A Raw Socket is simply a reference to the capability of a computer program to bypass the operating system's protocol stack and hand the network hardware packets it has assembled itself. Normally, a program must go through an intermediary, the operating system's networking Application Programming Interface (API), which builds the IP and TCP headers on the program's behalf before anything reaches the computer's hardware. This keeps the headers consistent and reduces the chance of error.
This power can be understood by looking at how a mailing system works. In a business environment, most letters and mailers are sent out on company letterhead in a prestamped envelope. This increases productivity and reduces the risk of addressing errors. In addition, it legitimizes the message, because any message on company letterhead is assumed to be the real deal. The same applies to the normal way data is sent from one computer to another. By using an API, a program must use the prepackaged digital envelopes to pass data on to the Internet. This makes the API responsible for ensuring that the required information, such as the destination and return address, is present and correct in each packet.
Raw Sockets, on the other hand, allow a computer program to directly control every field in the packet, headers included. In other words, this would be the same as using a custom stamp to create company letterhead on-the-fly. Although this power would give the sender more control over what information is stamped on the envelope, such as the return address, it also would increase the potential for error. Likewise, Raw Sockets allow their users to customize any part of a data packet, which increases the chance of error, be it accidental or intentional. For example, Raw Sockets give a hacker the ability to create a packet whose source address (its return address) belongs to someone else.
One of the most prevalent threats Raw Sockets help to facilitate is the infamous SYN flood denial-of-service (DoS) attack. Typically, a client initiates a conversation with another computer by sending it a packet with the SYN (synchronize) flag set. This tells the host that someone wants to open a connection, and the host replies with a SYN-ACK (synchronize-acknowledge) packet addressed to the source address written in the SYN. The client receives the SYN-ACK, which tells it that the host exists and is ready to accept the connection. The client then sends one final ACK (acknowledge) packet, informing the host that it received the SYN-ACK; the connection is now established and data can flow.
If a hacker had the ability to forge a packet's information, he or she could create a SYN packet with a fake, or spoofed, return address. In this case, the host would receive the SYN packet from the hacker's computer, read the source address, and send its SYN-ACK to the spoofed address. If there were no computer at that address, the host would retransmit the SYN-ACK several times and wait, typically a minute or more, before giving up on the connection. During that time, the host keeps an entry for the half-open connection, waiting for an ACK that never comes. A listening service can hold only a limited number of half-open connections (its backlog queue), so a hacker sending spoofed SYNs faster than old entries expire could quickly fill that queue, and new, legitimate connection attempts would be dropped. If a live computer did sit at the spoofed address, it would answer the unexpected SYN-ACK with a reset (RST) and free the entry, which is why attackers choose addresses that will not respond.
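The handshake and the half-open queue described in the two paragraphs above, as an added example that is not part of the original article: it assembles the same IPv4 and TCP header bytes a raw-socket program would hand to the network (with whatever source address the caller chooses), then runs them through a simplified model of a listening socket with a bounded backlog. Nothing is sent on the wire. The addresses 192.0.2.10, 198.51.100.7 and 10.99.0.0/24, the fixed SERVER_ISN, and the Listener class are all constructed for the example.

```python
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
SERVER_ISN = 1000          # assumed fixed initial sequence number for the model
SERVER_IP = "192.0.2.10"   # documentation address standing in for the victim host


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_packet(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """IPv4 + TCP headers (no options, no payload) as a raw-socket program would
    build them.  Every field, including src_ip, comes from the caller; nothing
    stops it from writing a 'return address' that is not its own."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(packet):
    """Pull out the fields a receiving host acts on."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


class Listener:
    """Model of a listening TCP socket: a bounded table of half-open connections
    (SYN seen, SYN-ACK 'sent', final ACK still outstanding)."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}      # (src_ip, sport) -> ISN we used in the SYN-ACK
        self.established = []
        self.dropped = 0

    def receive(self, packet):
        p = parse(packet)
        key = (p["src"], p["sport"])
        if p["flags"] & RST:
            # A real host that never sent the SYN answers our SYN-ACK with RST,
            # which frees the slot; that is why floods use unreachable sources.
            return "reset" if self.half_open.pop(key, None) is not None else "ignored"
        if p["flags"] & SYN:
            if len(self.half_open) >= self.backlog:
                self.dropped += 1
                return "dropped"
            # The SYN-ACK is addressed to p["src"], whatever the sender wrote there.
            self.half_open[key] = SERVER_ISN
            return "syn-ack"
        if p["flags"] & ACK and key in self.half_open and p["ack"] == self.half_open[key] + 1:
            del self.half_open[key]
            self.established.append(key)
            return "established"
        return "ignored"


def normal_handshake():
    """Client 198.51.100.7 completes SYN / SYN-ACK / ACK against an idle listener."""
    srv = Listener(backlog=5)
    first = srv.receive(make_packet("198.51.100.7", SERVER_IP, 51515, 80, 7, 0, SYN))
    second = srv.receive(make_packet("198.51.100.7", SERVER_IP, 51515, 80, 8, SERVER_ISN + 1, ACK))
    return first, second, len(srv.established)


def syn_flood(backlog=5, spoofed_syns=8):
    """Attacker sends SYNs from addresses nobody answers from (10.99.0.0/24 is a
    constructed, assumed-unreachable range), then a legitimate client tries."""
    srv = Listener(backlog)
    for i in range(spoofed_syns):
        src = "10.99.0.%d" % (i + 1)
        srv.receive(make_packet(src, SERVER_IP, 40000 + i, 80, i, 0, SYN))
    legit = srv.receive(make_packet("198.51.100.7", SERVER_IP, 51515, 80, 7, 0, SYN))
    return legit, len(srv.half_open), srv.dropped


if __name__ == "__main__":
    print("normal handshake:", normal_handshake())
    print("under SYN flood :", syn_flood())
```

With a backlog of five, the sixth spoofed SYN and every later one, including the legitimate client's, is dropped while the five half-open entries sit waiting for ACKs that will never arrive; a RST from any of those source addresses would free its entry, which is the case the attacker avoids by picking silent addresses.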
This is the threat that Steve Gibson fears from the inclusion of Raw Sockets in Windows XP/.NET. Ironically, soon after he published his warning, his Web site was attacked and forced offline by a different kind of DoS attack, one that did not use Raw Sockets at all.