

Re: randomize source port



If anyone wants to test timing, the attached patch also allows you to 
toggle via sysctl.

I tested with a loop that calls socket, connect and close 500000 times but 
didn't notice any difference yet. (In fact, I can't detect more than one source 
port, so I probably did it wrong; see the second attachment.) I used time(1) to 
time it with net.inet.ip.randomport set to 0 and 1.
Index: netinet/in.h
===================================================================
RCS file: /cvsroot/src/sys/netinet/in.h,v
retrieving revision 1.83
diff -u -r1.83 in.h
--- netinet/in.h        25 Jan 2008 21:12:14 -0000      1.83
+++ netinet/in.h        11 Jul 2008 17:57:49 -0000
@@ -142,6 +142,7 @@
  */
 
 #define        IPPORT_RESERVED         1024
+#define IPPORT_RANDOM          0       /* don't randomize by default */
 #define        IPPORT_ANONMIN          49152
 #define        IPPORT_ANONMAX          65535
 #define        IPPORT_RESERVEDMIN      600
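Review bot: The added `#define IPPORT_RANDOM` separates the name from its value with a single space where every neighbouring define in this hunk uses tabs, and its comment says only what the value is, not what it is for. Since it is the default of a boolean sysctl rather than a port number like the surrounding IPPORT_ constants, the comment should say so: `#define	IPPORT_RANDOM		0	/* default for net.inet.ip.randomport: off */`.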
@@ -451,7 +452,8 @@
 #define        IPCTL_RANDOMID         22       /* use random IP ids (if 
configured) */
 #define        IPCTL_LOOPBACKCKSUM    23       /* do IP checksum on loopback */
 #define        IPCTL_STATS             24      /* IP statistics */
-#define        IPCTL_MAXID            25
+#define        IPCTL_RANDOMPORT       25       /* enable randomized source 
port */
+#define        IPCTL_MAXID            26
 
 #define        IPCTL_NAMES { \
        { 0, 0 }, \
@@ -479,6 +481,7 @@
        { "random_id", CTLTYPE_INT }, \
        { "do_loopback_cksum", CTLTYPE_INT }, \
        { "stats", CTLTYPE_STRUCT }, \
+       { "randomport", CTLTYPE_INT }, \
 }
 #endif /* _NETBSD_SOURCE */
 
Index: netinet/in_pcb.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/in_pcb.c,v
retrieving revision 1.125
diff -u -r1.125 in_pcb.c
--- netinet/in_pcb.c    5 May 2008 17:11:17 -0000       1.125
+++ netinet/in_pcb.c    11 Jul 2008 17:57:49 -0000
@@ -146,6 +146,7 @@
            ((ntohl((faddr).s_addr) + ntohs(fport)) + \
             (ntohl((laddr).s_addr) + ntohs(lport))) & 
(table)->inpt_connecthash]
 
+int    randomport  = IPPORT_RANDOM;
 int    anonportmin = IPPORT_ANONMIN;
 int    anonportmax = IPPORT_ANONMAX;
 int    lowportmin  = IPPORT_RESERVEDMIN;
@@ -332,6 +333,9 @@
                        mymax = swp;
                }
 
+               if (randomport != 0)
+                       *lastport = mymax - (arc4random() % (mymax - mymin));
+
                lport = *lastport - 1;
                for (cnt = mymax - mymin + 1; cnt; cnt--, lport--) {
                        if (lport < mymin || lport > mymax)
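Review bot: The modulus on the added assignment is `mymax - mymin`, which is zero when the configured range collapses to a single port (the swap just above only handles min > max, so equal bounds appear to be accepted), and the kernel then divides by zero in in_pcbbind's caller path. Because the random offset is subtracted from mymax, `*lastport` also never equals mymin, so after the `*lastport - 1` that follows the search never starts at mymax. Using the inclusive width fixes both: `*lastport = mymin + (arc4random() % (mymax - mymin + 1));`. The modulo bias that remains for a range at most 65536 wide against a 32-bit random value is negligible. The enclosing function starts and ends outside the hunk.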
Index: netinet/ip_input.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_input.c,v
retrieving revision 1.272
diff -u -r1.272 ip_input.c
--- netinet/ip_input.c  5 May 2008 17:11:17 -0000       1.272
+++ netinet/ip_input.c  11 Jul 2008 17:57:49 -0000
@@ -2412,6 +2412,13 @@
                       sysctl_net_inet_ip_stats, 0, NULL, 0,
                       CTL_NET, PF_INET, IPPROTO_IP, IPCTL_STATS,
                       CTL_EOL);
+       sysctl_createv(clog, 0, NULL, NULL,
+                      CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+                      CTLTYPE_INT, "randomport",
+                      SYSCTL_DESCR("Enable source port randomization"),
+                      NULL, 0, &randomport, 0,
+                      CTL_NET, PF_INET, IPPROTO_IP,
+                      IPCTL_RANDOMPORT, CTL_EOL);
 }
 
 void
Index: netinet/ip_var.h
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_var.h,v
retrieving revision 1.87
diff -u -r1.87 ip_var.h
--- netinet/ip_var.h    12 Apr 2008 05:58:22 -0000      1.87
+++ netinet/ip_var.h    11 Jul 2008 17:57:49 -0000
@@ -183,6 +183,7 @@
 extern int   ipforwarding;             /* ip forwarding */
 extern int   ip_mtudisc;               /* mtu discovery */
 extern int   ip_mtudisc_timeout;       /* seconds to timeout mtu discovery */
+extern int   randomport;               /* randomize source port */
 extern int   anonportmin;              /* minimum ephemeral port */
 extern int   anonportmax;              /* maximum ephemeral port */
 extern int   lowportmin;               /* minimum reserved port */
#include <sys/socket.h>
#include <netinet/in.h>

#include <stdio.h>
#include <string.h>
#include <unistd.h>

int s;				/* descriptor of the socket created in the current round */
int t;				/* loop counter; also the count printed at the end */
struct sockaddr_in server;	/* peer address handed to connect() */

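/* Number of socket/connect/close rounds to time. */
enum { ITERATIONS = 500000 };

/*
 * Repeatedly create a UDP socket, connect it to 127.0.0.1:68 (which makes
 * the kernel pick an ephemeral source port), and close it, so the
 * allocation path can be timed with net.inet.ip.randomport set to 0 and 1.
 *
 * Prints the number of rounds completed, then how many rounds were handed a
 * source port exactly one below the previous round's: the existing
 * allocator walks downward, so it yields almost only such steps, while a
 * randomized start yields almost none.
 *
 * Returns 0 on completion, 1 if socket() fails.
 */
int
main(void)
{
	long sequential = 0;
	int prev_port = -1;	/* port observed in the previous round; -1 = none yet */
	int iter;

	for (iter = 0; iter < ITERATIONS; iter++) {
		struct sockaddr_in sin;
		struct sockaddr_in local;
		socklen_t local_len = sizeof local;
		int sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

		if (sock < 0) {
			perror("socket");
			return 1;
		}

		memset(&sin, 0, sizeof sin);
		sin.sin_family = AF_INET;
		sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
		sin.sin_port = htons(68);

		if (connect(sock, (struct sockaddr *)&sin, sizeof sin) != 0) {
			perror("connect");
		} else if (getsockname(sock, (struct sockaddr *)&local,
		    &local_len) == 0) {
			/* connect() bound the socket; read back the port it got. */
			int port = ntohs(local.sin_port);

			if (prev_port >= 0 && prev_port - port == 1)
				sequential++;
			prev_port = port;
		}

		close(sock);
	}
	printf("%d\n", iter);
	printf("%ld sequential steps\n", sequential);
	return 0;
}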

