Thoughts on How to Mount an Attack on tcpdpriv's ``-A50'' Option...

Abstract:

tcpdpriv(1) provides a mechanism for outputting randomized IP addresses (using the -A50 option). By so doing, the amount of information encoded in the output IP addresses is larger than with the options that output IP addresses as sequential numbers (but less than with the -A99 option, which leaves the output IP addresses identical to the input addresses). This document discusses an approach that might be used to crack an output file that has been encoded with the -A50 option.

Acknowledgement and DISCLAIMER

The following is primarily the work of Tatu Ylonen <ylo@ssh.fi>, and is provided here with the following:

DISCLAIMER: THIS INFORMATION IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL TATU YLONEN BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS INFORMATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Overview

The coding produced by the -A50 option is good enough to keep Joe Random Hacker out, but not necessarily good enough to keep governments or well-informed experts from determining where the data was taken from. Note that once you have accurately located a single machine, you know quite accurately the addresses of other machines on the local network. You can also make guesses like ``I bet the external gateway (which you can easily recognize from traffic patterns, as well as from having e.g. cisco's hardware ethernet address) has either address .1 or .254'', etc., and guess quite a bit of the remaining information. Also, it is quite common to have the name server at .1.
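The reason one located machine gives away its neighbours is that the -A50 mapping is prefix-preserving: two real addresses that agree in their first n bits are mapped to two output addresses that agree in exactly their first n bits, so subnet boundaries survive the randomization intact. The following is an added example, not tcpdpriv's code: a simplified model of a table-based prefix-preserving mapping (longest-prefix match against already-mapped addresses, keep the mapped prefix, randomize the rest), plus a check a trace owner can run before release to see how much network structure the output still carries. The sample trace uses constructed addresses from the documentation ranges.

```python
import ipaddress
import random

# Constructed sample trace (documentation ranges, not real hosts): three hosts on
# one /24 and two unrelated addresses.
SAMPLE_TRACE = ["192.0.2.1", "192.0.2.17", "192.0.2.254", "198.51.100.5", "203.0.113.9"]


def common_prefix_len(a: int, b: int) -> int:
    """Number of leading bits (MSB first) that two 32-bit integers share."""
    diff = a ^ b
    return 32 if diff == 0 else 32 - diff.bit_length()


def shared_bits(addr_a: str, addr_b: str) -> int:
    """Same as common_prefix_len, for dotted-quad strings."""
    return common_prefix_len(int(ipaddress.IPv4Address(addr_a)),
                             int(ipaddress.IPv4Address(addr_b)))


class PrefixPreservingAnonymizer:
    """Simplified model of the table-based prefix-preserving scheme behind
    tcpdpriv -A50 (illustrative code, not tcpdpriv's own). A new address keeps
    the mapped prefix of its longest already-seen match; the remaining bits are
    fresh random bits."""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)
        self._table: dict[int, int] = {}   # real address -> mapped address

    def anonymize(self, addr: str) -> str:
        real = int(ipaddress.IPv4Address(addr))
        if real not in self._table:
            self._table[real] = self._map_new(real)
        return str(ipaddress.IPv4Address(self._table[real]))

    def _map_new(self, real: int) -> int:
        if not self._table:
            return self._rng.getrandbits(32)          # first address: fully random
        # Longest-prefix match against the real addresses already mapped.
        match = max(self._table, key=lambda seen: common_prefix_len(real, seen))
        n = common_prefix_len(real, match)            # < 32, since real is new
        mapped_match = self._table[match]
        rest = 32 - n                                 # bits below the shared prefix
        prefix = (mapped_match >> rest) << rest       # keep the already-mapped prefix
        # The first bit after the shared prefix differs between the real addresses,
        # so it must differ between the mapped ones too; everything below is random.
        flip = ((mapped_match >> (rest - 1)) & 1) ^ 1
        low = self._rng.getrandbits(rest - 1) if rest > 1 else 0
        return prefix | (flip << (rest - 1)) | low


def prefix_structure_leaked(real_addrs, anonymizer) -> bool:
    """True if every pair of anonymized addresses shares exactly as many leading
    bits as the corresponding real pair, i.e. the subnet structure is preserved."""
    mapped = [anonymizer.anonymize(a) for a in real_addrs]
    for i in range(len(real_addrs)):
        for j in range(i + 1, len(real_addrs)):
            if shared_bits(real_addrs[i], real_addrs[j]) != shared_bits(mapped[i], mapped[j]):
                return False
    return True


def group_by_prefix(addrs, prefix_len):
    """Group dotted-quad addresses by their first prefix_len bits. Run on the
    anonymized output, this recovers which hosts sat on a common real subnet."""
    groups = {}
    for a in addrs:
        key = int(ipaddress.IPv4Address(a)) >> (32 - prefix_len)
        groups.setdefault(key, []).append(a)
    return list(groups.values())


if __name__ == "__main__":
    anon = PrefixPreservingAnonymizer(seed=7)
    out = [anon.anonymize(a) for a in SAMPLE_TRACE]
    for real, fake in zip(SAMPLE_TRACE, out):
        print(f"{real:>16} -> {fake}")
    print("subnet structure preserved:", prefix_structure_leaked(SAMPLE_TRACE, anon))
    print("/24 groups visible in output:", group_by_prefix(out, 24))
```

The check never needs the mapping table: grouping the anonymized addresses by their first 24 bits is enough to see that three of the five hosts were on one /24, which is exactly the information the Overview says an informed reader can exploit once a single host has been identified.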

The Attack

Suppose you wanted to mount a large-scale attack on IP addresses randomized with the -A50 option. You can fairly easily

When you start analyzing privatized data, I would guess you can fairly easily

Also, you can quite easily identify

You get starting points for randomized IP to real IP mapping from e.g.

Summary

Whether this is a problem depends on your threat model. If you are very concerned about leaking your network topology, I would not recommend giving out trace information privatized with the -A50 option. I wouldn't expect this to be the case for most organizations.

greg minshall <minshall@ipsilon.com>