lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 20 Dec 2013 09:01:18 +0100
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	Daniel Borkmann <dborkman@...hat.com>,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
	kaber@...sh.net
Subject: Re: [PATCH next v2] nf-nat: don't use per destination incrementing
 ports in nat random mode

On Fri, Dec 20, 2013 at 01:48:22AM +0100, Hannes Frederic Sowa wrote:
> We currently use prandom_u32 for allocation of ports in tcp bind(0)
> and udp code. In case of plain SNAT we try to keep the ports as is or
> increment on collision.
> 
> SNAT --random mode does use per-destination incrementing port
> allocation. As a recent paper pointed out that this mode of port
> allocation makes it possible an attacker to find the randomly
> allocated ports. So NF_NAT_RANGE_PROTO_RANDOM actually weakens the port
> randomization in regard to the attack in this paper.
> 
> You can find details in this paper:
> <https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf>.
> 
> The idea is to send burts of packets to a socket to overflow its receive
> queue and measure the latency to detect a possible retransmit when the
> port is found. Because of increasing ports to given destination and port
> further allocations can be predicted.
> 
> So switch NF_NAT_RANGE_PROTO_RANDOM to prandom_u32, too.

I think that we should be a bit more conservative and add a new option
for this and document this new behaviour, so the user can select what
approach is better according to their needs.

There are protocols that rely on consecutive port allocation to work,
eg. RTP/RCTP, I'm afraid that this full randomization approach will
break them.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ