[PATCH] Ephemeral port randomization

Skip Ford skip.ford at verizon.net
Wed Apr 28 15:06:18 PDT 2004


Taken from FreeBSD, commit log from silby@:

  Switch from using sequential to random ephemeral port allocation,
  implementation taken directly from OpenBSD.
  
  I've resisted committing this for quite some time because of concern over
  TIME_WAIT recycling breakage (sequential allocation ensures that there is a
  long time before ports are recycled), but recent testing has shown me that
  my fears were unwarranted.

The original OpenBSD code referenced above has been simplified in
FreeBSD, reduced to a few lines.  A sysctl has also been added to
disable randomization.


Index: sys/netinet/in_pcb.c
===================================================================
RCS file: /cvs/dcvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.17
diff -u -r1.17 in_pcb.c
--- sys/netinet/in_pcb.c	10 Apr 2004 00:10:42 -0000	1.17
+++ sys/netinet/in_pcb.c	25 Apr 2004 18:57:08 -0000
@@ -99,6 +99,9 @@
 int ipport_hifirstauto = IPPORT_HIFIRSTAUTO;	/* 49152 */
 int ipport_hilastauto = IPPORT_HILASTAUTO;	/* 65535 */
 
+/* Shall we allocate ephemeral ports in random order? */
+int ipport_randomized = 1;
+
 static __inline void
 RANGECHK(int var, int min, int max)
 {
@@ -141,6 +144,8 @@
 	   &ipport_hifirstauto, 0, &sysctl_net_ipport_check, "I", "");
 SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, hilast, CTLTYPE_INT|CTLFLAG_RW,
 	   &ipport_hilastauto, 0, &sysctl_net_ipport_check, "I", "");
+SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomized, CTLFLAG_RW,
+	   &ipport_randomized, 0, "");
 
 /*
  * in_pcb.c: manage the Protocol Control Blocks.
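Review bot: the description string on the new `randomized` sysctl (the trailing `""` in the `SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomized, ...)` line) is empty, so `sysctl -d net.inet.ip.portrange.randomized` prints nothing; the neighbouring entries are empty too, but this is a new knob that changes default behaviour, so a short description such as `"Randomize ephemeral port allocation"` is worth the line.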
@@ -324,6 +329,9 @@
 			/*
 			 * counting down
 			 */
+			if (ipport_randomized)
+				*lastport = first - 
+					    (arc4random() % (first - last));
 			count = first - last;
 
 			do {
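Review bot: trailing whitespace after `first - ` on the first added line; either strip it or keep the expression on one line (`*lastport = first - (arc4random() % (first - last));`). The modulus `first - last` is nonzero only because this is the "counting down" branch, i.e. first is strictly greater than last; if the branch condition admits first == last this becomes a division by zero, so the same guard the other branch needs belongs here for symmetry. Note also that the random value only picks the starting point: `count = first - last;` and the `do` loop that follows are the unchanged sequential walk.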
@@ -341,6 +349,9 @@
 			/*
 			 * counting up
 			 */
+			if (ipport_randomized)
+				*lastport = first + 
+					    (arc4random() % (last - first));
 			count = last - first;
 
 			do {
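Review bot: `arc4random() % (last - first)` divides by zero when first == last, and this "counting up" branch is where an equal pair lands if the sysctl range check lets hifirst and hilast (or first/last) be set to the same port. Guard the random start, e.g. `if (ipport_randomized && first != last)`, or clear a local `dorandom` flag when the range is a single port; the existing `count = last - first;` loop below already copes with that case on its own.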
Index: share/man/man4/ip.4
===================================================================
RCS file: /cvs/dcvs/src/share/man/man4/ip.4,v
retrieving revision 1.2
diff -u -r1.2 ip.4
--- share/man/man4/ip.4	17 Jun 2003 04:36:59 -0000	1.2
+++ share/man/man4/ip.4	25 Apr 2004 19:06:41 -0000
@@ -175,6 +175,13 @@
 and
 .Sy net.inet.ip.portrange.lowlast .
 .El
+.Pp
+Ports are allocated randomly within the specified port range in order
+to increase the difficulty of random spoofing attacks.  In scenarios
+such as benchmarking, this behavior may be undesireable.  In these
+cases,
+.Va net.inet.ip.portrange.randomized
+can be used to disable randomization.
 .Ss "Multicast Options"
 .Pp
 .Tn IP
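Review bot: typo in the added text, "undesireable" should be "undesirable". "Ports are allocated randomly within the specified port range" also overstates what the in_pcb.c hunks do: only the starting point is chosen at random and the search then walks sequentially from there, so "The starting point for ephemeral port allocation is chosen randomly within the specified port range" is accurate. "random spoofing attacks" is vague; the property gained is that an off-path attacker must guess the local port of an existing connection before spoofed segments can be injected into it, and the text would be clearer saying so. Finally, the new sysctl is marked up with `.Va` while the entries just above use `.Sy` (`.Sy net.inet.ip.portrange.lowlast .`); pick one macro and use it consistently.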


-- 
Skip
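The allocation logic the patch changes, modelled in user space as an added example (my own illustration, not code from this patch, FreeBSD or OpenBSD): a bitmap stands in for the PCB table, a seeded xorshift32 stands in for arc4random(), and alloc_ephemeral() reproduces the random start followed by the sequential walk with wraparound in both directions. The one behavioural difference from the hunks above is a guard that skips the random start when the range is a single port, since arc4random() % 0 would divide by zero; that guard, the scenario helpers and every identifier here are mine, not the kernel's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the PCB table: a bitmap of bound ports plus the
 * persistent "last allocated" cursor (the kernel's ipport_last*auto). */
struct portspace {
    uint8_t  bound[65536 / 8];
    uint32_t rng;       /* xorshift32 state: seeded stand-in for arc4random() */
    int      lastport;  /* survives across calls, like the kernel's cursor */
};
#define IS_BOUND(ps, p) (((ps)->bound[(p) >> 3] >> ((p) & 7)) & 1)

static uint32_t rnd32(struct portspace *ps)   /* deterministic, reproducible runs */
{
    uint32_t x = ps->rng;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return ps->rng = x;
}

static void portspace_init(struct portspace *ps, uint32_t seed)
{
    memset(ps, 0, sizeof *ps);
    ps->rng = seed ? seed : 1;   /* xorshift state must be nonzero */
    ps->lastport = -1;           /* out of range, so the wrap check picks `first` */
}

/* Pick an ephemeral port from first..last (first > last means "counting down",
 * as the low range does). With `randomized`, the cursor first jumps to a random
 * point in the range; the sequential walk with wraparound then runs unchanged.
 * Returns the port, or -1 (EADDRNOTAVAIL) once every port in the range is bound.
 * Guard not in the patch: no jump when first == last, where the modulus is 0. */
static int alloc_ephemeral(struct portspace *ps, int first, int last, bool randomized)
{
    int count, port;
    if (first > last) {                                   /* counting down */
        if (randomized && first != last)                  /* symmetric guard */
            ps->lastport = first - (int)(rnd32(ps) % (uint32_t)(first - last));
        count = first - last;
        do {
            if (count-- < 0)
                return -1;
            --ps->lastport;
            if (ps->lastport > first || ps->lastport < last)
                ps->lastport = first;
            port = ps->lastport;
        } while (IS_BOUND(ps, port));
    } else {                                              /* counting up */
        if (randomized && first != last)                  /* avoids % 0 */
            ps->lastport = first + (int)(rnd32(ps) % (uint32_t)(last - first));
        count = last - first;
        do {
            if (count-- < 0)
                return -1;
            ++ps->lastport;
            if (ps->lastport < first || ps->lastport > last)
                ps->lastport = first;
            port = ps->lastport;
        } while (IS_BOUND(ps, port));
    }
    ps->bound[port >> 3] |= (uint8_t)(1u << (port & 7));
    return port;
}

/* The n-th port handed out with randomization off: the old, guessable sequence. */
static int nth_sequential(int first, int last, int n)
{
    struct portspace ps; int port = -1;
    portspace_init(&ps, 1);
    while (n-- > 0)
        port = alloc_ephemeral(&ps, first, last, false);
    return port;
}

/* Allocate with randomization on until the range is exhausted. Returns how many
 * ports came out, or -1 if any fell outside first..last. Exercises wraparound,
 * the first == last guard and the EADDRNOTAVAIL path. */
static int randomized_drain(int first, int last, uint32_t seed)
{
    struct portspace ps;
    int lo = first < last ? first : last, hi = first < last ? last : first;
    int n = 0, port;
    portspace_init(&ps, seed);
    while ((port = alloc_ephemeral(&ps, first, last, true)) != -1) {
        if (port < lo || port > hi)
            return -1;
        n++;
    }
    return n;
}

int main(void)
{
    struct portspace seq, rnd;
    portspace_init(&seq, 1);
    portspace_init(&rnd, 0x20040428u);
    for (int i = 0; i < 5; i++)   /* left: sequential 49152, 49153, ...; right: randomized */
        printf("%d %d\n", alloc_ephemeral(&seq, 49152, 65535, false),
                          alloc_ephemeral(&rnd, 49152, 65535, true));
    return 0;
}
```

Build with `cc -Wall -o ports ports.c`. nth_sequential() shows why the old allocator was guessable (each call returns the previous port plus or minus one), and randomized_drain() shows that a random start does not lose any ports: the walk still visits the whole range, including the single-port range that the patch's modulus would reject, before reporting exhaustion.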