TCP/MS, We'll Cure What Ails You
Cringely can string some words together from time to time, and this week's installment is a pretty good one. He's been reading a little too much Gibson (raw sockets have nothing to do with the spread of MSTD [?] 's), but overall, he's probably right. When the time is ripe, I think we'll see a move exactly like this.
While I can't help with 2-4, I wrote 2 things that help with #1. My web site offers the ability to Test Your E-mail Defenses by e-mailing you a harmless VBScript file. (It reads your registry, but doesn't change anything or send any info out.)
I also wrote Script Sentry which traps those VBS scripts (as well as DOC, XLS, SHS, SHB, REG, HTA, and more), shows you details as to what it would do if run, and lets you decide whether or not you really want to run it. So if a user opens up that new Love Letter they just got in the mail and sees a "This will change your registry" message, hopefully they will be scared/wise enough to cancel the action.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Slow down your shoveling boy... you might hurt yourself.
So exactly how can Microsoft's IPv6 stack be proprietary, when they don't own the routers, switches, et al? You see, if they change the format of the packets, then the router needs to accept the new format. Since CISCO should be setting up their IPv6 stuff to the agreed standard, that leaves Microsoft little choice.
Microsoft's network protocol implementations have always been fairly standard and able to interact with the world at large. I don't see that changing in the future.
As for IPv6, I don't see that really rolling out until XP covers much of the marketplace. XP (and the Server 2002 editions) should have native IPv6 support.
Stop spewing FUD. It isn't any more endearing than when Microsoft does it.
Natural != (nontoxic || beneficial)
-- ;-)
Kuro5hin.org: where the good times never end.
Look, raw sockets in windows are not the end of the world: they're available already, open source (http://netgroup-serv.polito.it/winpcap/), and you can run them as a non-privileged user. Inasmuch as MS have a concept of privileged users.
Even if they weren't, there are SO MANY possible security exploits you can run using a small army of 0wn3d windows boxes. Including (but not limited to) just packeting the crap out of Steve "Bloody" Gibson's webserver. For instance, has anyone considered using something to script the IE network libraries (COM objects, I would imagine) in the background and launch a 'many millions of perfectly valid requests, complete with cookies and everything' attack?
How would you defend against that?
This whole raw socket thing has been blown out of all proportion. Can we please stop fretting and find a way of PREVENTING these big attacks from being spread. Or possible. Or something.
Dave >:(
I write a blog now, you should be afraid.
Someone needs to write some viruses that do the following things:
1) educates -- infects your computer and gives you
a multimedia presentation on flaws within "Hi! I'm Victor Virus!
I'm an Outlook Virus. How did I get in your machine?"
2) secures -- "Would you like me to install a Zone Management
package?"
3) explains alternatives -- "Did you know there are other alternatives
to Microsoft?"
4) Highlights Microsoft abuses...
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
There seems to be a lot of confusion about this.
Raw Sockets allow someone to send forged IP packets (spoofing) that appear to come from any IP address the sender chooses.
This makes filtering a DoS attack harder, because you can no longer filter the traffic by IP or domain.
So, right now the limited defense in the DDoS zombie attacks from Windoze is the fact that the IP packets have valid source addresses. These can be filtered at backbone or ISP provider routers.
If these attacks used spoofed IP packets, there would be no easy defense.
Netscape 4 requesting from IIS is markedly slower than you'd expect by looking at relative performance on Apache with NN and IE.
I'm not so sure about this. While experimenting with Squid's user agent logging facility to see who was running what browser on my network, I noticed that MS Internet Explorer actually claims to be "Mozilla 4.0" - go figure.
I can say for certain that Microsoft's support web site does not tolerate unknown browsers graciously at all - when confronted with Netscape 6.0 beta or a Squid anonymised user agent string, it got stuck on one page redirecting back to itself...
You know, I thought the same thing as she did in the past. I'd worked for large companies and I knew how incompatibilities cropped up and it was just from engineers being distanced from their customers.
Well, I was chatting with an ex-microsoft employee who had moved over to the white-side and he put things in perspective. Microsoft has strategic meetings where they sit around a table and say "how can we own this?"
That put a different light on all those subtle incompatibilities I had always had to deal with.
Backslash instead of slash in paths... / for options instead of - (remember switchchar? ..someone took it out) CR/LF instead of NL. ^Z as EOF. blah, blah. I wonder how many of these are deliberate?
"Cringely" and Dvorak keep saying, "No, seriously, shutdown the Internet and replace it with something secure."
They're missing the first law of complex systems. I can't remember the exact quote, but it goes something like:
All complex systems that work began as simple systems that worked.
You can't replace today's Internet, the result of decades of evolution, with something purpose-built from scratch to do as much. The attempt will suffer from the second-system effect, and just plain won't work.
It's easy for a columnist to ask for something drastic. Too easy. But it sells papers (or click-thrus, or whatever we're selling today).
I don't know about you guys (and gals), but last time I was at this tiny web site for a tiny computer manufacturer, I had the choice of Win98 SE, WinME, Win2K or Win2K with an upgrade to WinXP. That doesn't sound like manufacturers are limiting my choice of viable Microsoft operating systems to me.
People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them. I know you hate this idea, but I think the Internet needs a fingerprint.
Hmm... And who would control this "fingerprint"? Our beloved government, who is trustworthy? A large computer corporation like, say, Microsoft? And how would something like this work internationally? Who is forcing you to accept attachments now? I run Win98, WinME, Win2K and WinXP all on different machines. Over the last week, I've been sent about 10 emails with both SirCam and Badtrans, and none of my machines are infected. Why? First off, I didn't open the attachments right away. Second, I tested the attachments by saving them and then scanning them first. This is not a difficult concept! If someone puts a big package in your mailbox at home, and it's ticking, do you just open it up if the return address says it's from someone you trust?
You can choose not to have a fingerprint, but then your ability to communicate with others may be limited -- a price many people may choose to pay.
This is endorsed by the same crowd that bitches about MS Passports?
If kids want to install an Internet game, the game's IP port would be registered and permitted to operate, hopefully by the parent.
Why can I not see this happening in the general population? The average users I know bitch about having to confirm Internet activity when Zone Alarm or other personal firewalls pop up and ask.
Programmers who ought to be familiar with Microsoft's plans have suggested that the real motive for raw socket support is for Microsoft to use Windows XP to exploit a bad situation, to deliberately make things worse.
Jesus, what a conspiracy theory. This guy gets paid for this?
Move along, Cringely. Common sense tells us that you're just spreading FUD. Meanwhile, I'll get modded down for criticizing you, I'm sure.
--SC
You can already do this. You can trace email. You can block email from those you don't know. And this system won't work to block email worms because usually they come from people who you know.
Caller ID, like rdns mapping of incoming ip addresses (cumbersome) etc. You can do this sort of strategy on so many levels... Of course someone who says that Linux is safer than Windows on one hand and that raw sockets are dangerous evidently is simply parroting what he has read and not actually studied the matter. Has he heard of any sort of authentication service or tactic? That is what these are about and of course many people do block people without the proper credentials from access to their networks ;)
Raw sockets exist in Windows 2000, and I assume that it has a bit to do with the FreeBSD code in the TCP/IP stack... This code has helped to make Win 2k far more stable on a network than its predecessor, IMO. If they are such a problem, why not accuse Linux or FreeBSD of the same problem...
He also states:
And what's with those file attachments, anyway? Replace mail clients and APIs with secure models. The new model will not run attachments as they do today. E-mail attachments should not have access to the e-mail client, APIs, etc. Attachments should not have access to the operating system by default. The user should approve the use of some APIs, like having to give permission before device drivers are updated.
This guy is out to lunch. It is simply sufficient to limit user privileges and require them to export the attachments before they can be run.
The only e-mail activity on my PC should be initiated by me, personally. Nothing else should access my address book or send out messages without my express permission. Microsoft will of course reject the idea, mostly because it will fail the "increase market share litmus test." My answer is, "Microsoft, if you do not take responsibility for locking down your APIs, it will become obvious to the public and become a detriment to your market share."
Which Office XP does quite nicely. Of course SirCam bypasses these controls and sets up its own smtp server... You cannot get around it totally. I am no more a Microsoft fan than the next guy, but this guy is a bit over the top...
LedgerSMB: Open source Accounting/ERP
???!
So says gibson. Why does that make things easier? Have you ever set up a screening router? You can filter out whatever you want...
Gibson constantly plugs Zone Alarm, so it's not surprising that people who don't read carefully would think that Zone Alarm is a GRC product, not a Zone Labs product.
If Gibson wrote Zone Alarm, it'd look as ugly as hell, have lots of BIG and alternating fonts, but be less than 300k in size, written in ASM, and fast as hell.
Actually, I've heard that IPv6 is not popular because none of the current backbone equipment will switch it and no one wants to be responsible for conversion from v6 to legacy IP...
If MS's implementation is buggy/not compatible, then it probably won't work through any switches or routers, and they will have to change it. IPv6 does have some provisions for vendor specific fields, ala Kerberos, but that'll go over about as well as MS's TNF email format (read 'not at all'), esp. in such a wide open environment as the 'net.
After all, it's not called the INTERnet for nothing. However, I don't doubt that they will be able to push their proprietary extensions into corporate environments, but they really already have done that (SMB & MAPI).
The reality is that TCP/IP is really too low level for MS to worry about. There is no added value to controlling packets, only the payload, which is why they are pushing
Chris.
-- I don't have a cool sig.
Cringely makes a very astute observation: How did MS manage to avoid having all those VBS viruses tagged as MS Windows viruses or MS Outlook viruses instead of "email" viruses?
Laws affecting technology will always be bad until enough techies become lawyers.
AOL/TW own vast content holdings, which are at risk from file sharing. Now it's MP3s, but as broadband spreads, DivX files of movies will become a massive problem. It would be in AOLTW's interest if the anarchic design of the Internet was replaced by one which enforces accountability and traceability. And if the content industry push it hard enough, we may see laws mandating traceability in TCP/IP, preceded by a campaign in the AOLTW/Murdoch/Vivendi/Bertelsmann media about how child pornographers are using the Net with impunity and nobody can stop them.
Hasn't microsoft already brok^H^H^H^H embraced-and-extended TCP/IP lots of times before?
There was a time when Sun servers responded "slowly" to windows HTTP requests because microsoft changed the behavior of TCP slowstart, etc...
I'm sure there are other examples.
I used to respect this person but now I have to wonder what kind of technical background he has and if that background is backed up by any sound reasoning ability. I remember watching Conspiracy Theory in the theaters (You know, with Mel Gibson). That had some pretty crazy ideas but this is just nuts. At one point in this article he suggests that everyone lose his or her anonymity. Then at another point in the article he criticizes Microsoft for their supposed protocol, which will remove anonymity. This article seems more like a rant by a frustrated Windows user than an actual intelligent discussion on the security problems of Windows.
The two main points of this article are based on flawed assumptions.
1. Raw sockets in windoze is not the end of the world. *nix systems have them, even vxworks. A number of ISP's filter forged packets. If this type of spoofing is such a harm, it is trivial for ISPs to implement this. Crippling stack interfaces in OS'es is ridiculous.
2. Passport will not authenticate every connection made on the net. Sorry, this is a pipe dream M$ sold you on somehow. And second, priority net traffic based on M$ passport is even more impossible.
Although most end-users are running a MS-based operating system, there is simply too much non-MS underlying internet infrastructure for such a radical change in protocol. TCP/IP is going to be around for a very long time.
Furthermore, how is it exactly that TCP/MS would prevent things like Code Red from happening? An application is vulnerable to stack overflow exploits because of the application code itself, not because of the protocol through which it receives data. Registering the ports that an application listens on won't help if the app contains a vulnerability.
Cringely goes on to suggest that all connections be traceable - well, that's fine, except that it doesn't solve the problem of people launching viruses from public terminals, or obtaining free trial dialup accounts using fictitious information. Digitally signing specific applications with an Active-X control style GUID, and only granting access to validly signed applications might help, but I can't see developers embracing that idea. Even if they did, it only takes one compromised certificate to release any number of malicious programs.
And did Gibson actually write Zone Alarm? Cringely seems to think so, but it's marketed by Zone Labs, not GRC.COM. Anyone know for sure?
Strags
SOCK_RAW access permits applications to spoof source IP addresses, thus disguising the source of a DoS attack.
We could implement a secure user identity system precisely like telephone Caller ID. It would be essentially an Internet ID. All Internet transactions could be based on it. Anyone who sends me e-mail can be identified. Anything I send can be traced to me. People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them.
You can already do this. You can trace email. You can block email from those you don't know. And this system won't work to block email worms because usually they come from people who you know.
Get with it, man!
Dancin Santa
--News Flash Y2K was a hoax.
--News Flash The internet is not going to be "shut down" by any stupid virus.
--Any half decent FW comes with its own proprietary TCP/IP stack... Yeah MS might think about changing over to something else.
--It is time for "technologists" to cut it out and stop trying to scare the Hell out of everyone with this MS is evil and the internet is falling shit.
--Bottom line if MS was as bad as WE all think it is it WOULD disappear. Truth is it isn't that horrible. For 90 minutes at a time it's a great gaming platform.
The deal is that w/out raw sockets, in order to send large amounts of data, you have to send UDP packets with the data. When creating a datagram socket (i.e. for sending UDP packets), you don't have to get a successful return from connect() prior to sending data. Thus you can just start sending huge packets.
But with stream socket (i.e. for sending TCP packets), you have to get a successful return from connect() before you can start sending data. Which means that before you can send any data to a server, you have to send a SYN packet, get a SYN-ACK packet back, and then send an ACK packet. Only then will connect() return with a success, and then you can start bombing away at the server with huge packets. But even then if you don't send them in a form that is recognizable by the application, the server will just issue a RST and close down the connection. For example, if your stream doesn't include HELO foobar, when you connect to an email server, the server will just disconnect.
Non-raw sockets make it easier to filter out attacks at the upstream provider because they are usually UDP packets which your web application does *not* need. So you just filter them and then you're done with it.
With raw sockets, it becomes *much* harder to filter upstream. With a raw socket, you can create a SYN packet from a random IP address to a web server on PORT 80. That SYN packet can be 9k long if you want it to be. And it will be to a port that you can't easily filter out. Basically, it makes the DDoS attack much easier and harder to prevent. The attack could come from any IP address, and it will be destined for your web server, which (presumably) you want to keep running. How do you filter out a packet destined to port 80 from possibly anywhere without also filtering out the legitimate connections?
Of course, even without raw sockets, you can still initiate a DDoS attack against a TCP port. If there were fewer script kiddies and more programmers, it would not be that difficult to write a simple program that uses a stream socket, and DDoS's with a well formed HTTP POST that posts 18MB of data. If the DDoS kiddies were able to program, then that's what they'd do, and they wouldn't need raw sockets to accomplish it.
So while I agree that the addition of raw sockets really isn't that big of a deal, it seems to me that it's a little bit more complex than what I've seen so far.
$.02
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
This seems like a nice idea, but I'm not for it, and I'm not sure if it even feasible. An IP address is already like caller ID.
Lets say you were assigned this new unique ID. Who's responsible for ensuring the identity of the payload remains unaltered? The software maker? That sounds familiar! Today, when you send mail, your message might sit at several relays. Is it up to the mail server to implement tracking of this ID? Could you not simply make a mail server that ignored this precedent and spoofed whatever it wanted? This seems the same as someone getting a shell on a box and running some kind of custom relay meant for delivering spam mail anonymously.
I also can't imagine a business deciding to ignore mail based on the lack of this identification. If you have to favor security over a new customer, you have other problems.
The funny thing about this article is that a PC implementing his ideas for security could easily exist now, but the fact is Microsoft isnt going to do that. If they can't follow measures to implement good security now, why would they under this new system?
Personally, I hope the answer to all this DOS'ing does not involve me losing what anonymity I do have (which doesnt seem like much at this point anyway).
This is true, I have NO IDEA what Cringely is saying when he says that raw sockets allow for more viruses and such to be introduced to your system.
For the uninitiated...
Generally, when programming, you define a great many things when defining a socket, the layer of abstraction to tcp/ip defining a single connection.
SOCK_RAW is a bit less abstract, you define more of the data that is being used by hand rather than allowing for the socket code to do it for you. Generally you use SOCK_STREAM or SOCK_DGRAM, which define TCP and UDP sockets, respectively. SOCK_RAW writes directly to IP, so you must encode many of the headers manually rather than automatically, as the other 2 would do, and then write them to this socket.
In other words, it has NOTHING to do with getting viruses! SOCK_RAW is just another socket, but you are writing to the IP protocol, rather than TCP or UDP (which sit on top of IP). It also has nothing to do with being DoS attacked. I have NO CLUE where he got that from.
Micro$oft (NASDAQ: M$FT) today realized that their new TCP/MS protocol will not function over the Internet's (mostly-non-M$) infrastructure. The TCP/MS protocol is designed to address some of the security issues involved with the industry-standard TCP/IP protocol. It allows for authentication and tracing, to allow large corporations to know who does what, when, where, and how.
Micro$oft is not held back by this issue, however. They are currently working on developing a solution called "MS-over-IP" which will allow TCP/MS packets to travel over non-M$-compliant IP networks. This will be available as a patch to the upcoming Windows XP, for approximately $300. Micro$oft also notes that if your ISP refuses to conform to the new TCP/MS standard, and you do not wish to spend $300, you may switch to their M$N Internet $ervice, which will support native TCP/MS connections.
Micro$oft did not return any calls to our reporters on this issue, and simply sent us an E-Mail saying: "All your packets are belong to us."
One of the reasons that IPv6 is not very popular is because the MS version is proprietary as hell. MS is waiting for the big switch to IPv6 so incompatibilities between Unix and NT/winME could show up. At the time when the first MS-IPv6 stack was written, ms arrogantly assumed NT would own 80% of the server market by the time IPv6 became standard.
With almost everything running on NT, MS could then easily convince IT managers to only run NT on all servers for full network compatibility. The good news is that Microsoft's server dream never came quite true. Unix is still king on the Internet and is surprisingly gaining marketshare. At only 35% of the server market, I believe the MS IPv6 will not be very standard even if the whole Internet switches to the standard IPv6. But due to the MS-IPv6 problem, IPv4 will never quite go away.
http://saveie6.com/
We already have a replacement for IP that does many of these things. It's already supported under Linux, and probably a couple of other OSs I don't know about.
It's called IPv6, and it has QOS, guaranteed delivery, traceability, and a whole host of other goodies. C'mon, do you really think Cisco would let MS take away their bread and butter? IPv6 has been in the works for years and was designed specifically to solve all of the issues he mentions. I guess he thinks that only MS is smart enough to develop a new protocol...
This whole article is a red herring, and Cringely's about as technically literate as a door knob.
But Cringely's real point is that Microsoft is a very powerful company with a long history of turning its own technical shortcomings into market strengths. Microsoft's PR machine is incredibly effective - witness the FUD that kicks into high gear any time MS announces anything.
It's also instructional to remember a few Microsoft projects that didn't go off as planned. Ever wonder why journalists never bring up those failed efforts, or points to the millions of wasted dollars MS has spent over the years on vaporware?
Remember how Microsoft Bob was going to "personalize" the computing experience? Well, it failed not once, but twice! Remember how Chrome was going to "revolutionize the industry," according to the drooling press?
Because Microsoft is the 800-lb. gorilla of the software world, even when they fail, they get the benefit of the doubt. It comes with the territory. Also, because the Microsoft culture is fanatical about continuous improvement, they have a long history of sucking hard at v1, sucking at v2, becoming fairly usable at v3, and taking over the market by v4 and beyond.
Microsoft has been doing this long enough to realize an opportunity when they see one. Cringely is reminding us that unlike all of you Slashdot readers out there, Microsoft is driven not by desire to build cool, useful technology, but by the desire to control marketshare. That's the be-all, end-all of their existence.
So whether Cringely is correct about raw sockets or the demise of TCP/IP doesn't really matter. Almost every company that has gone toe-to-toe against Microsoft in a market segment has failed because they continually underestimate and miscalculate Microsoft's strengths (IBM, Novell, Apple, WordPerfect, Lotus).
Microsoft has an overarching vision of the computer marketplace that is far more evolved than any of their competitors, with the possible exception of Sun.
Microsoft remains unconcerned with business ethics, is unafraid of censure by the government, and wouldn't hesitate to use the ubiquity of their own flawed products as an excuse to move the foundation of the Internet to a proprietary framework.
Microsoft doesn't give a shit about the history of the Internet and the spirit in which it was created. They don't give a shit about letting everyone in.
If Microsoft believes they can make the Internet a proprietary environment that they can control, they will work relentlessly toward that end.
Read the EFF's Fair Use FAQ
I can see the part about TCP/MS as being a remote possibility, but the real problem with the theory is the part about Microsoft introducing something like raw sockets specifically to encourage abuses that they hope will subsequently be blamed only on hackers, UNIX, and TCP/IP itself.
This would seem to be an extremely risky strategy due to the high potential that it could backfire from a public perception point of view. My experience is that despite the fact that some people are apologetic toward Microsoft as Cringely points out, there is a steadily growing public perception of the weakness of Microsoft products.
Many Windows users that I know use it because they feel they have to, either for the applications they need, because their workplace demands it, or because they feel they are too non-technical to use an alternative like Linux (and believe me, many of them are). They are well aware of the instabilities and the susceptibility to virii, and in fact many of the Windows users I know joke about it all the time even though they use Windows for various practical reasons.
I think at this point in time, if Windows XP doesn't live up to the MS hype about it being a more stable and robust platform, and ends up in fact being less robust, they run a significant risk of damaging their public perception; probably not fatally, but noticeably none the less. Given the fact that a wholesale migration to TCP/MS, while possible, is far from a sure thing, this would seem to be a rather risky strategy.
No he's not saying viruses spread over raw sockets. He's saying that many viruses/worms like Code Red have the end effect of creating a denial of service attack; denial of service attacks are very difficult to block when the addresses of the packets are spoofed. He's saying that in the future, when 90%+ of the world is running Windows XP (and Windows 95/98/ME/2000 has been discontinued by Microsoft- ever try to get Windows 3.1 anymore?), and 90% of those people haven't used third party tools to secure their computers, there will be a continuous series of distributed denial of service attacks, and viruses like Code Red which will effectively bring the Internet to a halt. (Most servers aren't running Microsoft OSes, but most of the clients are- the fact that Apache is the most used server is completely unimportant in this matter. Code Red isn't as bad as predicted because most people don't run Windows 2000, but XP unifies the server and consumer OSes so it'll be running on a very large number of computers, making these future problems several orders of magnitude worse.) The end result (as predicted by Cringely) is that Microsoft will extend and embrace TCP to get the Internet (which will be rendered useless by script kiddies and/or attacking foreign governments) working again.
Once implemented, if your web server doesn't speak MS/TCP then no one with Windows will be able to see your site. (And the only servers that will have bug free implementations of MS/TCP will be running a Microsoft OS.) Think that little ploy is hardly enough to overturn the Internet? Then why am I using IE right now? Their ploys have undone greater marketshares.
Someone said that Cisco is working on a way to prevent spoofed IPs at the router, if this is true, then this speculation is for naught. However, the fact that this is plausible should be a wake up call. Microsoft owns all of us. This is the straw that broke the camel's back, I'll resign before I install Windows XP. Microsoft's abuse of their monopoly is an affront to freedom. Live free, or die.
Quoted from Cringely:
If it were not for Microsoft's carefully worded user license agreement, which holds the company blameless for absolutely anything, they would probably have been awash in class action lawsuits by now.
But can't sysadmins sue Microsloth for the gross negligence that consumes our bandwidth?
I know the license agreement that I made when I opened my Windows 2000 CD only affected my Windows 2000 desktop. It has *nothing* to do with the bandwidth - which I pay for - that this stupid [expletive deleted - Ed.] worm has consumed.
I'm not normally litigious, but Microsoft needs to clean up their act.
Anyone know a good class-action lawyer?
Fire and Meat. Yummy.
I didn't know Steve Gibson wrote Zone Alarm. When did this happen? What happened to Zone Labs?!
Yeah, right.
The bee in Gibson's bonnet (and therefore Cringely's, cuz we know where he gets his material) is IP source address spoofing. He thinks that Windows XP will somehow make this much easier.
He's right.
But it doesn't matter.
There are already several easy technical fixes to prevent source spoofing, and if Gibson and Cringely's fantasy comes true, they will all be deployed in various Internet routers in a matter of weeks. Some of them already are implemented in Cisco routers, but are not enabled by default. Long before things can come to sufficient head to justify Microsoft's appearance as an off-white knight to ostensibly save the day.
See also this article from Network Magazine.
IPv6 does not have any more support for QoS than IPv4 (except for the flow label, only useful with RSVP, which is very rarely deployed). I work for a software company that enables people to deliver QoS today on IPv4, and quite a few are happily doing so.
IPv6 does not have 'traceability' - there is an IETF RFC detailing how to have slowly changing IEEE identifiers (MAC addresses) so that your IPv6 address will not include a static ethernet card MAC address. No more traceable than IPv4, and better in some ways.
IPv6 has no more guaranteed delivery than IPv4 - both of them can use TCP to ensure delivery of packets, but IPv6 has no special features in this area.
IPv6 is all about larger address space, easier router/host configuration and auto-configuration, easier re-addressing, better mobile IP, reduced routing table sizes, simplified options processing, and simplified headers. Please read up on IPv6 at http://www.ipv6forum.com before making these misleading statements.
If these attacks used spoofed IP packets, there would be no easy defense.
Except for if every damn net admin would WAKE UP and SMELL THE COFFEE and IMPLEMENT EGRESS FILTERING or SOURCE ROUTE VERIFICATION or whatever your router calls it.
If you have a router built within the last 5 years, I can pretty much guarantee you it supports it. So turn it on already!
If every border router on the internet used it, we could stamp out IP address spoofing overnight. No magic about it. All the border router has to do is check that the source address of the packet is within the range of addresses that it 'owns'. If it isn't, drop it, and log the MAC address so that it can be traced.
Easy huh? Any router worth its salt can do it, so...
Please!?!? What does it take to convince you?
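The check the post describes (a border router forwarding a packet only if its source address falls inside the prefixes the site owns, dropping it and logging the sending MAC otherwise), written out as an added example that is not part of the original thread; the prefixes and packets are constructed sample data.

```python
import ipaddress

# Constructed prefixes for a hypothetical site; not taken from the original post.
OWNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed sample of outbound packets seen at the border router:
# (source IP, destination IP, MAC address of the inside host that sent it)
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.5", "00:11:22:33:44:55"),        # legitimate
    ("192.0.2.77", "198.51.100.5", "00:11:22:33:44:66"),          # spoofed: not our range
    ("2001:db8:1::42", "2001:db8:ffff::1", "00:11:22:33:44:77"),  # legitimate (IPv6)
    ("10.0.0.9", "198.51.100.5", "00:11:22:33:44:55"),            # spoofed: private source
]


def source_is_owned(src, owned=OWNED_PREFIXES):
    """True if src lies inside one of the prefixes this border router owns."""
    addr = ipaddress.ip_address(src)
    # Membership test only makes sense within the same IP version.
    return any(addr in net for net in owned if net.version == addr.version)


def egress_filter(packets, owned=OWNED_PREFIXES):
    """Apply egress filtering to outbound packets.

    Returns (forwarded, log): packets whose source is inside our prefixes are
    forwarded; anything else is dropped and a log entry records the source MAC
    so the offending inside host can be traced.
    """
    forwarded, log = [], []
    for src, dst, mac in packets:
        if source_is_owned(src, owned):
            forwarded.append((src, dst, mac))
        else:
            log.append(f"DROP spoofed src={src} dst={dst} from mac={mac}")
    return forwarded, log


if __name__ == "__main__":
    out, dropped = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(out)}, dropped {len(dropped)}")
    for entry in dropped:
        print(entry)
```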
When *I* was a youngin, IBM could do no wrong with many decision makers. I swore I'd never have my head in my ass when I got into decision making positions.
Now I'm 42 and one step away from making the decisions. I can INFLUENCE them now, and due to that, we run Apache for our web servers, I've stopped any thought of IIS from being implemented, and run Linux where possible and NT reluctantly in some applications....
So don't forget this stuff. Microsoft may gain that market share, but one day hopefully pointy-haired bosses will be a bit better educated and make better decisions and not get sucked in by marketing hype.
Oh, I can dream, I can dream...
When I worked at an Air Force base - and we had perfectly good Sun Sparc20's running as our servers (mail, dns, SQL, etc)...
.NET.. why should we think that they will stop there?
my boss told me that because we were upgrading to Windows 95.. that it was time to ditch all those servers and get Windows servers with Exchange, et al...
I asked him why should we get rid of our perfectly running servers which had given us no trouble at all just to move to Microsoft? "Because, we're getting in contractors now, and they only know Windows NT 4.0."
Later on, it was then decided that instead of bases having their own servers and their own email systems, that now that we'd all moved to Exchange, that we'd all put our GALs together (Global Address List - the list that Outlook/Exchange VBScripts use as their distro lists to replicate themselves), then we'd really kick ass.. no more joe.blow@otherairforcebase.af.mil...
my reply was - um... LDAP servers? open Source? Hello? Anyone?
well, skip ahead to today - the US Air Force (and soon all of DoD) is going to be moving from its now Air Force-wide GAL (why we just pull the plug now during virus scares and why we were down for weeks during Melissa) to Active Directory.
back when I shut down all my Sun boxes.. I told my boss that this was just stupid.. why should we give up on what works just to buy what Microsoft is giving us? Their goal was not to give us good products, but to get us to buy their products... and things like Exchange, with its GAL, are just the first protocols that they are trying to hijack and take back on the internet... eventually, all the open ones would be overthrown by the new default MS proprietary ones that would ship someday with newer versions of Windows.
I thought it might end with email.. but I see that I'm wrong.. I agree with Cringely... its going to go all the way.. and we have no way to stop it..
MS will take over the internet.. they already took over filesharing with SMB, they are taking over email with Exchange, they have taken over HTML with Explorer, they are trying to take over java with
sigh.. oh well..
guns kill people like spoons make Rosie O'Donnell fat.