[PATCH] Ephemeral port randomization

Board: DFBSD_submit | Author: (not shown) | Time: 21 years ago (2004/04/29 14:32) | Push/boo score: 0 (0/0/0)
Comments: 0, participants: 0, thread 1/3
Taken from FreeBSD, commit log from silby@: Switch from using sequential to random ephemeral port allocation, implementation taken directly from OpenBSD. I've resisted committing this for quite some time because of concern over TIME_WAIT recycling breakage (sequential allocation ensures that there is a long time before ports are recycled), but recent testing has shown me that my fears were unwarranted. The original OpenBSD code referenced above has been simplified in FreeBSD, reduced to a few lines. A sysctl has also been added to disable randomization. Index: sys/netinet/in_pcb.c =================================================================== RCS file: /cvs/dcvs/src/sys/netinet/in_pcb.c,v retrieving revision 1.17 diff -u -r1.17 in_pcb.c --- sys/netinet/in_pcb.c 10 Apr 2004 00:10:42 -0000 1.17 +++ sys/netinet/in_pcb.c 25 Apr 2004 18:57:08 -0000 @@ -99,6 +99,9 @@ int ipport_hifirstauto = IPPORT_HIFIRSTAUTO; /* 49152 */ int ipport_hilastauto = IPPORT_HILASTAUTO; /* 65535 */ +/* Shall we allocate ephemeral ports in random order? */ +int ipport_randomized = 1; + static __inline void RANGECHK(int var, int min, int max) { @@ -141,6 +144,8 @@ &ipport_hifirstauto, 0, &sysctl_net_ipport_check, "I", ""); SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, hilast, CTLTYPE_INT|CTLFLAG_RW, &ipport_hilastauto, 0, &sysctl_net_ipport_check, "I", ""); +SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomized, CTLFLAG_RW, + &ipport_randomized, 0, ""); /* * in_pcb.c: manage the Protocol Control Blocks. @@ -324,6 +329,9 @@ /* * counting down */ + if (ipport_randomized) + *lastport = first - + (arc4random() % (first - last)); count = first - last; do { 
@@ -341,6 +349,9 @@ /* * counting up */ + if (ipport_randomized) + *lastport = first + + (arc4random() % (last - first)); count = last - first; do { Index: share/man/man4/ip.4 =================================================================== RCS file: /cvs/dcvs/src/share/man/man4/ip.4,v retrieving revision 1.2 diff -u -r1.2 ip.4 --- share/man/man4/ip.4 17 Jun 2003 04:36:59 -0000 1.2 +++ share/man/man4/ip.4 25 Apr 2004 19:06:41 -0000 @@ -175,6 +175,13 @@ and .Sy net.inet.ip.portrange.lowlast . .El +.Pp +Ports are allocated randomly within the specified port range in order +to increase the difficulty of random spoofing attacks. In scenarios +such as benchmarking, this behavior may be undesireable. In these +cases, +.Va net.inet.ip.portrange.randomized +can be used to disable randomization. .Ss "Multicast Options" .Pp .Tn IP -- Skip
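Review bot: in the first in_pcb.c hunk, `ipport_randomized` is introduced as a plain `int` but is only ever tested for zero/non-zero (`if (ipport_randomized)`), so any value written to it behaves as 1; either state in the comment that it is a boolean flag or normalise it to 0/1, the way the neighbouring port-range variables go through `sysctl_net_ipport_check`.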
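Review bot: the `SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomized, ...)` hunk registers the knob with an empty description string; that matches the adjacent entries, but it leaves `sysctl -d net.inet.ip.portrange.randomized` blank and the ip.4 paragraph is then the only documentation. A one-liner such as "Randomize ephemeral port allocation (0 = sequential)" would be worth adding here.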
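Review bot: in the "counting down" hunk, `first - (arc4random() % (first - last))` only seeds the starting point; the unchanged `count = first - last` and the `do { ... }` walk below still bound the search, so port exhaustion is detected exactly as before. Note that `arc4random() % n` has a slight modulo bias; with n at most 65535 the bias is below 2^-16 and does not justify a rejection-sampling loop here, but the divisor needs the same `first != last` protection discussed for the counting-up branch should the enclosing test ever admit equality.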
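Review bot: in the "counting up" hunk, `arc4random() % (last - first)` divides by zero when `first == last`. `RANGECHK` only clamps each sysctl into [min, max]; it does not keep the first and last values apart, so a single-port range configured through `net.inet.ip.portrange.*` would trap in the kernel unless the enclosing branch test already excludes equality. Guard the seed, e.g. `if (ipport_randomized && first != last)`, and fall through to the existing sequential `count = last - first` path otherwise.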
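Review bot: in the ip.4 hunk, "undesireable" should be "undesirable", and "random spoofing attacks" is too vague to tell an administrator what the knob protects: say that randomisation makes blind, off-path attacks that must guess the local port (forged TCP segments, forged UDP replies) much harder than with the previous sequential allocation, which made the next port trivially predictable. The paragraph should also record the default (`net.inet.ip.portrange.randomized` is 1) and that the random choice is still confined to the `first`/`last` range described just above it.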
Article ID (AID): #10aA5a00 (DFBSD_submit)