[mosh-devel] Concerns about mosh's security at the Broad Institute

Keith Winstein keithw at cs.stanford.edu
Sun Aug 9 14:54:35 EDT 2015


On Sat, Aug 8, 2015 at 7:36 AM, C.v.St. <stucki-spam at t-online.de> wrote:
> The more ports of a host are not firewalled, the more ports an attacker
> can use to send faked packets to, to provoke (e.g.) misdirected 'ICMP
> PORT UNREACHABLE' responses to a third party.  So opening more ports
> makes somebody unknown elsewhere more vulnerable and makes a 'local
> server' machine more suspect. So some people strictly minimize the
> number of visible ports to the outside to only a few well known ports.

I don't follow this argument about how "opening more ports makes
somebody unknown elsewhere more vulnerable" -- am I missing something
here?

From some quick measurements, Linux throttles its ICMP port
unreachable messages on a total outgoing basis.

It doesn't matter how many ports you have open -- 1,000 incoming
datagrams to the same port will get the same number of IP port
unreachables as 1 incoming datagram directed to each of 1,000 ports.

It doesn't matter whether the IP datagrams are TCP or UDP. (ICMP port
unreachables are sent in reply to both.)

It doesn't even matter whether a socket is listening on that port or
not. If something is listening, Linux will respond with a TCP SYNACK
(if TCP) or a Mosh reply message (if Mosh and if the incoming datagram
passed the integrity check against the shared secret key). If nothing
is listening, Linux will respond with an ICMP port unreachable. A TCP
SYNACK can be larger than an ICMP port unreachable.

In all these cases, an incoming IP datagram earns a reply to the
apparent IP source address -- but there is no significant
amplification.

So I don't follow the concern here. If an institution is really
worried about ICMP, it should block ICMP. But in what respect is an
ICMP port unreachable reply, when directed to a third party, more
harmful than a TCP SYNACK or other reply? (Mosh in general fixes this
problem of third-party attacks by not responding to anything unless it
passes the integrity check.)

-Keith
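
Added example, not part of the thread above and not code from Keith's
measurements or from the mosh project: a simplified model of Linux's
global ICMP error rate limiter, used to check the "total outgoing basis"
argument, i.e. that the number of ICMP port-unreachable replies depends
on the total incoming datagram rate and not on how many closed ports the
probes fan out to. Assumptions, labelled as such: the limiter is modelled
as a token bucket refilled continuously at net.ipv4.icmp_msgs_per_sec
(default 1000) and capped at net.ipv4.icmp_msgs_burst (default 50); the
real kernel refills in jiffy-granular steps and additionally applies a
per-destination limit (net.ipv4.icmp_ratelimit), both ignored here. The
reply size follows the ICMP error layout of a 20-byte IP header plus an
8-byte ICMP header plus as much of the offending datagram as fits in 576
bytes. The probe traces are constructed inline; no packets are sent.

```python
# Added example (not from the mosh-devel thread or the mosh project).
# Simplified model of Linux's global ICMP error rate limiter; see the
# lead-in for the assumptions it makes.
from typing import Dict, List, Optional, Tuple

IP_HDR = 20
ICMP_HDR = 8
ICMP_ERR_MAX = 576        # assumption: largest ICMP error datagram emitted
UDP_MIN = IP_HDR + 8      # smallest UDP/IP datagram: IP header + 8-byte UDP header

# A constructed probe is (arrival time in microseconds, destination port, IP length).
Probe = Tuple[int, int, int]


class GlobalIcmpLimiter:
    """Token bucket modelling icmp_msgs_per_sec / icmp_msgs_burst (assumption:
    continuous refill).  Credit is kept in micro-tokens so the arithmetic is exact."""

    TOKEN = 1_000_000

    def __init__(self, msgs_per_sec: int = 1000, burst: int = 50) -> None:
        self.msgs_per_sec = msgs_per_sec
        self.burst = burst
        self.credit = burst * self.TOKEN   # bucket starts full
        self.stamp_us = 0

    def allow(self, now_us: int) -> bool:
        # elapsed_us * msgs_per_sec is exactly the micro-tokens earned since last call.
        elapsed = max(0, now_us - self.stamp_us)
        self.credit = min(self.burst * self.TOKEN,
                          self.credit + elapsed * self.msgs_per_sec)
        self.stamp_us = now_us
        if self.credit >= self.TOKEN:
            self.credit -= self.TOKEN
            return True
        return False


def icmp_unreachable_len(orig_ip_len: int) -> int:
    """Size of the ICMP port-unreachable reply for an offending datagram of orig_ip_len bytes."""
    quoted = min(orig_ip_len, ICMP_ERR_MAX - IP_HDR - ICMP_HDR)
    return IP_HDR + ICMP_HDR + quoted


def simulate(probes: List[Probe], limiter: Optional[GlobalIcmpLimiter] = None) -> Dict[str, float]:
    """Feed probes (all to closed ports) through the limiter; count replies and bytes."""
    limiter = limiter or GlobalIcmpLimiter()
    bytes_in = bytes_out = replies = 0
    ports = set()
    for t_us, port, ip_len in sorted(probes):
        ports.add(port)
        bytes_in += ip_len
        if limiter.allow(t_us):            # the limiter never looks at the port
            replies += 1
            bytes_out += icmp_unreachable_len(ip_len)
    return {"probes": len(probes), "ports": len(ports), "replies": replies,
            "bytes_in": bytes_in, "bytes_out": bytes_out,
            "amplification": bytes_out / bytes_in if bytes_in else 0.0}


def burst_same_port(n: int = 1000, spacing_us: int = 10, size: int = UDP_MIN) -> Dict[str, float]:
    """n minimum-size UDP probes to a single closed port, spacing_us apart (constructed trace)."""
    return simulate([(i * spacing_us, 40000, size) for i in range(n)])


def burst_spread_ports(n: int = 1000, spacing_us: int = 10, size: int = UDP_MIN) -> Dict[str, float]:
    """Same arrival pattern, but every probe hits a different closed port (constructed trace)."""
    return simulate([(i * spacing_us, 40000 + i, size) for i in range(n)])


if __name__ == "__main__":
    for name, res in (("same port", burst_same_port()), ("1000 ports", burst_spread_ports())):
        print(f"{name:>10}: {res['replies']} replies to {res['probes']} probes "
              f"({res['ports']} ports), {res['bytes_out']}/{res['bytes_in']} bytes, "
              f"amplification {res['amplification']:.2f}")
```

With the default parameters both traces earn the same 59 replies (the
50-message burst plus one per millisecond for the remaining 9 ms), so
spreading the probes over 1000 ports changes nothing. Even with the
limiter disabled (a very large burst) a minimum-size 28-byte UDP probe
draws a 56-byte unreachable, a factor of two at most, and the factor
falls towards one as the probe grows, which is why these replies are
not attractive as a reflection vector.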
