| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Dec 2007 09:28:16 +0200 From: Amit Klein <amit.klein@...steer.com> To: bugtraq@...urityfocus.com Cc: Fernando Gont <fernando.gont@...il.com>, Amit Klein <amit.klein@...steer.com> Subject: Re: RE: TCP Port randomization paper Hi Fernando+BugTraq Please see my comments below. ... > > Well, I guess this is the point at which an engineering > decision is made. I mean, if one is concerned with traffic > analysis, then make TABLE_LENGTH as large as possible. e.g., > with only 2KB of memory, you could compartmentalize the port > sapce into 1024 sections. > > Even so, an attacker can poll a section, or several sections (forcing the target host to connect to different IP:port combinations), and thereby gain a good estimation of the traffic (assuming it is uniformly distributed across all sections). Now, that assumption doesn't always hold (e.g. if the host only connects to several dozen other hosts), but when it does hold, traffic can be measured. True - it is weaker than the global attack, but still... Alternatively, and assuming non-uniform (section-wise) traffic, the attacker can start with "scanning" the sections (e.g. connect to port 1 of the attacker's IP, watch for traffic, then connect to port 2, watch for traffic, etc.) - within few thousand iterations (assuming TABLE_LENGTH==1024), the section space will be almost completely covered. And the attacker will have a good idea of where (i.e. in which section(s)) the traffic is. Then the attacker only needs to monitor those sections. This assume that the traffic pattern is time-wise uniform, of course. -Amit
Powered by blists - more mailing lists