  • Linux
Click Here!