ok, looking at it this way, it would be easier for a rogue program, once installed on your machine, to build its own packet and fire it out. but you could always do this. it was just more difficult because you had to deal with building your own device driver first. of course, the key is 'once installed'. so from the outside, trying to get in, there is no difference. a port is either open or it's not. raw or not raw makes no difference that way. you have to have something listening in order to exploit a weakness. unless of course it is some kind of bogus flaw in the stack implementation.

my two cents worth.

moose.

On February 26, 2002 05:44 am, you wrote:
> Hi,
>
> I did follow the Steve Gibson vs Microsoft vs detractors debate about IP
> address spoofing but I don't see that to be much of a concern for my
> personal security - I doubt that someone would want to expend the effort in
> performing a DDOS attack on my poor, lowly 56K dialup connection (although
> I might be a bit annoyed if my machine was to take part in an attack). What
> I am worried about is an IP-address spoofed script-kiddie, using a PC while
> mummy and daddy are out shopping, with a "point and click" hack program
> that can access my machine without tripping a firewall. Of course, I could
> just attempt to keep the machine trojan free but I thought I would try to
> look at the problem from this approach.
>
> Perhaps I misunderstand how raw sockets work but the stack diagram that I
> saw indicated that any application may use a raw socket via the kernel.
>
> App<-------------------------------a---->Kernel<----b---->network layer
> (Raw socket approach - Path 1)
> App<-------> TCP/IP stack--a---->Kernel<----b---->network layer (Typical
> approach - Path 2)
>
> (From what I understand, any application may use either path in Windows XP)
>
> Therefore, is it not possible for an application to reside on your PC that
> can communicate via its own protocol using raw sockets?
> - as I said, I'm
> thinking primarily of trojans and such like. My question to the firewall
> people was where did their firewall protection fit in - was it at point a
> (and did the firewall cover both routes) or point b in the diagram. I never
> actually had an answer categorically stating that this is not an issue at
> all for raw sockets and that it did not matter from those people so it
> would be nice to hear that I do have the wrong end of the stick.
>
> Regards,
> Dan
>
> From: michael brown @MITVMA.MIT.EDU (27/02/2002 01:21)
> To: PICLIST@MITVMA.MIT.EDU
> Subject: Re: [OT]: XP/Firewalls/raw sockets
>
> > Just a quick question about those in the know about Windoze raw sockets
> > and firewalls. I've asked several firewall suppliers (Tiny, etc) how their
> > products cope with raw sockets, i.e. whether the firewall covers only the
> > TCP/IP stack or whether they make some attempt to protect against raw
> > socket accesses, too. None of them are forthcoming on this issue which
> > only leads me to think that they do not protect and that you are quite
> > exposed on a raw socket system, in terms of trojans/spyware/etc even with
> > such a firewall (ok, yes, you are exposed anyway as it is not difficult to
> > send data out via browsers and such like but that is another issue).
>
> Raw sockets (on your pc) are not a threat to *your* computer. They are a
> serious threat to the rest of the world. Unfortunately, most routers and
> personal firewall systems don't seem to care if the source ip address is
> believable. If ISPs would only implement some simple filtering, ip
> address spoofing would become a lot less effective. MS demonstrated 0
> responsibility in addressing the issues that raw sockets present.
> In
> distributed DOS attacks, there is no way to protect yourself from spoof
> attacks and still remain on the internet. If you can't tell the "good
> guys" from the "bad guys" there's not much you can do to filter out the
> bad ones.
>
> > Anyone have any comments on this subject, preferably minus ones involving
> > "switch to Linux/*nix" ;-)?
>
> I won't say it then. ;-)
>
> > Regards,
> > Dan
>
> --
> http://www.piclist.com hint: PICList Posts must start with ONE topic:
> [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads
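The "simple filtering" Michael Brown asks ISPs for above is what RFC 2827 / BCP 38 calls ingress filtering: a customer-facing router forwards a packet only if its source address is "believable", i.e. inside a prefix assigned to that link. The following is an added Python model of such a filter, not code from this thread; the customer prefixes and the sample packets are constructed.

```python
import ipaddress

# Constructed: address blocks the ISP has assigned to the customer behind this link.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed: sources that should never leave a customer link (private, loopback,
# link-local, multicast) regardless of which prefixes are assigned.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def source_is_believable(src, customer_prefixes=CUSTOMER_PREFIXES,
                         bogons=BOGON_PREFIXES):
    """True if a packet with source address `src` may be forwarded upstream.

    A source is believable only if it lies inside a prefix assigned to this
    link and inside no bogon range. Malformed or wrong-family addresses
    (an IPv6 source on an IPv4-only link) are dropped.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if any(addr in net for net in bogons):
        return False
    return any(addr in net for net in customer_prefixes)


def filter_packets(packets):
    """Split packet dicts into (forwarded, dropped) lists.

    The dropped list is what a defender counts and alerts on: a burst of
    drops from one link means a host behind it is emitting spoofed traffic.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_believable(pkt["src"]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic seen on the customer-facing interface.
SAMPLE_PACKETS = [
    {"src": "203.0.113.7", "dst": "192.0.2.1"},     # legitimate customer host
    {"src": "198.51.100.33", "dst": "192.0.2.1"},   # legitimate, second block
    {"src": "198.51.100.200", "dst": "192.0.2.1"},  # outside the /25: spoofed
    {"src": "192.0.2.50", "dst": "192.0.2.1"},      # someone else's address: spoofed
    {"src": "10.1.2.3", "dst": "192.0.2.1"},        # private source: bogon
]
```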