[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: iph->id randomisation
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: iph->id randomisation
- From: fire fire <fire_(_at_)_topor_(_dot_)_net>
- Date: Wed, 13 Jan 1999 14:20:31 +0200
- Organization: ToporNET LTD
- Reply-to: fire_(_at_)_topor_(_dot_)_net
[on the security-audit_(_at_)_ferret_(_dot_)_lmh_(_dot_)_ox_(_dot_)_ac_(_dot_)_uk]
[Subject of the thread:
[wanna know, if the suggestion for attack, later in the letter, applies
> If you want to implement and test and submit it do - Im sure it will be
> accepted if its done sanely - do remember ip_count is accessed concurrently
> by multiple processors so you need to pick a scheme without locking issues.
> Something like an xor with a seperate cyclic generator maybe ?
openbsd flips between two non-intersecting periodically reseeded LCG
PRNGs (what a mouthful), skipping a random 0-3 outputs between each
use. The random seeds and skips are strong.
However, why not just output a random id each time? After all, this is
more or less the logical equivalent of a host outputting huge amounts
of IP packets and wrapping the id very quickly. Since randomness costs
processing time, instead why not just use the low order bits of the
high resolution clock?
Using a prng the way the openbsd does it, still appears to be
vulnerable if I am correct with the following logic:
find an openbsd host which is presumed quiescent
probe the openbsd host for 20 ids
brute force the 32768 possible seeds (15 bit seed is used) and
calculate the seed which produces the 20 ids in the right order within
3 places of each other
modify hping to scan each port 4 times to ensure that the openbsd id
is advanced beyond the next possible output
probe the openbsd host for the next id and compare to the expected
sequence in the prng output with the known seed
when it all falls down due to a reseed, reprobe and brute force again.
Similarly for the traffic analysis (but less precise).
openbsd ip_randomid() is here:
[paul's e-mail: Paul Ashton <paul_(_at_)_argo_(_dot_)_demon_(_dot_)_co_(_dot_)_uk>]
Visit your host, monkey.org