Dave, Thanks for the prompt reply, much appreciated.

On Mon, Aug 15, 2005 at 01:25:10PM -0700, David S. Miller wrote:
> UDP does not have the same kind of vulnerability from port
> number guessing. In fact, UDP is extremely vulnerable for

Yes it does. Nameservers also need to send outgoing packets. The DNS 'keyspace' for response spoofing is a sad 16 bits, there are two bytes available in the DNS packet. By randomising the source port, another 16 bits are added to this keyspace.

More importantly, there is no good way to randomize the source port from userspace, it will never be very robust. See below for sample horrible code.

> Another factor influencing this is the fact that most UDP usage is of the
> request/response type where the port identity only exists for those two
> packets.

Not if you are a nameserver doing outgoing questions, although you could conceivably waste an fd per packet, but it would still have very predictable source port numbers.

> I really don't think it's worth the work to add UDP port
> randomization at all.

I currently need to do ugly stuff like this to get somewhat random source port numbers:

    /* try up to ten random ports in 10000..59999, keep the first one that binds */
    for(n=0; n<10; n++) {
      sin.sin_port = htons(10000+(random()%50000));
      if(bind(d_sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
        break;
    }
    (.. error checking ..)

Which is not very robust. Getting a random source port on a busy server might actually turn out to be a very expensive operation from userspace.

Or am I missing something?

Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
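A more careful userspace version of the bind loop in the message above, added here as an example and not code from Bert or PowerDNS: it draws ports from the kernel's random device instead of random(), maps the draw onto the port range without modulo bias, and retries only on EADDRINUSE so that other bind failures are reported instead of masked. It assumes POSIX sockets and /dev/urandom; the address and port range are chosen for the example. It does not remove the cost Bert describes: every attempt is still a bind() call, and a busy server still burns one fd per outstanding port.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Map a 32-bit random draw onto [lo, hi] by rejection sampling, so no
 * port is favoured by a modulo remainder. Returns 0 if the draw fell in
 * the biased tail and must be repeated. */
int port_from_random(uint32_t r, int lo, int hi, int *port)
{
    uint64_t span = (uint64_t)(hi - lo + 1);
    uint64_t limit = (UINT64_C(1) << 32) - ((UINT64_C(1) << 32) % span);
    if (r >= limit)
        return 0;
    *port = lo + (int)(r % span);
    return 1;
}

/* Bind a UDP socket to a random port in [lo, hi] on addr (dotted quad,
 * assumed "127.0.0.1" below). Makes at most max_tries bind() attempts and
 * retries only on EADDRINUSE. Returns the bound port, or -1 with errno set. */
int bind_random_udp_port(int fd, const char *addr, int lo, int hi, int max_tries)
{
    FILE *urandom = fopen("/dev/urandom", "rb");  /* OS randomness, not random() */
    if (!urandom)
        return -1;
    int result = -1, tries = 0;
    while (tries < max_tries) {
        uint32_t r;
        int port;
        if (fread(&r, sizeof r, 1, urandom) != 1)
            break;
        if (!port_from_random(r, lo, hi, &port))
            continue;                 /* rejected draw, no bind attempted */
        tries++;
        struct sockaddr_in sin;
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_port = htons((uint16_t)port);
        if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
            break;
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0) {
            result = port;
            break;
        }
        if (errno != EADDRINUSE)
            break;                    /* a real error, not a port collision */
    }
    int saved = (result < 0 && tries >= max_tries) ? EADDRINUSE : errno;
    fclose(urandom);
    errno = saved;
    return result;
}
```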