1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
// SOCK_RAW Socket - Raw Packet Access Attack
//
// WHY SOCK_RAW IS DANGEROUS:
// Raw sockets allow a process to craft and send arbitrary network packets,
// bypassing the kernel's normal protocol processing. This gives direct
// access to the network at the IP layer or below.
//
// ATTACK CAPABILITIES:
// 1. IP spoofing - Send packets with forged source addresses
// 2. Protocol attacks - Craft malformed packets to exploit vulnerabilities
// 3. Network scanning - Send ICMP, TCP SYN without normal restrictions
// 4. Sniffing - Capture all packets on the network interface
// 5. ARP spoofing - Redirect network traffic
//
// SECURITY IMPLICATIONS:
// - Normally requires CAP_NET_RAW capability
// - Docker blocks raw sockets by default
// - Can be used to attack other containers on the same network
// - Enables network-level exploits from within sandbox
//
// EXAMPLES OF RAW SOCKET MISUSE:
// - Ping of Death attacks
// - SYN flood attacks
// - DNS amplification
// - ICMP tunneling for data exfiltration
//
// WHY THIS PAYLOAD:
// This payload attempts to create a SOCK_RAW socket. A secure sandbox
// must block this socket type via seccomp filtering.
//
// EXPECTED RESULT:
// Sandbox should kill the process with SIGSYS (signal 31) when
// socket(AF_INET, SOCK_RAW, ...) is called.
//
// REFERENCES:
// - https://man7.org/linux/man-pages/man7/raw.7.html
// - Docker seccomp: blocks SOCK_RAW by default
//
int