Microsoft's forthcoming Windows XP OS will include UNIX-style raw sockets, going beyond what the company's current OSs offer. Winsock 2 already provides some raw socket functionality, but Windows XP's additions would let an application write an arbitrary source IP address into outgoing packets (source address spoofing). Today, Winsock overwrites a packet's source IP address with the system's true IP address before the packet is sent to its destination.
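To make concrete what the difference between the two behaviours looks like at the packet level, here is an added example that is not code from the article, from Winsock, or from Microsoft. It builds a 20-byte IPv4 header with a caller-chosen source address (the freedom a raw socket with header inclusion grants), verifies the RFC 791 header checksum, and models the rewrite the article attributes to current Winsock: replace the source field with the host's real address and recompute the checksum. The addresses are constructed from the RFC 5737 documentation ranges; the rewrite function is an assumption about the described behaviour, not Winsock code; and nothing here opens a socket or sends a packet.

```python
"""Build, check, and 'un-spoof' an IPv4 header in memory.

Added example; not from the article or from Microsoft's Winsock.
Addresses are constructed (RFC 5737 documentation ranges).
Nothing here opens a socket or transmits anything."""
import ipaddress
import struct

IPV4_HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
PROTO_UDP = 17

SPOOFED_SRC = "203.0.113.7"   # address an attacker writes into the header
TRUE_SRC = "192.0.2.10"       # the sending host's real address (assumed)
DST = "198.51.100.1"          # target


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    then the one's complement of the sum. Checking a header that already
    carries a correct checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 0,
                      proto: int = PROTO_UDP, ttl: int = 64,
                      ident: int = 0, flags_frag: int = 0) -> bytes:
    """Return a 20-byte IPv4 header whose source field is whatever the
    caller supplies. With header inclusion on a raw socket the stack does
    not vet `src`; that is the capability the article is about."""
    hdr = struct.pack(IPV4_HDR_FMT,
                      (4 << 4) | 5,            # version 4, IHL = 5 words
                      0,                       # TOS
                      20 + payload_len,        # total length
                      ident, flags_frag, ttl, proto,
                      0,                       # checksum placeholder
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr: bytes):
    """Return (src, dst, checksum_ok) for a 20-byte header."""
    f = struct.unpack(IPV4_HDR_FMT, hdr[:20])
    return (str(ipaddress.IPv4Address(f[8])),
            str(ipaddress.IPv4Address(f[9])),
            ip_checksum(hdr[:20]) == 0)


def stack_rewrite_source(hdr: bytes, true_src: str) -> bytes:
    """Model (an assumption, not Winsock code) of the behaviour the article
    attributes to current Winsock: overwrite the source address with the
    host's real address and recompute the checksum before sending."""
    body = bytearray(hdr[:20])
    body[10:12] = b"\x00\x00"                                  # zero checksum
    body[12:16] = ipaddress.IPv4Address(true_src).packed       # real source
    body[10:12] = struct.pack("!H", ip_checksum(bytes(body)))  # recompute
    return bytes(body)


def demo():
    """Header as the application wrote it vs. as the modelled stack sends it."""
    spoofed = build_ipv4_header(SPOOFED_SRC, DST)
    sent = stack_rewrite_source(spoofed, TRUE_SRC)
    return parse_ipv4_header(spoofed), parse_ipv4_header(sent)


if __name__ == "__main__":
    print(demo())
```

The checksum routine is checked against the widely used worked example of a header with source 192.168.0.1 and destination 192.168.0.199 (checksum 0xb861), so a reader can confirm the arithmetic independently; the point of the rewrite function is that a stack enforcing the old Winsock behaviour leaves the destination untouched and only the source field and checksum change.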
Early versions of Windows let malicious users spoof IP addresses, but at some point in the evolution of Windows, Microsoft removed that capability. With the company's decision to reinstate raw socket functionality in Windows XP, at least one person is now complaining loudly.
Steve Gibson of Gibson Research posted a document on the Gibson Web site alleging that Windows XP's newfound raw socket functionality will enable a whole new level of Distributed Denial of Service (DDoS) attacks. Gibson argues that because so many Windows users are novices, intruders will find their machines easy targets to commandeer for launching DDoS attacks.
Microsoft posted a rebuttal on its Web site arguing that raw sockets and the ability to spoof IP addresses add little to the DDoS problem and that hostile code is the real problem. The company's reasoning: if an intruder can install hostile code (e.g., a DDoS Trojan) on a user's machine, nothing prevents the intruder from installing a custom packet driver capable of spoofing IP addresses at the same time.
Microsoft seems to have a valid set of points. However, both Microsoft and Gibson apparently overlook a simpler fact: once an intruder has installed a Trojan on an unsuspecting user's machine, the intruder's true IP address is already obscured, because the attack packets originate from the victimized third-party system rather than from the intruder's own machine. Microsoft also pointed out that other OSs have long allowed IP address spoofing, among them VMS, Mac OS X, Linux, and various versions of UNIX, and argued that if an explosion of DDoS attacks were going to result from raw sockets, it would already have happened on those platforms. Recently, however, Gibson Research did suffer a massive DDoS attack against its network, according to details posted on the company's Web site.