Re: RE: TCP Port randomization paper
Hi Fernando+BugTraq
Please see my comments below.
...
>
> Well, I guess this is the point at which an engineering
> decision is made. I mean, if one is concerned with traffic
> analysis, then make TABLE_LENGTH as large as possible. e.g.,
> with only 2KB of memory, you could compartmentalize the port
> space into 1024 sections.
>
>
Even so, an attacker can poll a section, or several sections (forcing
the target host to connect to different IP:port combinations), and
thereby gain a good estimation of the traffic (assuming it is uniformly
distributed across all sections). Now, that assumption doesn't always
hold (e.g. if the host only connects to several dozen other hosts), but
when it does hold, traffic can be measured. True - it is weaker than the
global attack, but still...
Alternatively, and assuming non-uniform (section-wise) traffic, the
attacker can start with "scanning" the sections (e.g. connect to port 1
of the attacker's IP, watch for traffic, then connect to port 2, watch
for traffic, etc.) - within a few thousand iterations (assuming
TABLE_LENGTH==1024), the section space will be almost completely
covered. And the attacker will have a good idea of where (i.e. in which
section(s)) the traffic is. Then the attacker only needs to monitor
those sections. This assumes that the traffic pattern is time-wise
uniform, of course.
-Amit
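The two polling strategies described in the message above (sampling a few sections and scaling up when traffic is uniform; sweeping probe ports to find the hot sections when it is not), as an added simulation that is not part of this thread and does not reproduce the scheme from the paper under discussion. It assumes a simple model of a sectioned table: one counter per section, the section for a destination chosen by a keyed hash of dst IP and port mod TABLE_LENGTH, and the ephemeral port derived from a per-section secret offset plus the counter. The attacker can make the target connect to any port on an attacker-controlled address and sees the source port each time. ATTACKER_IP, FIXED_PEERS and all function names are constructed for the example.

```python
"""Simulation of the section-polling traffic-analysis attack sketched above.

Assumed model (the paper's actual scheme is not reproduced on this page):
the host keeps TABLE_LENGTH counters, maps each destination to a section as
H(secret, dst_ip, dst_port) mod TABLE_LENGTH, and picks the ephemeral port as
MIN_PORT + (offset[section] + counter[section]) mod PORT_RANGE. The attacker
sees the source port of every connection the host makes to the attacker's IP
and can force such connections (e.g. via a web page or a DNS lookup) at will.
"""
import hashlib
import random

TABLE_LENGTH = 1024
MIN_PORT, MAX_PORT = 1024, 65535
PORT_RANGE = MAX_PORT - MIN_PORT + 1
ATTACKER_IP = "198.51.100.7"          # attacker-controlled address (constructed)
# constructed "few fixed peers" for the non-uniform case: mail, DNS, proxy
FIXED_PEERS = [("192.0.2.25", 25), ("192.0.2.53", 53), ("192.0.2.80", 8080)]


class SectionedHost:
    """Target host with one ephemeral-port counter per section."""

    def __init__(self, seed):
        rng = random.Random(seed)
        self.secret = rng.getrandbits(128).to_bytes(16, "big")
        self.offsets = [rng.randrange(PORT_RANGE) for _ in range(TABLE_LENGTH)]
        self.counters = [0] * TABLE_LENGTH

    def section(self, dst_ip, dst_port):
        data = self.secret + dst_ip.encode() + dst_port.to_bytes(2, "big")
        return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % TABLE_LENGTH

    def connect(self, dst_ip, dst_port):
        """Open a connection and return the source port the host chose."""
        s = self.section(dst_ip, dst_port)
        port = MIN_PORT + (self.offsets[s] + self.counters[s]) % PORT_RANGE
        self.counters[s] += 1
        return port


def uniform_traffic(host, per_window, seed):
    """Return a background() that makes per_window connections to random
    destinations each time it is called (traffic spread over all sections)."""
    rng = random.Random(seed)

    def background():
        for _ in range(per_window):
            ip = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
            host.connect(ip, rng.choice((53, 80, 443)))
    return background


def peer_traffic(host, peers):
    """Return a background() that connects once to each fixed peer per call
    (traffic concentrated in a few sections)."""
    def background():
        for ip, port in peers:
            host.connect(ip, port)
    return background


def measure(host, probe_port, background):
    """One poll: force a connection to probe_port, let traffic run, force
    another. The port jump minus our own first probe is the number of
    connections the host made in that section in between."""
    before = host.connect(ATTACKER_IP, probe_port)
    background()
    after = host.connect(ATTACKER_IP, probe_port)
    return (after - before) % PORT_RANGE - 1


def estimate_window_traffic(host, k, background):
    """Uniform case: poll k probe ports (about k distinct sections) and scale
    the per-section counts up to the whole table."""
    total = sum(measure(host, p, background) for p in range(1, k + 1))
    return total * TABLE_LENGTH // k


def scan_hot_ports(host, n_probe_ports, background):
    """Non-uniform case: sweep probe ports 1..n; a port whose counter moved
    shares a section with a real peer. Returns those probe ports."""
    return [p for p in range(1, n_probe_ports + 1) if measure(host, p, background) > 0]


def monitor(host, hot_ports, background):
    """Follow-up: poll only the hot ports and report per-port counts."""
    return {p: measure(host, p, background) for p in hot_ports}


if __name__ == "__main__":
    host = SectionedHost(seed=1)
    est = estimate_window_traffic(host, 256, uniform_traffic(host, 2000, seed=2))
    print("uniform: true 2000 connections per window, estimated", est)

    host = SectionedHost(seed=3)
    hot = scan_hot_ports(host, 4000, peer_traffic(host, FIXED_PEERS))
    print("non-uniform: hot probe ports", hot)
    print("sections they hit:", sorted({host.section(ATTACKER_IP, p) for p in hot}),
          "real peer sections:", sorted({host.section(ip, pt) for ip, pt in FIXED_PEERS}))
    print("monitoring hot ports:", monitor(host, hot, peer_traffic(host, FIXED_PEERS)))
```

The polls are sequential (one probe port, one window, one probe port), so two probe ports that happen to land in the same section do not contaminate each other's counts. With 4000 probe ports over 1024 sections each section is missed with probability about (1023/1024)^4000, roughly 2%, which is the "almost completely covered" of the message; the sweep only finds peers that actually connect during every window, which is the time-wise uniformity assumption stated above.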