Re: TCP port randomization

Thu, 18 Oct 2007 03:30:19 -0700 


On Wed, 17 Oct 2007, Stephen Hemminger wrote:


On Thu, 18 Oct 2007 00:31:13 +0200 (CEST)
Krzysztof Oledzki <[EMAIL PROTECTED]> wrote:




On Wed, 17 Oct 2007, Stephen Hemminger wrote:


On Wed, 17 Oct 2007 23:15:48 +0200 (CEST)
Krzysztof Oledzki <[EMAIL PROTECTED]> wrote:


Hello,

Is it normal that TCP port randomization (tested with 2.6.22) works only
when explicitly binding to a IP address:


--- cut here ---
[EMAIL PROTECTED]:~# nc 192.168.129.28 11
(UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
[EMAIL PROTECTED]:~# nc 192.168.129.28 11
(UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
[EMAIL PROTECTED]:~# nc 192.168.129.28 11
(UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused

23:11:11.896126 IP 192.168.129.2.37839 > 192.168.129.28.11: S
23:11:12.146573 IP 192.168.129.2.37840 > 192.168.129.28.11: S
23:11:12.396488 IP 192.168.129.2.37841 > 192.168.129.28.11: S
--- cut here ---


--- cut here ---
[EMAIL PROTECTED]:~# nc -s 192.168.129.2 192.168.129.28 11
(UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
[EMAIL PROTECTED]:~# nc -s 192.168.129.2 192.168.129.28 11
(UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused
[EMAIL PROTECTED]:~# nc -s 192.168.129.2 192.168.129.28 11
(UNKNOWN) [192.168.129.28] 11 (systat) : Connection refused

23:11:31.704391 IP 192.168.129.2.57204 > 192.168.129.28.11: S
23:11:34.400048 IP 192.168.129.2.14512 > 192.168.129.28.11: S
23:11:34.606707 IP 192.168.129.2.20117 > 192.168.129.28.11: S
--- cut here ---

Best regards,

                                Krzysztof Olędzki


It is a expected side effect.


So it is not possible to use randomization without binding to a specific
srcip?


The starting point for the search
is based on hash(srcaddr, dstaddr, dstport, secret).
You are using same source, dest and port so yes it will stay
the same until rekeying occurs.
The secret only changes every 5min same as TCP initial sequence number.


If I get it right, even with explicitly selected constant srcaddr port
numbers should simply increase? This is not what I observed.



When you set srcaddr, it calls bind, and bind does randomization always
independent of address.

This existing behavior may seem odd, but it shouldn't present a security
problem.


Right. Thank you very much for the explanation.

Best regards,
                                Krzysztof Olędzki





















					Reply via email to