Message-ID: <47677690.1010001@trusteer.com>
Date: Tue, 18 Dec 2007 09:28:16 +0200
From: Amit Klein <amit.klein@...steer.com>
To: bugtraq@...urityfocus.com
Cc: Fernando Gont <fernando.gont@...il.com>,
	Amit Klein <amit.klein@...steer.com>
Subject: Re: RE: TCP Port randomization paper

Hi Fernando+BugTraq

Please see my comments below.

...
 >
 > Well, I guess this is the point at which an engineering
 > decision is made. I mean, if one is concerned with traffic
 > analysis, then make TABLE_LENGTH as large as possible. e.g.,
 > with only 2KB of memory, you could compartmentalize the port
 > space into 1024 sections.
 >
 >

Even so, an attacker can poll a section, or several sections (forcing 
the target host to connect to different IP:port combinations), and 
thereby gain a good estimation of the traffic (assuming it is uniformly 
distributed across all sections). Now, that assumption doesn't always 
hold (e.g. if the host only connects to several dozen other hosts), but 
when it does hold, traffic can be measured. True - it is weaker than the 
global attack, but still...

Alternatively, and assuming non-uniform (section-wise) traffic, the 
attacker can start with "scanning" the sections (e.g. connect to port 1 
of the attacker's IP, watch for traffic, then connect to port 2, watch 
for traffic, etc.) - within a few thousand iterations (assuming 
TABLE_LENGTH==1024), the section space will be almost completely 
covered. And the attacker will have a good idea of where (i.e. in which 
section(s)) the traffic is. Then the attacker only needs to monitor 
those sections. This assumes that the traffic pattern is time-wise 
uniform, of course.

-Amit
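
Added example, not part of the original message or of the paper under discussion: a small Python model for checking how quickly distinct destination endpoints cover the sections of the counter table, so a TABLE_LENGTH choice can be evaluated against the "few thousand iterations" figure above. It assumes the section index is a keyed hash of the destination IP:port reduced modulo TABLE_LENGTH; the hash (keyed BLAKE2b), the secret, and the 192.0.2.1 address are constructed for illustration.

```python
import hashlib
import math

TABLE_LENGTH = 1024  # value used in the message


def section(secret: bytes, dst_ip: str, dst_port: int,
            table_length: int = TABLE_LENGTH) -> int:
    """Assumed mapping: keyed hash of the destination endpoint, mod table size."""
    digest = hashlib.blake2b(f"{dst_ip}:{dst_port}".encode(),
                             key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big") % table_length


def expected_coverage(endpoints: int, table_length: int = TABLE_LENGTH) -> float:
    """Expected fraction of sections hit by `endpoints` uniformly mapped endpoints."""
    return 1.0 - (1.0 - 1.0 / table_length) ** endpoints


def endpoints_for(fraction: float, table_length: int = TABLE_LENGTH) -> int:
    """Smallest endpoint count whose expected coverage reaches `fraction`."""
    return math.ceil(math.log(1.0 - fraction) / math.log(1.0 - 1.0 / table_length))


def simulated_coverage(endpoints: int, secret: bytes = b"constructed-secret",
                       table_length: int = TABLE_LENGTH) -> float:
    """Fraction of sections hit when ports 1..endpoints of one IP are used."""
    seen = {section(secret, "192.0.2.1", port, table_length)
            for port in range(1, endpoints + 1)}
    return len(seen) / table_length


if __name__ == "__main__":
    for n in (1024, 2048, 4096):
        print(f"{n:5d} endpoints: expected {expected_coverage(n):.3f}, "
              f"simulated {simulated_coverage(n):.3f}")
    print("endpoints for 99% expected coverage:", endpoints_for(0.99))
```

The model shows that enlarging TABLE_LENGTH raises the number of distinct endpoints needed roughly linearly, which is the cost side of the engineering decision discussed in the quoted text.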
