Windows XP SP2 modified TCPIP.SYS, adding restrictions on sending through raw sockets and on forging the source address. The details are as follows:

1) TCP packets cannot be sent through a raw socket. Attempting to do so returns error 10004.

2) UDP packets with a forged source IP cannot be sent through a raw socket.

3) IP fragments cannot be sent through a raw socket. Attempting to do so returns error 10004.

Microsoft implemented a restriction similar to item 3 above in one of its patches for 2000 SP4 (which patch is unclear), only somewhat looser:

3) Not all IP fragments can be sent through a raw socket; only the first fragment goes out. Attempting to send subsequent fragments returns error 10004.


What new functionality is added to this feature in Windows XP Service Pack 2?

Restricted traffic over raw sockets

Detailed description

A very small number of Windows applications make use of raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:

TCP data cannot be sent over raw sockets.

UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped.

Why is this change important? What threats does it help mitigate?

This change limits the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets, which are TCP/IP packets with a forged source IP address.
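The rules listed in the Chinese notes and in the "Detailed description" above can be written down as a small policy model, which is useful when reasoning about what an application's raw-socket traffic would look like under XP SP2 versus the looser Windows 2000 SP4 behaviour. The following is an added example, not code from the page or from Microsoft: it parses a standard RFC 791 IPv4 header and classifies the packet against the stated rules. The set of local interface addresses and the sample packets are constructed for the example; the Windows 2000 SP4 policy models only the fragment rule, since that is the only restriction the page attributes to it.

```python
"""Model of the raw-socket send restrictions described on this page.

Given an IPv4 packet an application attempts to send via a raw socket,
classify it under the XP SP2 rules and under the looser 2000 SP4 variant.
Header layout follows RFC 791; the rules are the ones stated on the page.
"""
from __future__ import annotations

import ipaddress
import struct
from typing import Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Constructed sample of addresses that "exist on a network interface".
LOCAL_ADDRESSES = {"192.0.2.10", "127.0.0.1"}


def parse_ipv4_header(packet: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header (RFC 791)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),  # MF flag
        "frag_offset": flags_frag & 0x1FFF,            # in 8-byte units
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def check_raw_send(packet: bytes, policy: str = "xp_sp2",
                   local_addresses=LOCAL_ADDRESSES) -> Tuple[bool, str]:
    """Return (allowed, reason) for a raw-socket send under the given policy.

    policy: "xp_sp2"   -> the three XP SP2 restrictions on this page
            "2000_sp4" -> the looser variant: only the first fragment may go out
    """
    h = parse_ipv4_header(packet)
    is_fragment = h["more_fragments"] or h["frag_offset"] != 0

    if policy == "xp_sp2":
        if h["proto"] == IPPROTO_TCP:
            return False, "rule 1: TCP cannot be sent over a raw socket (error 10004)"
        if h["proto"] == IPPROTO_UDP and h["src"] not in local_addresses:
            return False, "rule 2: UDP with a source address not on any interface is dropped"
        if is_fragment:
            return False, "rule 3: IP fragments cannot be sent over a raw socket (error 10004)"
        return True, "allowed"
    if policy == "2000_sp4":
        # Only the fragment rule is described for 2000 SP4 on this page:
        # the first fragment (offset 0) is sent, later fragments are refused.
        if is_fragment and h["frag_offset"] != 0:
            return False, "2000 SP4 rule: only the first fragment may be sent (error 10004)"
        return True, "allowed"
    raise ValueError(f"unknown policy {policy!r}")


def build_ipv4_header(proto: int, src: str, dst: str,
                      more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Build a minimal IPv4 header for the constructed sample packets (checksum left zero)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, flags_frag, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


if __name__ == "__main__":
    # Constructed sample packets covering each rule.
    samples = {
        "tcp": build_ipv4_header(IPPROTO_TCP, "192.0.2.10", "198.51.100.1"),
        "udp_spoofed": build_ipv4_header(IPPROTO_UDP, "203.0.113.99", "198.51.100.1"),
        "udp_local": build_ipv4_header(IPPROTO_UDP, "192.0.2.10", "198.51.100.1"),
        "first_fragment": build_ipv4_header(IPPROTO_UDP, "192.0.2.10", "198.51.100.1",
                                            more_fragments=True),
        "later_fragment": build_ipv4_header(IPPROTO_UDP, "192.0.2.10", "198.51.100.1",
                                            frag_offset=185),
    }
    for name, pkt in samples.items():
        for pol in ("xp_sp2", "2000_sp4"):
            print(f"{name:15s} {pol:9s} -> {check_raw_send(pkt, pol)}")
```

The model makes the difference between the two policies visible: a later fragment is refused under both, while a TCP packet, a spoofed-source UDP datagram or a first fragment is refused only under XP SP2.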