Get ready for a whole new level of distributed denial of service (DDoS) attacks when Microsoft releases Windows XP this fall. That’s the prediction of security expert Steve Gibson in reaction to Microsoft’s improved TCP/IP implementation in Windows XP, specifically in regard to UNIX sockets. Gibson says that Microsoft has unknowingly been protecting us all these years with its poor TCP/IP implementation. However, the more complete TCP/IP stack in Windows XP Home Edition will allow inexperienced hackers known as “script kiddies” to make more sophisticated attacks on Web sites.

The threat
Interestingly enough, shortly after Gibson posted his message about the DDoS potential of Windows XP, his Web site, which is best known for its Shields Up security tester, was hit by a DDoS attack. Gibson eventually discovered that the attack was initiated by a 13-year-old hacker and a couple of hacker friends who had compromised 474 Windows machines, the predecessors of Windows XP Home Edition, and then sent a flood of packets at Gibson’s site.

Anyone running UNIX has had the ability to conduct this sort of attack since practically the beginning of the Internet. However, these UNIX machines can do considerably more damage because the TCP/IP software allows them to make more sophisticated and destructive attacks. If the hackers who brought down Gibson’s site had had UNIX, they would almost certainly have made use of more damaging TCP SYN packets sent to port 80 instead of the relatively harmless UDP and ICMP packets, which were all that the Windows machines used in the attack were able to generate (and which caused only a brief DDoS event that could be quickly filtered).
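The distinction above, between a UDP/ICMP flood that can be filtered quickly and a SYN flood to port 80 whose source addresses may all be forged, is what a defender needs to recognise in the first minutes of an incident. The following triage script is an added example for this article, not code from Gibson or from the article’s author; the packet-summary line format (“src proto dport=N flags=F”) and the three sample bursts are constructed for the example. It tells the two flood profiles apart by counting half-open SYNs (SYNs from sources that never send an ACK) and by checking how many distinct source addresses the SYNs carry, then states which mitigation is actually usable.

```python
"""
Defender-side triage of a packet burst: is this a UDP/ICMP flood from a
fixed set of real addresses (filterable by protocol and source), or a
TCP SYN flood to port 80 with forged sources (neither filter helps)?
The log format and sample bursts are constructed for this example.
"""
from collections import Counter


def parse_line(line):
    """Parse '<src_ip> <proto> [dport=<n>] [flags=<tcp_flags>]' (constructed format)."""
    tokens = line.split()
    pkt = {"src": tokens[0], "proto": tokens[1].lower(), "dport": None, "flags": ""}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        if key == "dport":
            pkt["dport"] = int(value)
        elif key == "flags":
            pkt["flags"] = value.upper()
    return pkt


def analyze(lines, flood_share=0.8, spoof_ratio=0.9):
    """Return a verdict dict for one burst of packet-summary lines."""
    pkts = [parse_line(l) for l in lines if l.strip()]
    total = len(pkts)
    if total == 0:
        return {"verdict": "empty", "spoofed": False, "action": "nothing to do", "top_sources": []}

    # A source that ever sends an ACK is a real client finishing a handshake;
    # a SYN from a source that never ACKs is a half-open attempt.
    ack_sources = {p["src"] for p in pkts if p["proto"] == "tcp" and "A" in p["flags"]}
    half_open = [p for p in pkts
                 if p["proto"] == "tcp" and p["flags"] == "S" and p["src"] not in ack_sources]
    udp_icmp = [p for p in pkts if p["proto"] in ("udp", "icmp")]

    if len(half_open) / total >= flood_share:
        syn_sources = Counter(p["src"] for p in half_open)
        # Forged sources show up as roughly one distinct address per SYN.
        spoofed = len(syn_sources) / len(half_open) >= spoof_ratio
        if spoofed:
            action = ("SYN flood with forged sources: source/protocol filters will not help; "
                      "enable SYN cookies or half-open rate limiting and ask upstream to "
                      "rate-limit SYNs to port 80")
        else:
            action = "SYN flood from repeating sources: block the top sources and rate-limit SYNs"
        return {"verdict": "syn-flood", "spoofed": spoofed, "action": action,
                "top_sources": [s for s, _ in syn_sources.most_common(5)]}

    if len(udp_icmp) / total >= flood_share:
        srcs = Counter(p["src"] for p in udp_icmp)
        return {"verdict": "udp-icmp-flood", "spoofed": False,
                "action": "filter UDP/ICMP at the border and block the listed sources",
                "top_sources": [s for s, _ in srcs.most_common(5)]}

    return {"verdict": "normal", "spoofed": False, "action": "none", "top_sources": []}


# --- constructed sample bursts (not real captures) ------------------------

def udp_icmp_burst(bots=40, per_bot=4):
    """Flood from a small set of real, reused addresses (the pre-XP profile)."""
    lines = []
    for i in range(bots):
        src = f"10.0.{i // 256}.{i % 256}"
        for j in range(per_bot):
            lines.append(f"{src} icmp" if j % 2 else f"{src} udp dport=53")
    return lines


def spoofed_syn_burst(packets=300):
    """SYNs to port 80, each from a different forged (documentation-range) address, never ACKed."""
    return [f"{'198.51.100' if i < 256 else '203.0.113'}.{i & 255} tcp dport=80 flags=S"
            for i in range(packets)]


def normal_burst(clients=3):
    """Ordinary HTTP clients that complete the handshake."""
    lines = []
    for i in range(clients):
        src = f"192.0.2.{10 + i}"
        lines += [f"{src} tcp dport=80 flags=S", f"{src} tcp dport=80 flags=A",
                  f"{src} tcp dport=80 flags=PA"]
    return lines


if __name__ == "__main__":
    for name, burst in [("udp/icmp", udp_icmp_burst()),
                        ("spoofed syn", spoofed_syn_burst()),
                        ("normal", normal_burst())]:
        r = analyze(burst)
        print(f"{name:12s} -> {r['verdict']:15s} spoofed={r['spoofed']}  {r['action']}")
```

The thresholds (80% of the burst in one profile, 90% distinct sources among half-open SYNs) are assumptions chosen for the sample data; on real traffic they would be tuned against a baseline of the site’s normal handshake rate, and the verdict would feed a SYN-cookie or upstream rate-limit decision rather than a source blocklist when `spoofed` is true.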

Alas, that is about to change. The new threat, according to Gibson, is that Windows 2000 Professional, Windows XP Professional (mostly limited to business users), and Windows XP Home Edition have fully implemented the UNIX TCP/IP tools that can make these more deadly attacks. If Windows XP is used to upgrade the vast majority of Windows 95/98 machines that currently dominate most home machines, and if many of those home users migrate to cable Internet or DSL, this threat will open up a Pandora’s box for hackers. In Gibson’s case, the hackers could have kept his site offline much longer than the few minutes it took to filter out the UDP and ICMP packets sent from the pre-XP Windows machines.

The key thing to know is that for the really disruptive DDoS, it doesn’t matter what OS the hacker is running. Because the unwitting host PCs a hacker compromises are what actually cause the trouble, the OS those home PCs are running is what matters most. The new problem is that unknowing home users, whose systems are used to initiate a DDoS attack, are going to have these more advanced TCP/IP tools when they upgrade to Windows XP Home Edition. That means that hackers will be able to use these tools to initiate far more disruptive DDoS attacks.

It’s ironic that this new threat is caused by Microsoft providing a better implementation of UNIX sockets and TCP/IP. The real danger here is that unlike UNIX and Linux, Windows machines generally have weaker security to begin with and can therefore be taken over more easily to facilitate a DDoS attack. And since Windows users make up the vast majority of those using cable Internet and DSL, they’re a prime target for hackers to manipulate.

If you’d like to know more about the attack on Gibson’s site and his carefully documented solution, see “The Strange Tale of the Denial of Service Attacks Against GRC.COM.” For Gibson’s critique of Windows XP, read “Why Windows XP will be the Denial of Service Exploitation Tool of Choice for Internet Hackers Everywhere.” For Microsoft’s response to this issue, read “Hostile Code, not the Windows XP Socket Implementation, is the Real Security Threat.”

The Locksmith’s take
A lot of people online have accused Mr. Gibson of being paranoid. However, paranoia is a good trait in security personnel. Being professionally paranoid myself, I’m afraid that I, too, foresee dire consequences if Microsoft fully implements TCP/IP sockets in Windows XP Home Edition. Individual hackers can afford many tools, or they can steal them, but to initiate a DDoS attack, they must depend on the tools available in poorly secured computers owned by people who don’t even realize that they are being used.

How do you feel about this issue?

Do you think Gibson’s prediction will pan out? We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.