Bugtraq mailing list archives

Re: RE: TCP Port randomization paper


From: Amit Klein <amit.klein () trusteer com>
Date: Tue, 18 Dec 2007 09:28:16 +0200

Hi Fernando+BugTraq

Please see my comments below.

...
>
> Well, I guess this is the point at which an engineering
> decision is made. I mean, if one is concerned with traffic
> analysis, then make TABLE_LENGTH as large as possible. e.g.,
> with only 2KB of memory, you could compartmentalize the port
> space into 1024 sections.
>
>

Even so, an attacker can poll a section, or several sections (forcing the target host to connect to different IP:port combinations), and thereby gain a good estimation of the traffic (assuming it is uniformly distributed across all sections). Now, that assumption doesn't always hold (e.g. if the host only connects to several dozen other hosts), but when it does hold, traffic can be measured. True - it is weaker than the global attack, but still...

Alternatively, and assuming non-uniform (section-wise) traffic, the attacker can start with "scanning" the sections (e.g. connect to port 1 of the attacker's IP, watch for traffic, then connect to port 2, watch for traffic, etc.) - within a few thousand iterations (assuming TABLE_LENGTH==1024), the section space will be almost completely covered. And the attacker will have a good idea of where (i.e. in which section(s)) the traffic is. Then the attacker only needs to monitor those sections. This assumes that the traffic pattern is time-wise uniform, of course.

-Amit

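The two measurements Amit describes above, simulated as an added example. This is not code from the thread, from the paper under discussion, or from any real TCP stack: the target's port selector is a simplified model (an assumption) of the table-based algorithm with TABLE_LENGTH per-section counters, where a keyed hash of (dst_ip, dst_port) picks the section; the HMAC construction, the addresses, the secrets and the traffic figures are all constructed for the example. The attacker is assumed to be able to make the target connect to attacker_ip:port_k at will and to see the source port the target uses. The first scenario (uniform traffic) scales a per-section count by TABLE_LENGTH; the second (traffic to a handful of peers) scans attacker ports until one lands in a busy section; the coupon-collector figure shows why "a few thousand" probes suffice for 1024 sections.

```python
"""Simulation of per-section traffic measurement against a table-based
port selector (added example; simplified model, not a real stack)."""
import hashlib
import hmac
import random

MIN_PORT = 1024
MAX_PORT = 65535
NUM_EPHEMERAL = MAX_PORT - MIN_PORT + 1
ATTACKER_IP = "203.0.113.7"  # constructed (TEST-NET-3)


class TableBasedPortSelector:
    """Assumed model: port = min + (table[F(dst)] + G(dst)) mod N, then table[F(dst)]++."""

    def __init__(self, table_length, secret, rng):
        self.table_length = table_length
        self.secret = secret
        # Every section counter starts at an independent random value.
        self.table = [rng.randrange(NUM_EPHEMERAL) for _ in range(table_length)]

    def _keyed(self, label, dst_ip, dst_port):
        msg = f"{label}|{dst_ip}|{dst_port}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big")

    def section(self, dst_ip, dst_port):
        # F(): which per-section counter this destination uses.
        return self._keyed("F", dst_ip, dst_port) % self.table_length

    def next_port(self, dst_ip, dst_port):
        idx = self.section(dst_ip, dst_port)
        offset = self._keyed("G", dst_ip, dst_port) % NUM_EPHEMERAL
        port = MIN_PORT + (self.table[idx] + offset) % NUM_EPHEMERAL
        self.table[idx] = (self.table[idx] + 1) % NUM_EPHEMERAL
        return port


def measure(target, attacker_port, background):
    """Probe, let the target's other traffic happen, probe again.
    The jump between the two observed source ports, minus the attacker's own
    first probe, is the number of connections made into that section."""
    p1 = target.next_port(ATTACKER_IP, attacker_port)
    background()
    p2 = target.next_port(ATTACKER_IP, attacker_port)
    return (p2 - p1 - 1) % NUM_EPHEMERAL


def uniform_traffic_estimate(table_length=32, probes=8, chunk=1600, seed=1):
    """Scenario 1: traffic spread over many hosts. Returns (true, estimate);
    the attacker multiplies each per-section count by TABLE_LENGTH."""
    rng = random.Random(seed)
    target = TableBasedPortSelector(table_length, b"constructed-secret-1", rng)

    def background():  # constructed traffic to random destinations
        for _ in range(chunk):
            target.next_port(f"198.51.100.{rng.randrange(256)}", rng.randrange(1, 65536))

    estimate = 0
    for k in range(1, probes + 1):
        estimate += measure(target, k, background) * table_length
    return probes * chunk, estimate


def scan_for_busy_sections(table_length=32, scan_ports=400, per_peer=20, seed=2):
    """Scenario 2: traffic concentrated on a few peers. The attacker scans
    attacker ports 1..scan_ports; a port whose counter moves shares a section
    with a real peer. Returns (sections holding the peers, sections found)."""
    rng = random.Random(seed)
    target = TableBasedPortSelector(table_length, b"constructed-secret-2", rng)
    peers = [("192.0.2.10", 443), ("192.0.2.20", 443), ("192.0.2.30", 25)]  # constructed

    def background():  # the target talks only to its three peers
        for ip, port in peers:
            for _ in range(per_peer):
                target.next_port(ip, port)

    busy_ports = [k for k in range(1, scan_ports + 1) if measure(target, k, background) > 0]
    # The attacker only learns "port k is busy" and keeps polling those ports;
    # the translation to section indices below is just to check the result.
    found = {target.section(ATTACKER_IP, k) for k in busy_ports}
    true_sections = {target.section(ip, port) for ip, port in peers}
    return true_sections, found


def expected_probes_to_cover(table_length):
    """Expected distinct destinations needed to hit every section at least
    once (coupon collector: n * H_n)."""
    return table_length * sum(1.0 / i for i in range(1, table_length + 1))


if __name__ == "__main__":
    true_n, est = uniform_traffic_estimate()
    print(f"uniform: target made {true_n} connections, attacker estimates {est}")
    true_s, found = scan_for_busy_sections()
    print(f"scan: peers in sections {sorted(true_s)}, attacker found {sorted(found)}")
    print(f"expected probes to cover 1024 sections: {expected_probes_to_cover(1024):.0f}")
```

The uniform estimate is noisy in proportion to TABLE_LENGTH (each probe sees only 1/TABLE_LENGTH of the traffic), which is the sense in which the attack is weaker than a global-counter leak; the scan scenario is not affected by that, since once a busy attacker port is known every connection to the peer in that section is counted exactly.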
