Gibson is the president of Gibson Research Corporation, developer of the disk utility SpinRite and author of the free Windows security test Shields Up. His latest discovery came after his website was totally knocked off the internet for days at a time by a hacker who claimed to be 13 years old. Gibson’s efforts to recover from the hack attacks convinced him the internet sites of even the largest Fortune 500 companies are vulnerable to going dark in the same way.
And, he says, the situation will worsen if Windows XP is released the way it’s presently designed.
Gibson’s internet service provider, Verio, is connected to the internet backbone using industrial-strength, 100Mbit/s fibre-optic lines. His website, in turn, is connected to Verio by two T1 trunk lines. These lines provide a total of about 3Mbit/s of throughput in each direction.
Last month, his site became completely unresponsive to visits from users. The cause, as Gibson explains in a lengthy analysis, was a teenage hacker who had launched a massive DDoS (distributed denial of service) attack. After exchanging email with the hacker, Gibson found that “he was like a child pulling the legs off a spider to see what it would do”.
To orchestrate DDoS assaults, a hacker first installs “cable bots” on computers that have cable or other high-speed modems, but lack adequate firewalls against intrusion. These bots are then instructed to send massive amounts of data to a victim’s site. Gibson found that bots running on just 474 Windows PCs worldwide were enough to completely overwhelm his two T1 lines.
After 17 hours of agony, the initial attack was defeated because the “zombie” Windows 9x PCs were only able to send IP packets using valid IP addresses. A Verio engineer was finally able to filter out such packets before they clogged GRC’s T1 lines. The attacks later continued in various forms.
The danger, Gibson asserts, is that Windows XP will add the ability for any application to send packets bearing faked IP addresses. There’s no perfect way for a website to defend itself against such a flood, because you can’t distinguish the incoming hacker traffic from the ordinary customer traffic. Gibson is alarmed about XP’s new capability.
Microsoft security response centre manager Steve Lipner says the key issue is the ability of a hostile person to get a rogue program on your system. He says XP will be less, not more vulnerable to hackers who want to plant Trojan horses on Windows PCs.
He confirms Windows XP will have a new capability called Raw Sockets, an old internet spec that already exists in Windows 2000 and Unix machines. Raw Sockets can put out data packets with faked IP addresses. This was proved when Yahoo and other major sites were brought down by Unix zombies in highly publicised attacks in February 2000. But Unix servers usually have trained administrators, many of whom have taken steps to prevent a recurrence.
Most home users of Windows XP will have no security training, of course, so Lipner says two new features will make XP less vulnerable than any previous OS: a personal firewall and software restriction policies that allow people “to control what code from what sources you’ll allow to run on your machine”. He believes XP won’t make IP spoofing worse.
Gibson strongly disagrees and feels Raw Sockets should be removed from XP, or at least restricted to use only by system-level drivers, not applications.
Internet users have suffered huge financial losses from Microsoft’s decision to allow email messages to run as “trusted” code. This gave rise to fast-spreading viruses such as Melissa and I Love You.
Brian Livington’s latest book is Windows Me Secrets (IDG Books). Send tips to firstname.lastname@example.org.