RE: TCP Port randomization paper

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: TCP Port randomization paper
From: Amit Klein <amit.klein@xxxxxxxxxxxx>
Date: Tue, 11 Dec 2007 15:56:31 +0200
Cc: fernando.gont@xxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 2.0.0.9 (Windows/20071031)

Hi Fernando+list

I'm glad to see that someone takes aim at this issue.

However, it seems that your proposal only attempts to address oneconsequence of predictable TCP source ports, namely blind TCP attacks(in all fairness, it appears that the object of your proposal is tosolve the blind TCP attacks, rather than the issue of predictable TCPsource ports; I look at it the other way around...). Naturally this is amajor outcome, but there are still other consequences, perhaps lesssevere, such as traffic analysis. For example, the naïve (and asexplained in your draft, flawed) algorithm in Fig. 1 of your IETF draftadvances next_ephemeral globally. Therefore, if the attacker can forcethe target host to periodically establish a new TCP connection to anattacker controlled machine (or through an attacker observable routingpath), the attacker can subtract consecutive source port values toobtain the number of outoing TCP connections established globally by thetarget host within that time period (up to wrap-around issues and5-tuple collisions, of course).

However, note that algorithm #3 in your proposal is also susceptible tothe same technique.

Algorithm #4 is affected as well, to some degree. The "table" arraycompartmentalize the space into TABLE_LENGTH sections. An attacker canperform traffic analysis for any section into which the attacker has"visibility", namely that the attacker can force the server to establishconnection whose G(offset) points to this section. The attacker haslittle control over to which section exactly the host will map theattacker's traffic, but once there, the attacker can monitor trafficvolumes (new outgoing TCP connections) for this arbitrary section.

Again, I don’t know if this is in scope for your draft, but I do believethat looking at the generic problem here, this should be a factor.


Thanks, and good luck,
-Amit



> -----Original Message-----
> From: Fernando Gont [mailto:fernando.gont@xxxxxxxxx]
> Sent: Friday, December 07, 2007 02:45
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: TCP Port randomization paper
>
> Folks,
>
> We have published a revision of our port randomization paper.
> This is the first revision of the document since it was accepted as a
> working group item of the tsvwg working group of the IETF (Internet
> Engineering Task Force). Any feedback on the proposed/described
> algorithms will be welcome.
>
> The document is available at:
> http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-rand
> omization-00.txt
>
> Additionally, it is available in other fancy formats (PDF and HTML)
> at: http://www.gont.com.ar/drafts/port-randomization/index.html
>
> Thanks,
>
> --
> Fernando Gont
> e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx PGP
> Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>
>
>

Prev by Date: [ MDKSA-2007:242 ] - Updated e2fsprogs packages fix vulnerability
Next by Date: [ MDKSA-2007:243 ] - Updated MySQL packages fix multiple vulnerabilities
Previous by thread: TCP Port randomization paper
Next by thread: Re: TCP Port randomization paper
Index(es):
- Date
- Thread