<<< Date Index >>>     <<< Thread Index >>>

Re: RE: TCP Port randomization paper



Hi Fernando+BugTraq

Please see my comments below.

...
>
> Well, I guess this is the point at which an engineering
> decision is made. I mean, if one is concerned with traffic
> analysis, then make TABLE_LENGTH as large as possible. e.g.,
> with only 2KB of memory, you could compartmentalize the port
> sapce into 1024 sections.
>
>

Even so, an attacker can poll a section, or several sections (forcing the target host to connect to different IP:port combinations), and thereby gain a good estimation of the traffic (assuming it is uniformly distributed across all sections). Now, that assumption doesn't always hold (e.g. if the host only connects to several dozen other hosts), but when it does hold, traffic can be measured. True - it is weaker than the global attack, but still...

Alternatively, and assuming non-uniform (section-wise) traffic, the attacker can start with "scanning" the sections (e.g. connect to port 1 of the attacker's IP, watch for traffic, then connect to port 2, watch for traffic, etc.) - within few thousand iterations (assuming TABLE_LENGTH==1024), the section space will be almost completely covered. And the attacker will have a good idea of where (i.e. in which section(s)) the traffic is. Then the attacker only needs to monitor those sections. This assume that the traffic pattern is time-wise uniform, of course.

-Amit