[PATCH] Ephemeral port randomization
Skip Ford
skip.ford at verizon.net
Wed Apr 28 15:06:18 PDT 2004
Taken from FreeBSD, commit log from silby@:
Switch from using sequential to random ephemeral port allocation,
implementation taken directly from OpenBSD.
I've resisted committing this for quite some time because of concern over
TIME_WAIT recycling breakage (sequential allocation ensures that there is a
long time before ports are recycled), but recent testing has shown me that
my fears were unwarranted.
The original OpenBSD code referenced above has been simplified in
FreeBSD, reduced to a few lines. A sysctl has also been added to
disable randomization.
Index: sys/netinet/in_pcb.c
===================================================================
RCS file: /cvs/dcvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.17
diff -u -r1.17 in_pcb.c
--- sys/netinet/in_pcb.c 10 Apr 2004 00:10:42 -0000 1.17
+++ sys/netinet/in_pcb.c 25 Apr 2004 18:57:08 -0000
@@ -99,6 +99,9 @@
int ipport_hifirstauto = IPPORT_HIFIRSTAUTO; /* 49152 */
int ipport_hilastauto = IPPORT_HILASTAUTO; /* 65535 */
+/* Shall we allocate ephemeral ports in random order? */
+int ipport_randomized = 1;
+
static __inline void
RANGECHK(int var, int min, int max)
{
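Review bot: `ipport_randomized` is introduced with a default of 1, so randomization becomes the default for every caller rather than an opt-in, which the commit message says is intended; it is also defined non-static, like the neighbouring `ipport_*` range variables. If DragonFly's IPv6 PCB code has its own ephemeral-port loop outside this file, it should consult the same variable so the two address families do not diverge in behaviour, and the comment should say the variable is shared for that purpose.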
@@ -141,6 +144,8 @@
&ipport_hifirstauto, 0, &sysctl_net_ipport_check, "I", "");
SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, hilast, CTLTYPE_INT|CTLFLAG_RW,
&ipport_hilastauto, 0, &sysctl_net_ipport_check, "I", "");
+SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomized, CTLFLAG_RW,
+ &ipport_randomized, 0, "");
/*
* in_pcb.c: manage the Protocol Control Blocks.
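Review bot: the description string in `SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomized, ...)` is empty. That matches the adjacent `SYSCTL_PROC` entries, but since this knob is now documented in ip.4, a short description such as "Randomize ephemeral port allocation" would make `sysctl -d net.inet.ip.portrange.randomized` self-explanatory.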
@@ -324,6 +329,9 @@
/*
* counting down
*/
+ if (ipport_randomized)
+ *lastport = first -
+ (arc4random() % (first - last));
count = first - last;
do {
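Review bot: `first - (arc4random() % (first - last))` yields a start point in [last + 1, first], so `last` itself can never be the initial random choice; if the loop body that follows advances `*lastport` before testing it, as a counting loop does, the two ends of the range are tried with slightly different probability. Using `% (first - last + 1)` (with the pre-decrement taken into account) gives every port in the range the same chance. The modulo bias of `arc4random() % n` itself is negligible here, since the largest allowed range is 16384 ports, i.e. a bias below 2^-18.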
@@ -341,6 +349,9 @@
/*
* counting up
*/
+ if (ipport_randomized)
+ *lastport = first +
+ (arc4random() % (last - first));
count = last - first;
do {
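Review bot: `arc4random() % (last - first)` divides by zero when `last == first`, i.e. when an administrator has set the range to a single port via the `portrange` sysctls; nothing in this hunk excludes that case from the "counting up" branch. Guard it, for example `if (ipport_randomized && last > first)`, so a one-port range falls back to the sequential path instead of trapping in the kernel. The same guard belongs in the counting-down branch if its branch condition admits `first == last`.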
Index: share/man/man4/ip.4
===================================================================
RCS file: /cvs/dcvs/src/share/man/man4/ip.4,v
retrieving revision 1.2
diff -u -r1.2 ip.4
--- share/man/man4/ip.4 17 Jun 2003 04:36:59 -0000 1.2
+++ share/man/man4/ip.4 25 Apr 2004 19:06:41 -0000
@@ -175,6 +175,13 @@
and
.Sy net.inet.ip.portrange.lowlast .
.El
+.Pp
+Ports are allocated randomly within the specified port range in order
+to increase the difficulty of random spoofing attacks. In scenarios
+such as benchmarking, this behavior may be undesireable. In these
+cases,
+.Va net.inet.ip.portrange.randomized
+can be used to disable randomization.
.Ss "Multicast Options"
.Pp
.Tn IP
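Review bot: "undesireable" is misspelled ("undesirable"), and "random spoofing attacks" is vague; the property gained is that an off-path attacker who must guess the client's source port (blind spoofing, injection into an existing connection) can no longer predict it from the previous allocation. Stating that, and that randomization is enabled by default, would make the paragraph match what the sysctl does.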
--
Skip
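The allocation loop the patch changes, reconstructed as a stand-alone userland example. This is added illustration, not code from the patch or from FreeBSD or DragonFly: the `port_set` bitmap stands in for the PCB hash lookup, `prng32` is a fixed-seed xorshift stand-in for the kernel's `arc4random()`, and `alloc_ephemeral` is a hypothetical name. It keeps both the counting-up and counting-down behaviour, restarts from a fresh uniform position on every call when randomization is on, and handles the one-port range (`first == last`) that a bare `arc4random() % (last - first)` would trap on, using rejection sampling instead of a plain modulus.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_MAX 65535u

/* Set of bound ports, one bit per port (constructed for the example; the
 * kernel consults the PCB hash table instead). */
typedef struct {
    uint8_t bits[(PORT_MAX + 1) / 8];
} port_set;

static int port_in_use(const port_set *s, unsigned p)
{
    return (s->bits[p >> 3] >> (p & 7)) & 1;
}

static void port_mark(port_set *s, unsigned p)
{
    s->bits[p >> 3] |= (uint8_t)(1u << (p & 7));
}

/* Stand-in for arc4random(): xorshift32 with a fixed seed so the example is
 * reproducible. NOT cryptographically strong; a real allocator must draw
 * from the kernel CSPRNG. */
static uint32_t rng_state = 0x9E3779B9u;

static uint32_t prng32(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    rng_state = x;
    return x;
}

/* Uniform value in [0, n) by rejection sampling: no modulo bias and no
 * division by zero (n < 2 means there is nothing to choose). */
static uint32_t uniform_below(uint32_t n)
{
    uint32_t x, limit;

    if (n < 2)
        return 0;
    limit = UINT32_MAX - (UINT32_MAX % n); /* largest multiple of n <= 2^32-1 */
    do {
        x = prng32();
    } while (x >= limit);
    return x % n;
}

/* Allocate one port from first..last, which may run in either direction
 * ("counting up" when first <= last, "counting down" otherwise), the way the
 * patched in_pcbbind() loop does: choose a start point, then advance with
 * wrap-around until a free port turns up. randomized == 0 continues from
 * *lastport, so successive calls hand out consecutive ports; randomized != 0
 * restarts from a fresh uniform position on every call.
 * Returns the port bound, or -1 when every port in the range is in use. */
static int alloc_ephemeral(port_set *s, unsigned first, unsigned last,
                           int randomized, unsigned *lastport)
{
    unsigned lo = first < last ? first : last;
    unsigned hi = first < last ? last : first;
    unsigned span = hi - lo + 1;        /* >= 1, even for a one-port range */
    int up = first <= last;
    unsigned count;

    if (randomized)
        *lastport = lo + uniform_below(span);

    for (count = span; count > 0; count--) {
        /* Step once, wrapping at the end of the range; a stale or
         * uninitialised *lastport outside the range is reset here too. */
        if (up)
            *lastport = (*lastport < lo || *lastport >= hi) ? lo : *lastport + 1;
        else
            *lastport = (*lastport > hi || *lastport <= lo) ? hi : *lastport - 1;
        if (!port_in_use(s, *lastport)) {
            port_mark(s, *lastport);
            return (int)*lastport;
        }
    }
    return -1;
}

int main(void)
{
    port_set s;
    unsigned lastport = 0;
    int i;

    memset(&s, 0, sizeof s);
    for (i = 0; i < 4; i++)
        printf("sequential: %d\n", alloc_ephemeral(&s, 49152, 65535, 0, &lastport));
    for (i = 0; i < 4; i++)
        printf("randomized: %d\n", alloc_ephemeral(&s, 49152, 65535, 1, &lastport));
    return 0;
}
```

The sequential calls print 49152, 49153, 49154, 49155; the randomized calls print four unrelated ports from the same range, which is the property an off-path attacker guessing the source port loses. Note that a full range still returns -1 in both modes, so randomization does not change the exhaustion behaviour the commit message worried about, only the order in which ports are handed out.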