Re: iph->id randomisation
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: iph->id randomisation
- From: fire fire <fire_(_at_)_topor_(_dot_)_net>
- Date: Wed, 13 Jan 1999 14:20:31 +0200
- Organization: ToporNET LTD
- Reply-to: fire_(_at_)_topor_(_dot_)_net
[on the security-audit_(_at_)_ferret_(_dot_)_lmh_(_dot_)_ox_(_dot_)_ac_(_dot_)_uk]
[Subject of the thread: iph->id randomisation]
[wanna know if the suggestion for attack, later in the letter, REALLY applies]
[thanks!]
alan_(_at_)_lxorguk_(_dot_)_ukuu_(_dot_)_org_(_dot_)_uk said:
> If you want to implement and test and submit it do - I'm sure it will be
> accepted if it's done sanely - do remember ip_count is accessed concurrently
> by multiple processors so you need to pick a scheme without locking issues.
>
> Something like an xor with a separate cyclic generator maybe ?
OpenBSD flips between two non-intersecting, periodically reseeded LCG
PRNGs (what a mouthful), skipping a random 0-3 outputs between each
use. The random seeds and skips are strong.
However, why not just output a random id each time? After all, this is
more or less the logical equivalent of a host outputting huge amounts
of IP packets and wrapping the id very quickly. Since randomness costs
processing time, instead why not just use the low order bits of the
high resolution clock?
Using a PRNG the way OpenBSD does it still appears to be
vulnerable, if I am correct with the following logic:
find an OpenBSD host which is presumed quiescent
probe the OpenBSD host for 20 ids
brute force the 32768 possible seeds (a 15-bit seed is used) and calculate the seed which produces the 20 ids in the right order within 3 places of each other
modify hping to scan each port 4 times to ensure that the OpenBSD id is advanced beyond the next possible output
probe the OpenBSD host for the next id and compare to the expected sequence in the PRNG output with the known seed
when it all falls down due to a reseed, reprobe and brute force again.
Similarly for the traffic analysis (but less precise).
OpenBSD ip_randomid() is here:
ftp://ftp.geek-girl.com/pub/OpenBSD/src/sys/netinet/ip_id.c
Paul
[paul's e-mail: Paul Ashton <paul_(_at_)_argo_(_dot_)_demon_(_dot_)_co_(_dot_)_uk>]
Thank you,
-fire
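The seed-space argument in Paul's steps, worked through on a constructed toy generator (an added example, not code from this thread or from OpenBSD's ip_id.c). It shows that with a 15-bit seed, a handful of observed ids leaves only a few consistent internal states, after which the next id is known to within four candidates; the unpredictability of such a scheme is bounded by its hidden state, however strong the seed. The LCG constants, the 15-bit seeding and the 0-3 skip model are assumptions modelled on the description above.

```python
import random
# Constructed toy model, NOT OpenBSD's ip_id.c: a full-period 16-bit LCG seeded
# from a 15-bit value, skipping a random 0-3 outputs before each id, as described.
A, C, MASK = 25173, 13849, 0xFFFF
SEED_SPACE = 1 << 15  # 32768 possible seeds
MAX_SKIP = 3          # up to 3 hidden outputs between observed ids

def lcg_step(state):
    return (A * state + C) & MASK

class ToyIdGen:
    def __init__(self, seed, rng):
        self.state, self.rng = seed % SEED_SPACE, rng
    def next_id(self):
        # each observed id lies 1..4 LCG steps past the previous one
        for _ in range(self.rng.randrange(MAX_SKIP + 1) + 1):
            self.state = lcg_step(self.state)
        return self.state

def sync_state(seed, ids):
    """State after walking `seed` through `ids` (1..4 steps each), or None if no path fits."""
    state = seed
    for want in ids:
        for _ in range(MAX_SKIP + 1):
            state = lcg_step(state)
            if state == want:
                break
        else:
            return None
    return state

def consistent_seeds(ids):
    """Every seed in the 15-bit space that could have produced `ids` in order."""
    return [s for s in range(SEED_SPACE) if sync_state(s, ids) is not None]

def predict_next_ids(ids):
    """At most MAX_SKIP + 1 candidates: all consistent seeds share one state after the first match."""
    seeds = consistent_seeds(ids)
    if not seeds:
        return set()
    state, out = sync_state(seeds[0], ids), set()
    for _ in range(MAX_SKIP + 1):
        state = lcg_step(state)
        out.add(state)
    return out

def run_demo(seed=12345, rng_seed=7, n_obs=8):
    # observe n_obs ids, recover the consistent seeds, predict the next id, then draw it
    gen = ToyIdGen(seed, random.Random(rng_seed))
    ids = [gen.next_id() for _ in range(n_obs)]
    return ids, consistent_seeds(ids), predict_next_ids(ids), gen.next_id()
```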