On Sun, Aug 01, 1999 at 01:10:06AM +0200, Nergal wrote:
> Now let's recall another Linux feature. Many OSes (including Linux)
> assign to ID field of an outgoing IP datagram consecutive, increasing
> numbers (we forget about fragmentation here; irrelevant in this case). That
> enables anyone to determine the number of packets sent by host A: it's enough
> to ping it, note the value of ID field of received ICMP_REPLY packet, wait x
> seconds (or perform some other actions), then again ping host A. The
> difference between ID fields of received ICMP_REPLY packets is equal to (the
> number of packets sent by A in x second) +1. "Idle portscan" by antirez uses
> this technique.
Re,
i think that a consecutive IP id now can be considered
a weakness in IP stacks. Using it you today are able
at least to scan spoofed, to guess host traffic and
you can use it when you need to know if the target host
of your spoofed packet answered. Here is a patch for
linux 2.0.36, maybe it isn't SMP safe so don't use it
if your linux box have more than one CPU. Note: the name
of this patch are 'True random id', however this isn't
true, a better name is 'Truly random id'. There are
a lot of 'better possible patchs' to fix this problem, but
this patch is old and writed in 30 min. so i'm interested
in your comment about how to implement a better patch.
bye,
antirez
--
Salvatore Sanfilippo antirez_at_speedcom.it antirez_at_alicomitalia.it
ALICOM snc Tel: +39-0871-403522 Fax: +39-0871-41960 Web: www.alicom.com
try hping: http://www.kyuzz.org/antirez
FreeSilviaBaraldiniFreeSilviaBaraldiniFreeSilviaBaraldiniFreeSilviaBarald
diff -cr linux-2.0.36/Documentation/Configure.help linux-2.0.36-hack/Documentation/Configure.help
*** linux-2.0.36/Documentation/Configure.help Sun Nov 15 19:32:42 1998
--- linux-2.0.36-hack/Documentation/Configure.help Sun Dec 27 15:48:18 1998
***************
*** 1336,1341 ****
--- 1336,1349 ----
hence it is recommended that you say Y here unless you really know
what you're doing.
+ IP: True random id
+ CONFIG_ID_RAND
+ This supplies true random ip id field in order to prevent id abuse
+ in port scanning and in outgoing packets traffic guessing.
+ See http://www.geek-girl.com/bugtraq/1998_4/0609.html for more
+ informations on this topic.
+ Warning: 256 Kbytes needed.
+
IP: Allow large windows (not recommend if <16MB of memory)
CONFIG_SKB_LARGE
On high speed, long distance networks the performance limit on
diff -cr linux-2.0.36/net/ipv4/Config.in linux-2.0.36-hack/net/ipv4/Config.in
*** linux-2.0.36/net/ipv4/Config.in Thu Jun 4 00:17:50 1998
--- linux-2.0.36-hack/net/ipv4/Config.in Sun Dec 27 15:01:53 1998
***************
*** 47,50 ****
--- 47,51 ----
bool 'IP: Disable Path MTU Discovery (normally enabled)' CONFIG_NO_PATH_MTU_DISCOVERY
#bool 'IP: Disable NAGLE algorithm (normally enabled)' CONFIG_TCP_NAGLE_OFF
bool 'IP: Drop source routed frames' CONFIG_IP_NOSR
+ bool 'IP: True random id' CONFIG_ID_RAND
bool 'IP: Allow large windows (not recommended if <16Mb of memory)' CONFIG_SKB_LARGE
diff -cr linux-2.0.36/net/ipv4/ip_forward.c linux-2.0.36-hack/net/ipv4/ip_forward.c
*** linux-2.0.36/net/ipv4/ip_forward.c Thu Jun 4 00:17:50 1998
--- linux-2.0.36-hack/net/ipv4/ip_forward.c Sat Dec 26 21:47:15 1998
***************
*** 77,83 ****
--- 77,87 ----
iph->protocol = IPPROTO_IPIP;
iph->ihl = 5;
iph->tot_len = htons(skb->len + len); /* Anand, ernet */
+ #ifdef CONFIG_ID_RAND
+ iph->id = htons(getrandid());
+ #else
iph->id = htons(ip_id_count++);
+ #endif
ip_send_check(iph);
skb->dev = out;
diff -cr linux-2.0.36/net/ipv4/ip_output.c linux-2.0.36-hack/net/ipv4/ip_output.c
*** linux-2.0.36/net/ipv4/ip_output.c Thu Jun 4 00:17:50 1998
--- linux-2.0.36-hack/net/ipv4/ip_output.c Sun Dec 27 15:44:05 1998
***************
*** 30,35 ****
--- 30,36 ----
* Juan Jose Ciarlante: sk/skb source address rewriting
* Elena Apolinario Fdez de Sousa,:ipmr_forward never received multicast
* Juan-Mariano de Goyeneche traffic generated locally.
+ * Salvatore Sanfilippo : IP id random. <antirez_at_seclab.com>
*/
#include <asm/segment.h>
***************
*** 265,271 ****
--- 266,276 ----
return mac;
}
+ #ifdef CONFIG_ID_RAND
+ unsigned short getrandid(void);
+ #else
int ip_id_count = 0;
+ #endif
/*
* This routine builds the appropriate hardware/IP headers for
***************
*** 483,489 ****
--- 488,498 ----
add_to_send_queue(sk, skb);
/* fall through */
case 1:
+ #ifdef CONFIG_ID_RAND
+ iph->id = htons(getrandid());
+ #else
iph->id = htons(ip_id_count++);
+ #endif
}
skb->free = free;
***************
*** 751,757 ****
--- 760,770 ----
iph->ihl=5;
iph->tos=sk->ip_tos;
iph->tot_len = htons(length);
+ #ifdef CONFIG_ID_RAND
+ iph->id=htons(getrandid());
+ #else
iph->id=htons(ip_id_count++);
+ #endif
iph->frag_off = 0;
iph->ttl=sk->ip_ttl;
iph->protocol=type;
***************
*** 853,860 ****
/*
* Get an identifier
*/
!
id = htons(ip_id_count++);
/*
* Being outputting the bytes.
--- 866,877 ----
/*
* Get an identifier
*/
!
! #ifdef CONFIG_ID_RAND
! id = htons(getrandid());
! #else
id = htons(ip_id_count++);
+ #endif
/*
* Being outputting the bytes.
***************
*** 1209,1211 ****
--- 1226,1304 ----
#endif
}
+ #ifdef CONFIG_ID_RAND
+ unsigned int random(void)
+ {
+ static unsigned long seed=152L;
+ seed=seed*69069L+1;
+ return seed^jiffies;
+ }
+
+ #define BIT 16
+ #define M (1 << BIT)
+ #define N ((1 << BIT) - 1)
+ #define RANDOM (random() & N)
+
+ void swap(unsigned short *a, unsigned short *b)
+ {
+ unsigned short t;
+ t = *a;
+ *a = *b;
+ *b = t;
+ }
+
+ unsigned short getrandid(void)
+ {
+ static unsigned short vect1[M];
+ static unsigned short vect2[M];
+ static int status = 0;
+ static int c = 0;
+
+ if (status == 1)
+ {
+ if (c == N)
+ status = 2;
+
+ swap(&vect2[c], &vect2[RANDOM]);
+ c++; c&=N;
+ return vect1[c];
+ }
+
+ if (status == 2)
+ {
+ if (c == N)
+ status = 1;
+
+ swap(&vect1[c], &vect1[RANDOM]);
+ c++; c&=N;
+ return vect2[c];
+ }
+
+ if (status == 0) /* initial shuffling */
+ {
+ register int j;
+
+ for (j = 0; j < M; j++)
+ vect2[j] = vect1[j] = j;
+
+ for (j = 0; j < M; j++)
+ swap(&vect1[j], &vect1[RANDOM]);
+
+ status = 1;
+ printk(KERN_INFO "IP id true rand: initial shuffling completed\n");
+ }
+
+ if (status == 1)
+ {
+ if (c == N)
+ status = 2;
+
+ swap(&vect2[c], &vect2[RANDOM]);
+ c++; c&=N;
+ return vect1[c];
+ }
+
+ printk(KERN_WARNING "Warning, getrandid() status = %d\n", status);
+ return RANDOM;
+ }
+ #endif /* CONFIG_ID_RAND */
diff -cr linux-2.0.36/net/ipv4/raw.c linux-2.0.36-hack/net/ipv4/raw.c
*** linux-2.0.36/net/ipv4/raw.c Thu Jun 4 00:17:50 1998
--- linux-2.0.36-hack/net/ipv4/raw.c Sat Dec 26 21:56:37 1998
***************
*** 308,314 ****
--- 308,318 ----
* ip_build_xmit clean (well less messy).
*/
if (!iph->id)
+ #ifdef CONFIG_ID_RAND
+ iph->id = htons(getrandid());
+ #else
iph->id = htons(ip_id_count++);
+ #endif
iph->check=ip_fast_csum((unsigned char *)iph, iph->ihl);
}
}
diff -cr linux-2.0.36/net/ipv4/tcp_output.c linux-2.0.36-hack/net/ipv4/tcp_output.c
*** linux-2.0.36/net/ipv4/tcp_output.c Sun Nov 15 19:33:22 1998
--- linux-2.0.36-hack/net/ipv4/tcp_output.c Sat Dec 26 21:46:20 1998
***************
*** 523,529 ****
--- 523,534 ----
skb->localroute, sk->bound_device);
}
+ #ifdef CONFIG_ID_RAND
+ iph->id = htons(getrandid());
+ #else
iph->id = htons(ip_id_count++);
+ #endif
+
#ifndef CONFIG_NO_PATH_MTU_DISCOVERY
if (rt && ntohs(iph->tot_len) > rt->rt_mtu)
iph->frag_off &= ~htons(IP_DF);
diff -cr linux-2.0.36/net/netsyms.c linux-2.0.36-hack/net/netsyms.c
*** linux-2.0.36/net/netsyms.c Mon Jul 13 22:47:41 1998
--- linux-2.0.36-hack/net/netsyms.c Sat Dec 26 21:53:33 1998
***************
*** 107,113 ****
--- 107,115 ----
X(ip_rt_put),
X(arp_send),
X(arp_bind_cache),
+ #ifndef CONFIG_ID_RAND
X(ip_id_count),
+ #endif
X(ip_send_check),
X(ip_forward),
X(sysctl_ip_forward),
Received on Aug 06 1999
Intro
