Because a RAW socket can forge arbitrary IP packets, it is relatively unsafe.
1. XP SP2 and later prohibit sending packets with a spoofed (different) IP address. If you send using an IP that is not bound to a local network interface, sendto returns an error.
Microsoft's official explanation reads as follows:
Restricted traffic over raw sockets
Detailed description
A very small number of Windows applications make use of raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:
TCP data cannot be sent over raw sockets.
UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped.
Why is this change important? What threats does it help mitigate?
This change limits the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets, which are TCP/IP packets with a forged source IP address.
2. However, XP, 2000 and 2003 all support sending packets with a spoofed source IP. Using this principle you could even develop a UDP Flood attack. On an old server with 100M bandwidth, a C++ implementation reached 30,000 PPS, that is 30,000 packets per second, occupying roughly 50M of bandwidth.
3. Whether this method can simulate a DDoS attack, i.e. emulate the TCP stack establishing a TCP connection: I have not tested it myself; interested readers can try it for themselves.
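To make the two restrictions quoted from Microsoft concrete, here is an added example (my own code, not from the original post) that models the check the XP SP2 stack applies before a raw send: it parses an IPv4 header as a program would hand it to an IP_HDRINCL raw socket and reports whether the datagram would be dropped. The set of local interface addresses and the sample packets are constructed for the test; nothing is sent.

```python
import struct
import ipaddress

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_ipv4_header(packet: bytes) -> dict:
    """Parse the fixed 20-byte part of an IPv4 header (options are skipped)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("malformed IPv4 header")
    return {"proto": proto, "ihl": ihl,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}


def raw_send_allowed(packet: bytes, local_addrs) -> tuple:
    """Apply the two documented XP SP2 rules to an IP_HDRINCL-style packet.

    Returns (allowed, reason). local_addrs is the set of addresses that exist
    on a local network interface; the caller supplies it (assumption)."""
    hdr = parse_ipv4_header(packet)
    if hdr["proto"] == IPPROTO_TCP:
        return False, "TCP data cannot be sent over a raw socket"
    if hdr["proto"] == IPPROTO_UDP and hdr["src"] not in set(local_addrs):
        return False, f"UDP source {hdr['src']} does not exist on any local interface"
    return True, "ok"


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int = 0) -> bytes:
    """Constructed sample header for offline tests only (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


if __name__ == "__main__":
    local = frozenset({"192.0.2.10"})  # constructed: the only address bound locally
    for name, pkt in [
        ("udp from local address", build_ipv4_header("192.0.2.10", "198.51.100.5", IPPROTO_UDP, 8)),
        ("udp from spoofed address", build_ipv4_header("203.0.113.7", "198.51.100.5", IPPROTO_UDP, 8)),
        ("tcp from local address", build_ipv4_header("192.0.2.10", "198.51.100.5", IPPROTO_TCP, 20)),
    ]:
        print(name, "->", raw_send_allowed(pkt, local))
```

The filter models only the two rules Microsoft documents; a sendto error on the real stack is the observable result of the same decision.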