Date: 13 Apr 1999 14:54:51 -0400
From: Lowell Gilbert <lowell@world.std.com>
To: Keith Stevenson <k.stevenson@louisville.edu>, freebsd-security@freebsd.org
Subject: Re: Sequential TCP port allocation?
Message-ID: <rd6hfqk1hc4.fsf@world.std.com>
In-Reply-To: Keith Stevenson's message of Tue, 13 Apr 1999 12:31:25 -0400
References: <19990412120126.B15762@homer.louisville.edu> <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com> <19990413113039.H17083@puck.nether.net> <19990413123125.B25109@homer.louisville.edu>
Keith Stevenson <k.stevenson@louisville.edu> writes:

> FreeBSD 2.2.8-STABLE appears to allocate TCP ports in sequential order. ISS
> identifies this as a potential security issue. My question is whether or not
> a sysctl or other configuration parameter exists which causes TCP ports to be
> allocated in a more random order. Furthermore, does anyone know whether or not
> FreeBSD 3.1-STABLE exhibits the same port allocation behavior as 2.2.8?

Yes, it seems to, and while I haven't got the time at the moment to understand this implementation in depth, it also seems as though changing it to be "more random" might be, um, hard. There is (currently) no list kept of unused ports, so when nearly all of the ports are in use, random sampling could behave very badly indeed in terms of coming up with a port that wasn't already in use. I wonder if starting from a randomly-selected port and counting until you got to an empty one would qualify as "random enough"...

> What I do not want is to participate in a debate over whether or not
> sequential port allocation is a "real" security exposure.

Fair enough, but don't be surprised if the volunteers who you are asking for help are more motivated to look at it if they think it's a "real" problem.

Be well.
Lowell Gilbert

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
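The two allocation strategies Lowell contrasts above, pure random sampling versus a random start followed by a linear scan, are easy to compare in a small simulation. The following is an added example written for this archive page; it is not FreeBSD kernel code and not code from either poster. It assumes a constructed ephemeral range of 1024..65535 tracked in a bitmap with no free list (the situation the message describes), and uses a deterministic xorshift32 generator purely so the run is reproducible; a real kernel would draw from a CSPRNG.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed simulation of an ephemeral-port table (not FreeBSD code).
 * Ports PORT_LO..PORT_HI are tracked in a bitmap; there is deliberately no
 * list of free ports, matching the situation described in the message.
 */
#define PORT_LO 1024
#define PORT_HI 65535
#define NPORTS  (PORT_HI - PORT_LO + 1)

static uint8_t inuse[(NPORTS + 7) / 8];
int g_last_probes;   /* number of ports examined by the last allocation call */

static int port_inuse(int p)
{
    int i = p - PORT_LO;
    return (inuse[i / 8] >> (i % 8)) & 1;
}

static void port_set(int p, int v)
{
    int i = p - PORT_LO;
    if (v)
        inuse[i / 8] |= (uint8_t)(1u << (i % 8));
    else
        inuse[i / 8] &= (uint8_t)~(1u << (i % 8));
}

/* xorshift32: deterministic so the simulation is reproducible. A kernel
 * would use a real CSPRNG (e.g. arc4random()) instead. */
static uint32_t rng_state = 0x9E3779B9u;   /* any non-zero seed works */
static uint32_t rnd(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}
static int rnd_port(void) { return PORT_LO + (int)(rnd() % NPORTS); }

void clear_table(void) { memset(inuse, 0, sizeof inuse); }

/* Mark every port busy except one: the near-exhausted table the message
 * warns about. */
void fill_all_but(int free_port)
{
    memset(inuse, 0xff, sizeof inuse);
    port_set(free_port, 0);
}

/* Strategy 1: pick uniformly at random and retry on collision. Without a
 * free list this is unbounded in principle, so a cap is needed; returns -1
 * when the cap is hit. */
int alloc_random_sample(int max_tries)
{
    for (int n = 1; n <= max_tries; n++) {
        int p = rnd_port();
        if (!port_inuse(p)) {
            port_set(p, 1);
            g_last_probes = n;
            return p;
        }
    }
    g_last_probes = max_tries;
    return -1;
}

/* Strategy 2: random starting point, then scan upward with wraparound.
 * Terminates after at most NPORTS probes and always finds a free port if
 * one exists; returns -1 only when the table is genuinely full. */
int alloc_random_start_scan(void)
{
    int start = rnd_port();
    for (int i = 0; i < NPORTS; i++) {
        int p = PORT_LO + (start - PORT_LO + i) % NPORTS;
        if (!port_inuse(p)) {
            port_set(p, 1);
            g_last_probes = i + 1;
            return p;
        }
    }
    g_last_probes = NPORTS;
    return -1;
}

int main(void)
{
    fill_all_but(40000);
    int p = alloc_random_sample(1000);
    printf("rejection sampling : port %d after %d tries (cap 1000)\n", p, g_last_probes);

    fill_all_but(40000);
    p = alloc_random_start_scan();
    printf("random start + scan: port %d after %d probes\n", p, g_last_probes);
    return 0;
}
```

With one free port out of 64512, rejection sampling has about a 1.5% chance of succeeding within 1000 draws, while the scan is guaranteed to land on the free port within one pass. The caveat on "random enough" is that the scan is not uniform: a free port sitting just after a long run of busy ports is chosen far more often than one sitting after a free port, so the first allocation after a random start is less predictable than sequential assignment but still biased by the table's layout.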