From owner-freebsd-security Thu Apr 12 12:58:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id E02BE37B423 for ; Thu, 12 Apr 2001 12:58:51 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GBP3HK00.JTP; Thu, 12 Apr 2001 12:58:32 -0700 Message-ID: <3AD60902.D6134503@globalstar.com> Date: Thu, 12 Apr 2001 12:58:58 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Wes Peters Cc: Mike Silbersack , Rob Simmons , Mark T Roberts , freebsd-security@FreeBSD.ORG Subject: Re: non-random IP IDs References: <3AD5F274.547D0350@softweyr.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Wes Peters wrote: > > Mike Silbersack wrote: > > > > On Thu, 12 Apr 2001, Rob Simmons wrote: > > > > > On Thu, 12 Apr 2001, Mike Silbersack wrote: > > > > > > > Each IP packet sent has with it a 16-bit ID. The numbers must remain > > > > unique over a short period of time so fragmentation can work properly. As > > > > such, everything except recent openbsds simple increments the id by 1 for > > > > each packet sent out. > > > > > > What is the behavior of OpenBSD for this? If its not important, why would > > > they change it? > > > > They generate pseudo-random, nonrepeating ids. For the actual algorithm, > > see: > > > > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.2&content-type=text/x-cvsweb-markup&cvsroot=openbsd > > > > Although it's nice in theory, the amount of work required to generate the > > ids seems too great to justify for each packet sent. (Note that I said > > "seems", I'm not sure if anyone has done actual benchmarks to determine > > the actual impact.) > > Just like TCP sequence numbers, non-predictable IP IDs are *supposed to* > make it somewhat harder to insert bogus fragments into a packet stream. > If you are a router, this won't make a bit of difference in your ability > to frag a packet and stick whatever data you want into it; if you are > not a router your ability to see a fragmented packet go by and inject > other frags into it is almost non-existant anyhow, so I don't see much > value in this. It's mostly just in fitting with the OpenBSD "deny them > everything" approach. If you can see the stream, you can presumably read the IP ID on the actual packets and forge them without knowing the IP ID ahead of time. Using incrementing ones _maybe_ just buys the attacker a few microseconds of time since he has to analyze the stream anyway to inject data where he wants. There are much easier attacks when you can see the whole stream and inject packets. Actually, I think the vunlnerability most people think of first is doing stealthy port scans. For example, if you have a low volume host with one port open, you can access the port and read the IP ID. You can then spoof a packet to another port on the host. You never see the response, or lack thereof, to the spoofed scan. However, you hit the open port again and check the IP ID. If it has not incremented, the host or a firewall in between probably dropped the scan packet. If the IP ID has incremented, the host likely generated a response (either a SYN-ACK, RST, ICMP unreach, etc.) which went off to the spoofed address. Depending on what kind of scan you are spoofing, you can make a pretty good guess at what a response or lack of a response implies about the port's status. The attacker hides his activity by doing something not at all hostile looking (e.g. HTTP requests) as he does the scan. Of course if this is a _really_ low traffic host, the administrator of the box might note that the HTTP access corresponded to these scans coming from another host (if no one is looking at the logs for scans in the first place, why bother being stealthy). But in the case where the firewall administrator and the HTTP daemon administrator are different people, or perhaps even when the HTTP host is not busy, but the firewall is, this activity might be better obfuscated. But yes, the question of whether the effort, the complexity added to the kernel, and the CPU cycles needed for randomization are worth the reduced risk of attack, IMHO, does not have a clear cut answer. -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message