grsec 2.1.3 and tcp pid randomization

PostPosted: Wed Mar 09, 2005 5:18 pm
by Abaddon
What has happened to tcp pid randomization? This option was useful, is there any way to turn it on?

Re: grsec 2.1.3 and tcp pid randomization

PostPosted: Thu Mar 10, 2005 6:41 am
by onyx
Abaddon wrote: What has happened to tcp pid randomization? This option was useful, is there any way to turn it on?

TCP randomisation is turned off, because the official 2.6.11 already contains it. If you connect to the same IP, TCP ports are not randomized, but if you connect to some other machine, you will see that it's randomized.

PostPosted: Thu Mar 10, 2005 2:06 pm
by Abaddon
No, no no...

len=46 ip=xxx.xxx.xxx.xxx ttl=63 DF id=12600 sport=0 flags=RA seq=0 win=0 rtt=2.9 ms
len=46 ip=xxx.xxx.xxx.xxx ttl=63 DF id=12601 sport=0 flags=RA seq=1 win=0 rtt=2.2 ms
len=46 ip=xxx.xxx.xxx.xxx ttl=63 DF id=12602 sport=0 flags=RA seq=2 win=0 rtt=5.1 ms

PostPosted: Thu Mar 10, 2005 7:18 pm
by onyx
quoted from the grsec mailing-list:

> During testing of kernel 2.6.11 with grsecurity 2.1.2 and config
> option Security Level set to high, I have noticed that TCP source ports are
> no longer random. I have checked the kernel config and both
> CONFIG_GRKENSEC_RANDNET & CONFIG_GRKENSEC_RANDSRC are set to y.

A feature equal in aim to the random TCP source ports feature, but
different in implementation was added to 2.6.11. Repeated connections
to the same host and port over a given time interval will have an
incrementing source port. Connections to a different host or the same
host and a different port will have a "random" source port.

For more information on the new implementation in Linux and the reason
behind it, see:
http://www.ietf.org/internet-drafts/dra ... ion-00.txt

-Brad


I myself didn't try it, but I believe Brad.

PostPosted: Fri Mar 11, 2005 4:46 pm
by spender
The IP IDs do indeed increment for a specific host during a specific session. If you make another connection, you'll see that it doesn't increment where the other session left off. This is enough to prevent the bounced portscan attacks which relied on a global ip id counter.

-Brad
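As an added illustration of the per-destination scheme Brad describes above (this is a model written for this page, not code from grsecurity or the Linux kernel): source ports start at a keyed-hash offset that depends on the destination and advance with a single per-connection counter, and IP IDs keep a per-destination counter seeded from a keyed hash. The port range, the secret and the addresses are constructed for the example and are assumptions, not values from the thread.

```python
import hashlib
import hmac
import os

# Ephemeral port range assumed for the model (typical of 2.6-era kernels).
PORT_MIN, PORT_MAX = 32768, 61000


class PerDestinationAllocator:
    """Toy model of per-destination offset randomisation (not kernel code).

    Ports: a keyed hash of (src, dst, dport) gives each destination its own
    starting point; one global counter advances per connection, so repeated
    connections to a destination walk upward while another destination
    lands at an unrelated offset.  IP IDs: each destination host gets its
    own counter seeded from a keyed hash, so no global counter is exposed.
    """

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.port_counter = 0      # global, advances once per connection
        self.ipid_counters = {}    # per-destination IP ID state

    def _keyed_hash(self, label, key):
        mac = hmac.new(self.secret, label + b"|" + key.encode(), hashlib.sha256)
        return int.from_bytes(mac.digest()[:4], "big")

    def source_port(self, src_ip, dst_ip, dst_port):
        span = PORT_MAX - PORT_MIN + 1
        offset = self._keyed_hash(b"port", f"{src_ip}|{dst_ip}|{dst_port}")
        port = PORT_MIN + (offset + self.port_counter) % span
        self.port_counter += 1
        return port

    def ip_id(self, dst_ip):
        if dst_ip not in self.ipid_counters:
            self.ipid_counters[dst_ip] = self._keyed_hash(b"ipid", dst_ip) & 0xFFFF
        ident = self.ipid_counters[dst_ip]
        self.ipid_counters[dst_ip] = (ident + 1) & 0xFFFF
        return ident


def demo(secret=b"constructed-secret"):
    """Three connections to one host/port, then one to a different host."""
    alloc = PerDestinationAllocator(secret)
    same = [alloc.source_port("10.0.0.5", "192.0.2.10", 80) for _ in range(3)]
    other = alloc.source_port("10.0.0.5", "198.51.100.7", 80)
    ids = [alloc.ip_id("192.0.2.10") for _ in range(3)]
    return same, other, ids
```

Running `demo()` shows the three ports to 192.0.2.10 climbing by one each, the port to 198.51.100.7 sitting at its own hash-derived offset, and the IP IDs for 192.0.2.10 incrementing from a seed that a second allocator with a different secret would not share.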