Server #14
Merged
Server #14
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When possible probe responses were received but no associated session entry was present, we simply passed the packet onward. As for both UDP and TCP a reserved port should be assigned for reverse traceroute probes, such probe responses are now dropped even with no session present. ICMP is a special case: As we cannot reserve the ID field in the ICMP header, as it is frequently used by classic traceroute/ping to match request and responses, the identifier of such programs may collide with reverse traceroute probes. To mitigate the effects of such rare collisions, any possible ICMP probe responses are passed on if no session exists, which allows classic traceroute/ping to parse those packets.
…on ring_buffer error.
Until now, the ICMP identifier of the probe contained the constant probe id, which is used to check if the response may be an answer to a probe. This has the drawback, that when ping/traceroute are run on the server machine, the ICMP identifier could overlap, leading to ping/traceroutes responses being dropped by reverse traceroute. Now the constant probe identifier is encoded into the ICMP sequence, setting it to the constant value 0xffff. The clients query id is encoded into the probes identifier. This the following advantage: As classic traceroute uses its process id to encode it inside the ICMP identifier of generated probes and sequentially increments the ICMP sequence field to match individual probes with responses, the likelyhood of clashes with a reverse traceroute server is minimal: That is because we chose the highest possible value for the probe identifier to be encoded into the ICMP sequence field. Classic traceroute/ping will terminate before they reach such a high sequence, and even if they do, this will lead to a single response being dropped by the interference of reverse traceroute. Paris-Traceroute on the other hand increments the ICMP identifier and keeps the sequence at 0. There should be no clashes with this tool either.
Introduced new logging type for existing session clashes. Simplified session creation by utilizing return values to determine the error condition instead of relying on multiple calls in turn.
Until now, the probes payload consisted of a 4-byte payload which was computed by simple addition/subtraction to balance out the checksum. As payload computation was fully predictable with the operands set by the client (and extracted by the server from the tr-requests), the client had the ability to create a potentially malicious payload. Now the payload size is increased to 8-bytes, 6 of which are randomly generated. The last 2 bytes are used to balance out the checksum. By introducing randomness into the computation, a malicious user no longer has the ability to take control over the payload.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introducing Probe Randomization
Until now, the probes payload consisted of a 4-byte payload
which was computed by simple addition/subtraction to balance
out the checksum.
As payload computation was fully predictable with the operands
set by the client (and extracted by the server from the tr-requests),
the client had the ability to create a potentially malicious payload
that could be delivered to targets via IP spoofing.
Now the payload size is increased to 8-bytes, 6 of which are pseudo-randomly
generated. The last 2 bytes are used to balance out the checksum.
By introducing randomness into the computation, a malicious user no
longer has the ability to take control over the payload.
Updated ICMP Probe Encoding
Until now, the ICMP identifier of the probe contained the constant probe ID,
which was used to check if the response may be an answer to a probe.
This has the drawback that when ping/traceroute are run on the server
machine, the ICMP identifier could overlap, leading to ping/traceroutes
responses being dropped by reverse traceroute or worse, invalid measurements.
Now the constant probe identifier is encoded into the ICMP sequence,
setting it to the highest possible value
0xffff.The requests query identifier is encoded into the probe's ICMP identifier.
This has the following advantage:
As classic traceroute uses its process ID (or an incremental value) to encode it inside the
ICMP identifier of generated probes and sequentially increments the
ICMP sequence field to match individual probes with responses,
the likelihood of clashes with a reverse traceroute server is
minimal: That is because we chose the highest possible value for the
probe identifier to be encoded into the ICMP sequence field. Classic
traceroute/ping will terminate before they reach such a high
sequence, and even if they do, this will lead to a single response
being dropped by the interference of reverse traceroute.
Paris-Traceroute on the other hand increments the ICMP identifier
and keeps the sequence at 0. There should be no clashes with
this tool either.
Dropping Traceroute Responses with no active Session
All possible reverse traceroute responses are now dropped when no corresponding session can be found by the server.
As both UDP and TCP probes are identified by the source port
1021, a port number reserved for experimental use,traffic should not be disrupted (unless of course other software relies on the use of this port number).
With the updated probe encoding ICMP probes use the sequence
0xffff.Possible responses that reflect this value are therefore dropped as well.