lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.64.0710181228320.12701@bizon.gios.gov.pl>
Date:	Thu, 18 Oct 2007 12:29:25 +0200 (CEST)
From:	Krzysztof Oledzki <olel@....pl>
To:	Stephen Hemminger <shemminger@...ux-foundation.org>
cc:	netdev@...r.kernel.org
Subject: Re: TCP port randomization



On Wed, 17 Oct 2007, Stephen Hemminger wrote:

> On Thu, 18 Oct 2007 00:31:13 +0200 (CEST)
> Krzysztof Oledzki <olel@....pl> wrote:
>
>>
>>
>> On Wed, 17 Oct 2007, Stephen Hemminger wrote:
>>
>>> On Wed, 17 Oct 2007 23:15:48 +0200 (CEST)
>>> Krzysztof Oledzki <olel@....pl> wrote:
>>>
>>>> Hello,
>>>>
>>>> Is it normal that TCP port randomization (tested with 2.6.22) works only
>>>> when explicitly binding to a IP address:
>>>>
>>>>
>>>> --- cut here ---
>>>> root@fw1:~# nc 192.168.129.28 11
>>>> (UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
>>>> root@fw1:~# nc 192.168.129.28 11
>>>> (UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
>>>> root@fw1:~# nc 192.168.129.28 11
>>>> (UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
>>>>
>>>> 23:11:11.896126 IP 192.168.129.2.37839 > 192.168.129.28.11: S
>>>> 23:11:12.146573 IP 192.168.129.2.37840 > 192.168.129.28.11: S
>>>> 23:11:12.396488 IP 192.168.129.2.37841 > 192.168.129.28.11: S
>>>> --- cut here ---
>>>>
>>>>
>>>> --- cut here ---
>>>> root@fw1:~# nc -s 192.168.129.2 192.168.129.28 11
>>>> (UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
>>>> root@fw1:~# nc -s 192.168.129.2 192.168.129.28 11
>>>> (UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
>>>> root@fw1:~# nc -s 192.168.129.2 192.168.129.28 11
>>>> (UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
>>>>
>>>> 23:11:31.704391 IP 192.168.129.2.57204 > 192.168.129.28.11: S
>>>> 23:11:34.400048 IP 192.168.129.2.14512 > 192.168.129.28.11: S
>>>> 23:11:34.606707 IP 192.168.129.2.20117 > 192.168.129.28.11: S
>>>> --- cut here ---
>>>>
>>>> Best regards,
>>>>
>>>>  				Krzysztof Olędzki
>>>
>>> It is a expected side effect.
>>
>> So it is not possible to use randomization without binding to a specific
>> srcip?
>>
>>> The starting point for the search
>>> is based on hash(srcaddr, dstaddr, dstport, secret).
>>> You are using same source, dest and port so yes it will stay
>>> the same until rekeying occurs.
>>> The secret only changes every 5min same as TCP initial sequence number.
>>
>> If I get it right, even with explicitly selected constant srcaddr port
>> numbers should simply increase? This is not what I observed.
>>
>>
> When you set srcaddr, it calls bind, and bind does randomization always
> independent of address.
>
> This existing behavior may seem odd, but it shouldn't present a security
> problem.

Right. Thank you very much for the explanation.

Best regards,
 				Krzysztof Olędzki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ