LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Single Packet Authorization (Linux Journal)

Single Packet Authorization (Linux Journal)

Posted Mar 6, 2007 2:34 UTC (Tue) by tialaramex (subscriber, #21167)
Parent article: Single Packet Authorization (Linux Journal)

The main thing people seem to be looking for is a way to disadvantage bulk scanners. But that already exists, as a production system, in the form of IPv6. Bulk scanning IPv6 networks is not practical because of the much larger address space, so you can hide the entire machine, rather than just a service port, by simply neglecting to publicise its existence. With your SSH server using just one or two addresses in a LAN that has many billions of possible addresses, script kiddies simply can't find you. Once they start losing all the time, "find the SSH server" stops being a fun game and most script kiddies won't even bother trying any more.

Modern DNS servers no longer offer transfers to unknown third parties, so if you don't tell anyone that "panda.toys.example.com" is your IPv6 SSH server, there's no practical way for them to find out that it even exists, let alone that it's vulnerable to a brand new SSH vulnerability.

Of course this doesn't protect you against a sophisticated criminal, who might be shoulder-surfing your SSH server address at the same time he snoops on your passphrase and pickpockets your SecureID keyring. Resourceful attackers remain a significant threat, but eliminating the chaff we all deal with every day from script kiddies would even help to make the serious stuff more visible. If your IDS flagged one intrusion attempt per month you'd investigate, but on today's crowded IPv4 networks the IDS may be logging a hundred potentially serious incidents per hour, 24/7, until you switch it off altogether

(Log in to post comments)

Single Packet Authorization (Linux Journal)

Posted Mar 6, 2007 15:32 UTC (Tue) by bronson (subscriber, #4806) [Link]

"you can hide the entire machine, rather than just a service port, by simply neglecting to publicise its existence."

Once that machine emits a single packet (of ANY type), its cover is blown. That doesn't sound like very effective security to me.

Single Packet Authorization (Linux Journal)

Posted Mar 7, 2007 9:32 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

Earlier in these same comments you seemed to understand that there are two major categories of attacker.

Script kiddies can't search 2^128 addresses, or even the much smaller but still vast IPv6 range actually allocated and in service, nor can a worm. On the whole the script kiddies aren't very smart, but if they persist in scanning anyway they're just wasting their time and a little bit of everyone's bandwidth until they learn better. Script kiddies don't have access to your traffic logs, or an optical splitter in your ISPs fibre, so they can't tell when your machine "emits a single packet". So IPv6 makes Internet scale scanning go away. That means no false alarms, packets arriving at your machines were directed at you, not just sent to randomly generated IP addresses.

Sophisticated attackers probably aren't interested in you. If they are, the thing keeping you safe is SSH itself, and if you have a vulnerability then they doubtless know about it and will be inside your network before you even read the security advisory. Port knocking is, if anything, adding to the cracks in the wall.

I find it odd that you seem to claim maintaining complicated "knocking" rituals for every server is less effort than managing SSH public key crypto. If you really meant that you don't have any security at all inside your network and rely on port knocking to protect a /gateway/ machine, then might I suggest that you manage SSH public key crypto just for that machine (and get some more security)?

Single Packet Authorization (Linux Journal)

Posted Mar 7, 2007 16:31 UTC (Wed) by bronson (subscriber, #4806) [Link]

A few thoughts...

If you're saying that hiding a machine deep in IPv6 space is poor security, just like port knocking is poor security, then we are in agreement. :)

I use the same knock sequence on every server. Port knocking is bad security, why pretend otherwise? But, here's the thing: even a simple, static 3-port sequence significantly raises the bar to touching the good security. With port knocking, when I see multiple failed login attempts in my logs, I know that something is wrong and I'll bring the heavy immediately.

Port knocking is not about adding more security. It's about eliminating the noise that would otherwise hide a determined attacker.

As I said before, I do have pubkey login on every ssh machine I maintain. We pubkey users seem to be a tiny minority, unfortunately. I was just explaining why I think that many admins either don't do it or, if they try, do it badly. It's takes forethought to securely scale up to many admins on many machines. It isn't plug-and-chug.

Because port knocking can be done entirely with iptables rules, it doesn't need to add appreciably to your threat surface. It just adds the 'recent' module, which seems to be a well written module. SPA, with its dedicated listening daemon, adds significantly to your threat surface. A quick google search finds this article, which appears to be good but isn't the one I followed: http://www.soloport.com/iptables.html .

Here's a much more thorough treatement that I just found: http://web.mac.com/s.j/iWeb/Security/Port%20Knocking%20an... I haven't read the whole thing yet but, reading the conclusion, I think Sebastien Jeanquier is spot on.

Does that make my position a little more clear?

Single Packet Authorization (Linux Journal)

Posted Mar 7, 2007 18:28 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

Yes, your position is more clear, I think we're pretty much on the same wavelength about what the problems are and the extent to which different techniques are appropriate, it's just that I don't agree with your choice of solution (although I agree it's working for you). I prefer elegant solutions, and I see sparse addresses as elegant while secret handshakes are not. I haven't any data as to which is more effective in practice.

Adding "more" iptables rules would constitute a non-negligible increase in attack surface for me because I don't currently use, or intend to use, iptables. Of course you could argue that using IPv6 at all, even during the lengthy (perhaps a decade or more still) transition period also increases the attack surface, but if you view IPv6 as inevitable then finding any security problems in it now seems like a good up-front investment.

My original purpose in mentioning this was to justify why I think scanning is mostly a transitory problem not worthy of creating specialised protocols and tools like the one in the article.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds