From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Daniel Borkmann <dborkman@redhat.com>,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
kaber@trash.net
Subject: Re: [PATCH next v2] nf-nat: don't use per destination incrementing ports in nat random mode
Date: Fri, 20 Dec 2013 09:01:18 +0100 [thread overview]
Message-ID: <20131220080118.GA4234@localhost> (raw)
In-Reply-To: <20131220004822.GC32129@order.stressinduktion.org>
On Fri, Dec 20, 2013 at 01:48:22AM +0100, Hannes Frederic Sowa wrote:
> We currently use prandom_u32 for allocation of ports in tcp bind(0)
> and udp code. In case of plain SNAT we try to keep the ports as is or
> increment on collision.
>
> SNAT --random mode does use per-destination incrementing port
> allocation. As a recent paper pointed out that this mode of port
> allocation makes it possible an attacker to find the randomly
> allocated ports. So NF_NAT_RANGE_PROTO_RANDOM actually weakens the port
> randomization in regard to the attack in this paper.
>
> You can find details in this paper:
> <https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf>.
>
> The idea is to send burts of packets to a socket to overflow its receive
> queue and measure the latency to detect a possible retransmit when the
> port is found. Because of increasing ports to given destination and port
> further allocations can be predicted.
>
> So switch NF_NAT_RANGE_PROTO_RANDOM to prandom_u32, too.
I think that we should be a bit more conservative and add a new option
for this and document this new behaviour, so the user can select what
approach is better according to their needs.
There are protocols that rely on consecutive port allocation to work,
eg. RTP/RCTP, I'm afraid that this full randomization approach will
break them.
next prev parent reply other threads:[~2013-12-20 8:01 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-19 13:40 [PATCH] nf-nat: don't use per destination incrementing ports in nat random mode Hannes Frederic Sowa
2013-12-19 23:21 ` Daniel Borkmann
2013-12-20 0:48 ` [PATCH next v2] " Hannes Frederic Sowa
2013-12-20 8:01 ` Pablo Neira Ayuso [this message]
2013-12-20 21:40 ` [PATCH v2 -next] netfilter: don't use per-destination " Hannes Frederic Sowa
2013-12-21 12:17 ` Pablo Neira Ayuso
2013-12-21 12:26 ` Hannes Frederic Sowa
2013-12-21 12:27 ` Pablo Neira Ayuso
2013-12-21 16:25 ` Daniel Borkmann
2013-12-22 3:15 ` [PATCH iptables] iptables: snat: add randomize-full support Hannes Frederic Sowa
2014-01-03 23:43 ` Pablo Neira Ayuso
2014-01-03 22:52 ` [PATCH v2 -next] netfilter: don't use per-destination incrementing ports in nat random mode Pablo Neira Ayuso
2014-01-03 23:11 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131220080118.GA4234@localhost \
--to=pablo@netfilter.org \
--cc=dborkman@redhat.com \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).