OK, now I want to discuss how to effectively deploy a false node, possible
counter-measures, counter-counter-measures, and so on. At first, an
attacker may stop once they get a positive (even a false positive), but they
will stop that once they know about deploying false nodes.
First, assume a port scanner will go through ports 1024-MAX_PORT in numeric
order. To be effective, a false node should be put at a port lower than
your Freenet node. When the false node is tripped, it warns the real node,
which then shuts down. A secondary false node (which does not even try to
act like a real node with a DH key exchange, etc.) is deployed above the
port. When the port scanner hits it, he only notices a silent connection
and moves on, but in reality he just gave the real node an all-clear signal.
The fact that the secondary node appears silent is important, or an attacker
will become suspicious of finding two nodes on the same system. Additionally,
the attacker will know that the real node has to be between the two
pseudo-true responses and can then scan in between those two ports.
To counter this, an attacker can scan in reverse numeric order, thus hitting
the silent node first, then the real node, then the false node. Thus, our
scheme fails.
The counter-counter-measure to this is to deploy false nodes in a cluster.
For brevity, this will also counter another trick that could be done by an
attacker, which is creating a list of possible ports, choosing one at
random, then discarding the ones that come up silent.
I have also classified the two types of fake nodes into "pseudo-real" for
those that act like a real node and "silent" for those that just listen for
connections. In the list, silent nodes are listed by an alphabetical ident,
pseudo-real ones by numeric ident. The port numbers are just examples, not
suggestions.
n Top of port scan
...
2456 Fake node A (silent)
...
3682 Fake node 1 (pseudo-real)
...
3894 Fake node B (silent)
...
4572 Fake node 2 (pseudo-real)
...
4758 Fake node C (silent)
...
8902 Real node
...
9126 Fake node D (silent)
...
10235 Fake node 3 (pseudo-real)
...
10654 Fake node E (silent)
...
16534 Fake node 4 (pseudo-real)
...
19384 Fake node F (silent)
Note that the fake nodes are actually the same program running multiple
threads with a common event handler for communication. For the reasons of
saving computer resources, I suggest this program be written in C or C++,
not Java.
When a port scan is done, the program attempts to classify it into three
types:
1) A numeric-order scan. In this case, it will hit A first, then 1, then
B. A recognizes a scan on its port and since nothing but a port scan
would be trying to connect to it, it warns the others. Once the port scan
reaches 1, the pseudo-real node there warns all others. At this point, all
pseudo-real nodes become silent until an all-clear signal is given by F
(except A, which completes its false exchange with the port scanner and then
runs silent) and the real node is taken off-line. The port scanner passes
by the real node, then hits D, which gives an all-clear signal to the real
node, which then begins normal operations again. The rest of the fake nodes
stay silent, but pseudo-real ones come back up upon the port scanner hitting
their port. Then the scan hits F, which gives an all-clear to everyone.
2) Reverse-numeric order. Just like above, except the program sees the
attack hit F first, then 4, then E, and so on, altering the above method as
necessary.
3) Random list. I don't think there is a solid answer to this (at least as
relatively solid as the last two). The best we can do is count on the scan
hitting a false node first, which warns the others. This requires a
safety-in-numbers of false nodes. To get a confirmed type of random list
attack, the attack must hit any false node first, then another false node
not next to that same false node. When it hits the first node (say, D), it
warns everyone to rig for silent running. When it hits a second
non-adjacent false node (say, 3), it confirms a random-list attack and
doesn't give an all-clear to the node until all ports running false nodes
are hit, including the real-node port.
Whew, enough typing for now.
_______________________________________________
Freenet-chat mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/freenet-chat
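The scan-handling rules laid out in the post above, as an added simulation that is not the poster's program (the post suggests C or C++; this is Python for readability). It assumes the post's example port layout, treats "adjacent" as neighbouring decoys in port order with the real node skipped, and adds one extension the post does not state: a scan first judged as ordered that later breaks sequence is downgraded to a random list. The `run_scan` helper and all names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

REAL, PSEUDO, SILENT = "real", "pseudo-real", "silent"

# Constructed layout copied from the post's example table; the port numbers
# are illustrative, not a recommendation.
EXAMPLE_LAYOUT = {
    2456: SILENT, 3682: PSEUDO, 3894: SILENT, 4572: PSEUDO, 4758: SILENT,
    8902: REAL,
    9126: SILENT, 10235: PSEUDO, 10654: SILENT, 16534: PSEUDO, 19384: SILENT,
}


@dataclass
class Cluster:
    """Common event handler for one real node and its decoys (assumed design)."""
    layout: dict
    scan_type: Optional[str] = None            # None, "numeric", "reverse", "random"
    hits: list = field(default_factory=list)   # decoy ports hit during this scan
    real_hit: bool = False                     # scanner touched the real port
    real_online: bool = True
    silent_running: bool = False
    completed: list = field(default_factory=list)  # types of scans already handled

    def __post_init__(self):
        self.decoys = sorted(p for p, r in self.layout.items() if r != REAL)
        self.real_port = next(p for p, r in self.layout.items() if r == REAL)
        self.release_up = min(p for p in self.decoys if p > self.real_port)    # "D"
        self.release_down = max(p for p in self.decoys if p < self.real_port)  # "C"

    def _adjacent(self, a, b):
        # neighbours in decoy order; the real node between C and D does not count
        return abs(self.decoys.index(a) - self.decoys.index(b)) == 1

    def _reset(self):
        # all-clear for everyone: remember the scan type and return to normal
        self.completed.append(self.scan_type)
        self.scan_type, self.hits, self.real_hit = None, [], False
        self.real_online, self.silent_running = True, False

    def connect(self, port):
        """Process one scanner connection to `port`; return the event label."""
        if port not in self.layout:
            return "closed"
        if port == self.real_port:
            self.real_hit = True
            return "real node answered" if self.real_online else "closed"
        self.hits.append(port)
        if not self.silent_running:
            # first decoy tripped: warn everyone, real node goes off-line
            self.silent_running, self.real_online = True, False
            return "alarm"
        prev = self.hits[-2]
        if self.scan_type is None:
            # second hit decides: adjacent decoy -> ordered scan, otherwise random
            if self._adjacent(prev, port):
                self.scan_type = "numeric" if port > prev else "reverse"
            else:
                self.scan_type = "random"
        elif self.scan_type != "random":
            # extension to the post: an ordered scan that breaks sequence is random
            ascending = self.scan_type == "numeric"
            if not (self._adjacent(prev, port) and (port > prev) == ascending):
                self.scan_type = "random"
        # in an ordered scan a pseudo-real decoy comes back up for its own port
        if self.layout[port] == PSEUDO and self.scan_type in ("numeric", "reverse"):
            seen = "pseudo-real exchange"
        else:
            seen = "silent"
        if self.scan_type == "numeric":
            if port == self.release_up:
                self.real_online = True        # scanner is already past the real node
            if port == self.decoys[-1]:
                self._reset()                  # top decoy: all-clear for everyone
        elif self.scan_type == "reverse":
            if port == self.release_down:
                self.real_online = True
            if port == self.decoys[0]:
                self._reset()
        elif self.real_hit and set(self.hits) >= set(self.decoys):
            self._reset()                      # random list: wait for every port
        return seen


def run_scan(layout, ports):
    """Feed a scan order to a fresh cluster; return (scan type, what the real port showed, events)."""
    c = Cluster(dict(layout))
    events = [(p, c.connect(p)) for p in ports]
    real_seen = next((e for p, e in events if p == c.real_port), None)
    scan_type = c.completed[-1] if c.completed else c.scan_type
    return scan_type, real_seen, events


if __name__ == "__main__":
    for label, order in [("ascending", range(1024, 20001)),
                         ("descending", reversed(range(1024, 20001))),
                         ("random list", [9126, 10235, 2456, 8902, 3682, 3894,
                                          4572, 4758, 10654, 16534, 19384])]:
        scan_type, real_seen, _ = run_scan(EXAMPLE_LAYOUT, order)
        print(f"{label}: classified as {scan_type}, real port showed '{real_seen}'")
```

The ascending and descending scans are covered exactly as the post describes: the real port looks closed while the scan passes, and the real node is released by the first decoy on the far side. The random-list run shows both the limitation the post concedes and the extension: the first two hits (D then 3) happen to be adjacent and are read as an ordered scan, the third hit breaks the sequence and downgrades it, and no all-clear is given until every decoy port and the real port have been touched. Feeding the real port first (before any decoy) yields "real node answered", which is the failure mode the post says safety in numbers is meant to make unlikely.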