Open TCP or UDP ports on an internet-facing host can be worrisome to an
administrator, they almost feel like an invitation to an
attacker. If an unknown or unpatched vulnerability is running behind the
port, the host could be compromised. Admins have come up with some
reasonable ways to deflect the simplest of these attacks: changing the
well-known port or port knocking. The
new shimmer project provides
a twist, by using cryptographic techniques to choose the port to open.
The basic idea is that one port (within a chosen range) will be open to
real traffic of the service that the admin wants to hide – ssh or a private
web server for example. The number of that port will be able to be
calculated by both client and server using a secret that they share. A
client that connects to the proper port gets forwarded to the real
service. In addition to the proper port, 15 other ports are opened and
connected to a blacklist service. Any connection made to those ports will
result in the source IP address being banned for 15 minutes. The server
redoes the calculation each minute, coming up with a new set of 16 ports
– one good and 15 bad.
In order to calculate the port number, the shared secret (key) is combined
with the time (to the nearest minute), and the name of the service, then hashed using SHA-256. The hash is used as an AES
key to encrypt the numbers 0 through 15. Those values are mapped into the
port range and serve as the 16 port numbers for that minute. In order to
handle small clock variations between client and server, the server
actually keeps each set of 16 open for three minutes – adding the set
for the minutes before and after the current one.
While this seems like it provides a great deal of security to hide an open
port behind, in reality it is more showy than useful. As with simple port
knocking, or changing the well-known port number, it is vulnerable to an
attacker that can monitor traffic to the server and observe successful
connections. Shimmer leaves three ports wide open at any given time with
45 ports that will cause an IP to get blacklisted. Depending on the size
of the port range chosen, the odds aren't that bad of randomly
guessing the right port. Someone with few thousand IP addresses to use
probably won't have any difficulty.
Much like the other techniques, shimmer will likely deflect all but the most
determined of attackers, but is unlikely to provide much in the way of
a barrier against those. It sounds attractive and uses cryptographic terms
and techniques which may make it seem more secure than it really is. Using
it without understanding this could lead to a false sense of security.
to post comments)