According to security expert Dana Epp, Windows XP SP2 no longer supports “raw sockets”:
Ok, now this just sucks.
One of the ‘security additions’ added to XP SP2 is the fact that raw sockets are no longer available. Result? Tools like nmap no longer work in their current form.
The reason from Microsoft: ‘Only attack tools seem to use raw sockets’.
ARG!!!!!!!!!!!
So be forewarned. If you upgrade to SP2, you will lose access to nmap. Now I’ve got a valid reason for keeping my other Linux box around 😉
In this white paper, Microsoft explains:
A very small number of Windows applications make use of raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:
- TCP data cannot be sent over raw sockets.
- UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped.
Why is this change important? What threats does it help mitigate?
This change limits the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets, which are TCP/IP packets with a forged source IP address.
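The two restrictions quoted above amount to an egress filter on outgoing raw-socket packets. The following is an added example (not from the white paper or from Microsoft’s stack) that models that filter over a constructed IPv4 header: TCP is refused outright, UDP is sent only when its source address belongs to a local interface, and the set of local addresses is an assumption stood in for what the stack would read from its own interfaces.

```python
import ipaddress
import struct

# Assumption: addresses the host has bound to its interfaces (constructed for
# this example; the real stack consults its interface table instead).
LOCAL_ADDRESSES = {"192.0.2.10", "127.0.0.1"}

PROTO_TCP = 6
PROTO_UDP = 17
IPV4_HEADER = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def build_ipv4_header(src, dst, proto, payload_len):
    """Build a constructed 20-byte IPv4 header for testing (checksum left zero)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(IPV4_HEADER, ver_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def sp2_raw_send_policy(packet, local_addresses=LOCAL_ADDRESSES):
    """Return (allowed, reason) for a packet handed to a raw socket for sending,
    applying the two SP2 rules: no TCP, and UDP only from a local source address."""
    if len(packet) < 20:
        return False, "truncated IPv4 header"
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack(IPV4_HEADER, packet[:20])
    if ver_ihl >> 4 != 4:
        return False, "not an IPv4 packet"
    src_ip = str(ipaddress.IPv4Address(src))
    if proto == PROTO_TCP:
        return False, "TCP data cannot be sent over raw sockets"
    if proto == PROTO_UDP:
        if src_ip not in local_addresses:
            return False, f"UDP source {src_ip} does not exist on a local interface"
        return True, f"UDP datagram from local source {src_ip}"
    # Other protocols are not covered by the two documented restrictions.
    return True, f"protocol {proto} is not restricted by the documented rules"
```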
Dana’s credentials are impeccable, and his complaint that SP2 breaks some legitimate security tools is an important one. At the risk of opening an old battle… Steve Gibson made a giant fuss over this topic in 2001, claiming that access to raw sockets is “clearly dangerous.” Not everyone agreed with Steve, and I haven’t heard much on the topic since that fuss died down three years ago.
In fact, even though this change was announced months ago and has been part of SP2 throughout its beta, we’ve heard very little about it. Funny.
So how do you get around it? I downloaded a patch that is supposed to correct the issue, but I still can’t seem to send raw packets.