~ :CyberPsychotic wrote:
~ :
~ :> I could rework the patch to use /dev/random instead though :)
~ :
~ :That doesn't seem like a good idea. The rate at which /dev/random can


Yeah, already noticed this. I think the way (stated below) would help to
get around blocking, while still having random port numbers bound with
high frequency.


~ :generate data is limited by available sources of entropy. If you
~ :exhaust its pool of random numbers, reading from it will block until
~ :it gets enough random bits to generate some more.
~ :A quick check seems to indicate that /dev/random won't be able to
~ :provide enough data for generating ephemeral port numbers unless the
~ :system is *very* lightly loaded.

Indeed. Well, here's how I changed the routine, so we won't get hit even
under heavier loads:

--- linux/net/ipv4/tcp_ipv4.c.orig      Fri Oct 22 15:39:18 1999
+++ linux/net/ipv4/tcp_ipv4.c   Tue Oct 26 20:15:59 1999
@@ -74,6 +74,9 @@
 /* Check TCP sequence numbers in ICMP packets. */
 #define ICMP_MIN_LENGTH 8
 
+/* This should be increased if on higly-loaded systems bind causes delay */
+#define REKEY_TIME 10
+
 /* Socket used for sending RSTs */     
 struct inode tcp_inode;
 struct socket *tcp_socket=&tcp_inode.u.socket_i;
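Review bot: the comment on `REKEY_TIME` should state its unit and what the value actually trades off. It is compared against `tv.tv_sec` in the next hunk, so it is seconds, and raising it does not make `bind` faster by itself; it only makes one `rand` value be reused for longer before `get_random_bytes` is called again. Something like `/* seconds a random port offset is reused before re-reading random bytes; raise on heavily loaded systems */` says both, and fixes the `higly-loaded` typo.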
@@ -209,13 +212,30 @@
 static int tcp_v4_get_port(struct sock *sk, unsigned short snum)
 {
        struct tcp_bind_bucket *tb;
-
+       static __u32 rekeyt = 0;
+       static __u32 rand;
+       struct timeval tv;
+
+/* here we deploy something similar to get_secure_tcp_sequence_number */
+
+       do_gettimeofday(&tv);
+       if (!rekeyt || (tv.tv_sec - rekeyt) > REKEY_TIME) {
+               rekeyt=tv.tv_sec;
+               get_random_bytes(&rand,sizeof(rand));
+       }
        SOCKHASH_LOCK();
        if (snum == 0) {
-               int rover = tcp_port_rover;
                int low = sysctl_local_port_range[0];
                int high = sysctl_local_port_range[1];
                int remaining = (high - low) + 1;
+
+       /* both system timer and random bytes sequence are involved
+        * because we regenerate random sequence every REKEY_TIME seconds
+        * and simple increments between rekey regenerations ain't good.
+        * (if we attempted to call get_random_bytes on highly loaded
+        * system too often, it probably would block.
+        */
+               int rover = tcp_port_rover + rand%(jiffies%remaining);
 
                do {    rover++;
                        if ((rover < low) || (rover > high))
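Review bot: `rand%(jiffies%remaining)` on the `int rover = ...` line divides by zero whenever `jiffies` is a multiple of `remaining` (the inner modulus is the divisor of the outer one), and when it is not zero the offset is bounded by `jiffies%remaining` rather than spread over the whole port range; `(rand + jiffies) % remaining` (or `(rand ^ jiffies) % remaining`) avoids both problems. Also, the rekey block runs before `SOCKHASH_LOCK()` and updates the statics `rekeyt` and `rand` without the lock, and it runs even when `snum != 0` and no random port is needed; moving it inside `if (snum == 0)` after the lock is taken fixes both. Minor: the comment's last sentence has no closing parenthesis, and the comment block is indented one level shallower than the declarations it sits between.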


--
* Some day this will be a full-fledged user tracking system..
- <linux/sched.h>
                        http://www.kalug.lug.net/fygrave/


-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]

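The selection scheme in the patch above (a random value refreshed every REKEY_TIME seconds, mixed with a clock and reduced modulo the size of the local port range), as an added userspace model that is not part of the original message or the kernel. It shows the divide-by-zero in `rand%(jiffies%remaining)` as a checkable predicate, replaces the offset with `(rand + jiffies) % remaining`, and reuses the rover-and-wrap loop shape visible in `tcp_v4_get_port`. The names `port_rng`, `maybe_rekey`, `pick_port`, `offset_fixed` and `patch_offset_is_safe` are assumptions for this example, `stub_random_bytes` is a deterministic stand-in for `get_random_bytes`, and the `used` array is a constructed stand-in for the bind-hash lookup the real function performs.

```c
/* Userspace model of the random ephemeral-port offset from the patch (not kernel code). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define REKEY_TIME 10   /* seconds one random offset is reused, as in the patch */

/* Assumed name: the two statics the patch adds to tcp_v4_get_port(). */
struct port_rng {
    uint32_t rekeyt;    /* seconds at last rekey; 0 means never keyed */
    uint32_t rand;      /* random value held for REKEY_TIME seconds */
};

/* Stand-in for get_random_bytes(): xorshift32 on a constructed seed so the
 * example runs offline. A real caller would use the kernel pool / getrandom(2). */
static uint32_t stub_random_bytes(void)
{
    static uint32_t s = 0x9E3779B9u;   /* constructed seed, never becomes 0 */
    s ^= s << 13; s ^= s >> 17; s ^= s << 5;
    return s;
}

/* The patch's expression is rand % (jiffies % remaining): the divisor is
 * jiffies % remaining, which is 0 whenever jiffies is a multiple of remaining. */
bool patch_offset_is_safe(unsigned long jiffies, int remaining)
{
    return (jiffies % (unsigned long)remaining) != 0;
}

/* Corrected offset: uniform over [0, remaining), no division by a clock value.
 * The 32-bit add wraps harmlessly; the single modulus can never be by zero. */
int offset_fixed(uint32_t rand, unsigned long jiffies, int remaining)
{
    return (int)((rand + (uint32_t)jiffies) % (uint32_t)remaining);
}

/* Same rekey condition as the patch, on explicit state instead of statics. */
void maybe_rekey(struct port_rng *st, uint32_t now_sec)
{
    if (!st->rekeyt || (now_sec - st->rekeyt) > REKEY_TIME) {
        st->rekeyt = now_sec;
        st->rand = stub_random_bytes();
    }
}

/* Pick a free port in [low, high]. used[port - low] != 0 marks a bound port
 * (constructed stand-in for the bind-hash lookup). Returns -1 when none is free. */
int pick_port(struct port_rng *st, uint32_t now_sec, unsigned long jiffies,
              int low, int high, int port_rover, const unsigned char *used)
{
    int remaining = (high - low) + 1;
    int tries = remaining;
    int rover;

    maybe_rekey(st, now_sec);
    /* Start at the rover plus the random offset, kept inside [low, high]
     * so the offset is never thrown away by the wrap below. */
    rover = low + (int)(((uint32_t)(port_rover - low) +
                         (uint32_t)offset_fixed(st->rand, jiffies, remaining))
                        % (uint32_t)remaining);
    /* Rover-and-wrap loop as in tcp_v4_get_port: every port gets one try. */
    do {
        rover++;
        if (rover > high)
            rover = low;
        if (!used[rover - low])
            return rover;
    } while (--tries > 0);
    return -1;
}

int main(void)
{
    struct port_rng st = {0, 0};
    unsigned char used[4] = {0, 1, 1, 0};           /* 1025 and 1026 bound */
    printf("patch offset safe at jiffies=40000, remaining=40000: %s\n",
           patch_offset_is_safe(40000, 40000) ? "yes" : "no (divide by zero)");
    printf("picked port: %d\n", pick_port(&st, 100, 12345, 1024, 1027, 1024, used));
    return 0;
}
```

Within one REKEY_TIME window `rand` is fixed, so the start point is a function of `jiffies` alone; the fix above removes the crash and the range bias, but the reuse window itself is the security trade-off the constant's comment should spell out.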