
Raw Sockets

CS-480b
Dick Steflik
Raw Sockets
Raw Sockets let you program at just above the network (IP) layer
You could program at the IP level using the IP API, but you can't get at ICMP
Raw Sockets expose ICMP
you get a Raw Packet and populate the entire packet yourself
for higher-level protocols like TCP and UDP you lose all of the functionality implemented in those layers
choosing to use a Raw Socket must be weighed carefully
Raw Sockets can be dangerous
Raw Sockets can be against the law
http://www.kumite.com/rsnbrgr/rob/grcspoof/cnn/

Limitations
Loss of Reliability

No ports

Non Standard Communications

No automatic ICMP

No Raw TCP or UDP

Must have root (or administrator) privilege
When to use
When you need to control the IP header
applications like Ping and Traceroute
not all fields can be set using the IP APIs
Network Address Translation
Firewalls

When your application requires optimum network speed
one level above the Link Layer
if you need reliability, you must build it into your application

Windows and Raw Sockets
WinSock 2.0 - November 2001
raw sockets for NT and W2000
must run as administrator
Win XP
Professional - raw socket functionality restricted to administrator users
same level of access as UNIX / Linux
but the first user created has administrator rights; if this is being used on a home machine, most users would be running as administrator all of the time, leaving their machine possibly open to being hijacked
Home - will eventually become the predominant OS
is not supposed to have raw sockets
Internet Connection Firewall (ICF) attempt to fix problem
but only blocks incoming traffic; all outgoing traffic permitted
hacker can install a trojan horse that installs a zombie that just sits and waits to become part of a DDoS attack on someone
Windows and Raw Sockets
WinSock 2.0 allows Windows programmers to build advanced applications
Firewalls
Network Address Translation
Packet Filtering
SYN Flood protection
Security
IPSec support
VPN Clients
Network Administration
Packet Sniffers/Analyzers
Pathway Analyzers (ping and traceroute)

Possible Motives
With a possible expansion of DDoS attacks, TCP/IP could be made to look unstable and undesirable
MS could be waiting in the wings with a replacement technology to replace TCP/IP (Robert X. Cringely, author)
proprietary (TCP/MS)
bad for us; good for MS
Countering Raw Sockets Attacks
Egress Filtering - verifying that all packets leaving a network are really from that network
at network edges/borders
Locking Down Raw Sockets
Raw Sockets Disabler and Socket Lock have been demonstrated to disable raw sockets usage in host machines where they are installed
IP v6
IPv4 is susceptible to address spoofing, IPv6 is not
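The egress filter described above, as an added example that is not from the slides: a raw-socket program has to lay out the IPv4 header itself (version/IHL, lengths, TTL, protocol, header checksum, addresses), so the helper below builds such a header and the filter parses it back, rejects corrupt headers via the RFC 791 checksum, and drops anything whose source address is not inside the site's own prefixes. The site prefix and the addresses are constructed sample values from the documentation ranges.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 when an existing checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, filled in field by field as a raw-socket sender must."""
    ver_ihl = (4 << 4) | 5            # version 4, header length 5 * 4 = 20 bytes
    ident, frag, ttl = 0x1234, 0, 64  # constructed identification value
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, frag,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def egress_allowed(packet: bytes, site_prefixes) -> bool:
    """Border egress check: permit only packets whose IPv4 source is inside our own prefixes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                  # not an IPv4 packet
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        return False                  # malformed or corrupt header
    src = ipaddress.IPv4Address(packet[12:16])
    return any(src in ipaddress.IPv4Network(p) for p in site_prefixes)


# Constructed sample: our site owns 192.0.2.0/24; protocol 1 is ICMP.
SITE = ["192.0.2.0/24"]
LEGIT = build_ipv4_header("192.0.2.10", "198.51.100.1", 1, 8) + bytes(8)
SPOOFED = build_ipv4_header("203.0.113.5", "198.51.100.1", 1, 8) + bytes(8)
```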
