<html><body>
<p>Huzeyfe ONAL wrote me to mention that he had tested OpenBSD's pf and found that it was assigning random ports for every new connection. Some references [1], [2] seem to confirm this. The interesting thing about this approach is that it may protect vulnerable DNS servers from attack if they are placed behind it. <br>
<br>
Also, a coworker directed me to this really excellent Internet Draft on port randomization: <a href="http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt">http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt</a><br>
<br>
[1] <a href="http://www.openbsd.org/papers/asiabsdcon07-network_randomness/mgp00020.html">http://www.openbsd.org/papers/asiabsdcon07-network_randomness/mgp00020.html</a><br>
[2] <a href="http://www.openbsd.org/faq/pf/nat.html">http://www.openbsd.org/faq/pf/nat.html</a> (note the mention of source port randomization)<br>
<br>
<p><b>"Riad S. Wahby" &lt;rsw@jfet.org&gt;</b><br>
07/10/2008 11:06 PM<br>
To: Thomas Cross/Atlanta/IBM@IBMUS<br>
cc: full-disclosure@lists.grok.org.uk<br>
Subject: Re: DNS and NAT (was: DNS and CheckPoint)</p>
<br>
<tt>Thomas Cross &lt;tcross@us.ibm.com&gt; wrote:<br>
> We've also been wondering whether NAT devices ought to randomly assign<br>
> UDP source ports, although no NAT vendor that we're aware of has done<br>
> this to date.<br>
<br>
Some quick testing implies that ipchains MASQUERADE-based NAT doesn't<br>
suffer this problem because it preserves the source port.<br>
<br>
My test setup is as follows: call the computer inside the NAT Alice, and<br>
the computer outside Bob. Alice contacts Bob via Trent, a linux-based<br>
router, in my case a DLink DSL-2540B DSL modem / router combo. On<br>
Alice, I run the following:<br>
<br>
( for j in $(seq 1 100); do i=$RANDOM; /bin/echo -n "$i "; echo $i | nc -q 0 -vv -p $i -u &lt;Bob&gt; 5555; sleep 1; done ) &> foo.Alice<br>
<br>
On Bob, I run <br>
<br>
( while true; do nc -vv -l -u -p 5555 -q 0 </dev/null; done ) &> foo.Bob<br>
<br>
At the end, I compare the actual source port in foo.Alice to the<br>
apparent source port in foo.Bob. In my setup, they are always<br>
identical.<br>
<br>
Obviously it is impossible to guarantee that this will always be the<br>
case; in order to identify dangerous corner cases one would have to<br>
consult the ipchains code, but given the relative frailty of the<br>
randomized source port / randomized sequence number solution, for a<br>
small number of computers behind a NAT (e.g., home users) I claim that's<br>
a second-order danger at best.<br>
<br>
In a large production environment where there is a huge amount of NAT<br>
traffic being generated one would do well to consider a solution like<br>
Thomas's suggestion that the servers be moved outside the firewall.<br>
<br>
-=rsw<br>
</tt><br>
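<p>The comparison Riad describes (Alice sends from a known source port, Bob records the port it actually sees) only tells you whether the ports match. The question the thread is really asking, for pf as much as for a home router, is which of three behaviours the NAT has: it preserves the inside port, it hands out consecutive ports, or it picks a spread-out port per flow. The script below is an added example, not code from either message: it reimplements the probe in Python so the two logs can be joined by payload instead of by eye, and adds a classifier for those three cases. The 90%-of-steps and 14-bit-span thresholds are my own heuristics, the loopback demo is constructed, and nothing here is taken from the OpenBSD pages or the draft cited above.</p>

```python
"""Added example (not from the thread): measure what a NAT does to UDP source ports.

Same idea as the nc loop in the message above: the inside host sends one
datagram per source port with the port number as payload, the outside host
records the source port it actually sees, and the pairs are compared.
The classifier thresholds (90% small steps, 14 bits of span) are my own
heuristics, not anything the thread or the draft defines.
"""
import math
import random
import socket
import threading
import time

PORT_SPACE = 65536


def port_entropy_bits(ports):
    """log2 of the span of ports seen. Random allocation over the whole
    range approaches 16; a sequential allocator that handed out 100 ports
    in a row shows only ~6.6, which is all an attacker has to guess."""
    return math.log2(max(ports) - min(ports) + 1)


def classify_nat_ports(pairs):
    """pairs: [(inside_port, outside_port), ...] in send order.
    'preserved'    NAT kept the inside port (the resolver's own randomness survives)
    'sequential'   NAT hands out consecutive ports (worst case: trivially guessable)
    'random'       NAT picked a fresh, widely spread port each time
    'unclassified' otherwise (port reuse, mixed behaviour, too few samples)"""
    if len(pairs) < 2:
        raise ValueError("need at least two observations")
    outside = [o for _, o in pairs]
    if all(i == o for i, o in pairs):
        return "preserved"
    # Step between consecutive observed ports, modulo the port space so a
    # wrap-around at 65535 still counts as a small step.
    deltas = [(b - a) % PORT_SPACE for a, b in zip(outside, outside[1:])]
    small_steps = sum(1 for d in deltas if 1 <= d <= 16)
    if small_steps >= 0.9 * len(deltas):
        return "sequential"
    if len(set(outside)) == len(outside) and port_entropy_bits(outside) >= 14:
        return "random"
    return "unclassified"


def run_listener(bind_addr, port, count, timeout=60.0):
    """Bob side. Returns (claimed_inside_port, observed_port) pairs."""
    pairs = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        while len(pairs) < count:
            data, (_, src_port) = s.recvfrom(64)
            pairs.append((int(data.decode().strip()), src_port))
    return pairs


def run_sender(dest_ip, dest_port, inside_ports):
    """Alice side. One fresh socket per datagram so each bind gets its own port;
    the payload carries the port so the two logs can be joined without timestamps."""
    for p in inside_ports:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("", p))
            s.sendto(f"{p}\n".encode(), (dest_ip, dest_port))


def pick_inside_ports(n, rng=random):
    """Distinct unprivileged source ports. $RANDOM in the nc loop can yield 0
    or a port below 1024, which fails without root; this avoids that."""
    return rng.sample(range(1024, PORT_SPACE), n)


if __name__ == "__main__":
    # Loopback demo (constructed): with no NAT in the path the verdict must be
    # 'preserved'. For a real test run run_listener() on Bob and run_sender()
    # on Alice, pointing the sender at Bob's public address.
    ports = pick_inside_ports(20)
    seen = []
    t = threading.Thread(
        target=lambda: seen.extend(run_listener("127.0.0.1", 5555, len(ports))))
    t.start()
    time.sleep(0.5)  # let the listener bind before the first datagram goes out
    run_sender("127.0.0.1", 5555, ports)
    t.join()
    print(classify_nat_ports(seen),
          f"{port_entropy_bits([o for _, o in seen]):.1f} bits of span")
```

<p>Run the listener on Bob first, then the sender on Alice, and feed the returned pairs to <tt>classify_nat_ports</tt>. "preserved" is Riad's result; "sequential" is the case the thread is worried about, since the NAT throws away the resolver's randomness and replaces it with a counter; "random" is the pf behaviour Huzeyfe reported. The entropy figure is an upper bound on what the NAT contributes, so a "random" verdict with far fewer than 16 bits means the device is drawing from a narrow range.</p>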
</body></html>