Old January 5th 10, 03:37 PM posted to microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin,microsoft.public.windowsxp.general,microsoft.public.security
John John - MVP[_2_]
Raw socket support in Winsock?

karthikbalaguru wrote:
On Jan 5, 4:54 pm, Andrew McLaren wrote:
karthikbalaguru wrote:
I am eager to know the reasons for the raw socket
support in the Winsock interface during the initial
Windows XP release?

http://msdn.microsoft.com/en-us/libr...48(VS.85).aspx


Thanks for the link!

As per the link, the ability to send traffic over raw sockets
has been restricted in several ways in new Windows
releases after 'Windows XP with SP2' .

The reasons for the below changes w.r.t. raw sockets
are not clearly mentioned in that link. Any ideas?
1) TCP data cannot be sent over raw sockets.
But why?

2) A call to the bind function with a raw socket is not allowed.
But why? Any ideas?

But the below reason w.r.t. raw socket and UDP datagram
support is clear:
3) UDP datagrams with an invalid source address cannot be sent
over raw sockets. The IP source address for any outgoing UDP
datagram must exist on a network interface or the datagram is
dropped. This change was made to limit the ability of malicious
code to create distributed denial-of-service attacks and limits the
ability to send spoofed packets (TCP/IP packets with a forged
source IP address).


It's all to do with security.

[quote]

Restricted traffic over raw sockets

Detailed description

A very small number of Windows applications make use of raw IP sockets,
which provide an industry-standard way for applications to create TCP/IP
packets with fewer integrity and security checks by the TCP/IP stack.
The Windows implementation of TCP/IP still supports receiving traffic on
raw IP sockets. However, the ability to send traffic over raw sockets
has been restricted in two ways:

* TCP data cannot be sent over raw sockets.

* UDP datagrams with invalid source addresses cannot be sent over raw
sockets. The IP source address for any outgoing UDP datagram must exist
on a network interface or the datagram is dropped.

Why is this change important? What threats does it help mitigate?

This change limits the ability of malicious code to create distributed
denial-of-service attacks and limits the ability to send spoofed
packets, which are TCP/IP packets with a forged source IP address.

[end quote]

http://technet.microsoft.com/en-us/l.../bb457156.aspx

John
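Added example, not part of the original thread and not Microsoft's code: it builds an IPv4/UDP datagram with a header the sender chose itself (the spoofing a raw socket makes possible) and then applies the two send-side rules quoted above to decide whether the XP SP2 stack would let the datagram out. The set of "local interface addresses" is a constructed assumption; the real stack reads its own interface table. The refusal of bind() is an API-level check that happens before any send, so it is not modelled here.

```python
"""Raw-socket spoofing versus the XP SP2 send rules (added example)."""
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Constructed sample of the addresses configured on this host's interfaces
# (an assumption for the example; the real stack consults its interface table).
LOCAL_ADDRESSES = frozenset({"192.168.1.10", "127.0.0.1"})

IPV4_FMT = "!BBHHHBBH4s4s"  # ver/IHL, TOS, len, id, flags/frag, TTL, proto, csum, src, dst


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 and UDP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """IPv4 header (no options) with a filled-in checksum, followed by payload.
    Because the sender writes the header itself, src can be any address at all."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP segment whose checksum covers the IPv4 pseudo-header (src, dst, proto, length)."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = checksum(pseudo + hdr + payload) or 0xFFFF  # a zero field means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def spoofed_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """A complete IP+UDP datagram claiming to come from `src`."""
    return build_ipv4(src, dst, IPPROTO_UDP, build_udp(src, dst, sport, dport, payload))


def checksums_ok(packet: bytes) -> bool:
    """What a receiver checks: IPv4 header checksum and, for UDP, the pseudo-header checksum."""
    if len(packet) < 20 or checksum(packet[:20]) != 0:
        return False
    if packet[9] == IPPROTO_UDP:
        pseudo = packet[12:20] + struct.pack("!BBH", 0, IPPROTO_UDP, len(packet) - 20)
        return checksum(pseudo + packet[20:]) == 0
    return True


def raw_send_verdict(packet: bytes, local_addresses=LOCAL_ADDRESSES) -> str:
    """The XP SP2 send-side rules, applied to a packet handed to sendto() on a raw
    socket: TCP is refused outright; UDP must carry a source address that exists on
    a local interface; other protocols (e.g. ICMP) pass through."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    if proto == IPPROTO_TCP:
        return "drop: TCP cannot be sent over raw sockets"
    if proto == IPPROTO_UDP and src not in local_addresses:
        return "drop: UDP source %s is not on any local interface" % src
    return "send"


def try_raw_send(packet: bytes, dst: str) -> str:
    """Hand the packet to a real raw socket (needs administrator/root). On XP SP2 and
    later the stack rejects what raw_send_verdict() predicts; on a stack without the
    restriction the forged datagram goes out on the wire."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except OSError as e:
        return "cannot open raw socket: %s" % e
    try:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)  # use our header as written
        s.sendto(packet, (dst, 0))
        return "sent"
    except OSError as e:
        return "rejected: %s" % e
    finally:
        s.close()


if __name__ == "__main__":
    target = "192.0.2.1"  # TEST-NET-1 documentation address
    samples = [
        ("forged-src UDP", spoofed_udp("203.0.113.9", target, 40000, 53, b"x")),
        ("local-src UDP", spoofed_udp("192.168.1.10", target, 40000, 53, b"x")),
        ("TCP over raw", build_ipv4("192.168.1.10", target, IPPROTO_TCP, b"\x00" * 20)),
    ]
    for name, pkt in samples:
        print("%-15s checksums_ok=%s -> %s" % (name, checksums_ok(pkt), raw_send_verdict(pkt)))
```

The point the verdict function makes is that the forged datagram is perfectly well-formed (both checksums verify), so nothing downstream can tell it apart from a genuine one; the only place it can be stopped is the sending host's stack, which is where SP2 put the check.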