----- Original Message -----
From: "Aaron P Ingebrigtsen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 29, 2000 12:00 AM
Subject: Re: [Freenet-chat] False nodes
>
> On Wed, 27 Dec 2000 11:29:59 -0600 "Timm Murray" <[EMAIL PROTECTED]> writes:
> > OK, now I want to discuss how to effectively deploy a false node,
> > possible counter-measures, counter-counter-measures, and so on. At
> > first, an attacker may stop once they get a positive (even a
> > false-positive), but They will stop that once they know about
> > deploying false nodes.
> >
> > First, assume a port scanner will go through ports 1024-MAX_PORT in
> > numeric order. To be effective, a false node should be put at a port
> > lower than your Freenet node. When the false node is tripped, it
> > warns the real node, which then shuts down. A secondary false node
> > (which does not even try to act like a real node with a DH key
> > exchange, etc.) is deployed above the port. When the port scanner
> > hits it, he only notices a silent connection and moves on, but in
> > reality he just gave the real node an all-clear signal.
> >
> > The fact that the secondary node appears silent is important, or an
> > attacker will become suspicious of finding two nodes on the same
> > system. Additionally, the attacker will know that the real node has
> > to be between the two pseudo-true responses and can then scan in
> > between those two ports.
> >
> > To counter this, an attacker can scan in reverse numeric order, thus
> > hitting the silent node first, then the real node, then the false
> > node. Thus, our scheme fails.
> >
> > The counter-counter-measure to this is to deploy false nodes in a
> > cluster. For brevity, this will also counter another trick that
> > could be done by an attacker, which is creating a list of possible
> > ports, choosing one at random, then discarding the ones that come up
> > silent.
> >
> > I have also classified the two types of fake nodes into
> > "pseudo-real" for those that act like a real node and "silent" for
> > those that just listen for connections. In the list, silent nodes
> > are listed by an alphabetical ident, pseudo-real ones by numeric
> > ident. The port numbers are just examples, not suggestions.
> >
> > n Top of port scan
> > ...
> > 2456 Fake node A (silent)
> > ...
> > 3682 Fake node 1 (pseudo-real)
> > ...
> > 3894 Fake node B (silent)
> > ...
> > 4572 Fake node 2 (pseudo-real)
> > ...
> > 4758 Fake node C (silent)
> > ...
> > 8902 Real node
> > ...
> > 9126 Fake node D (silent)
> > ...
> > 10235 Fake node 3 (pseudo-real)
> > ...
> > 10654 Fake node E (silent)
> > ...
> > 16534 Fake node 4 (pseudo-real)
> > ...
> > 19384 Fake node F (silent)
> >
> > Note that the fake nodes are actually the same program running
> > multiple threads with a common event handler for communication. For
> > the reasons of saving computer resources, I suggest this program be
> > written in C or C++, not Java.
> >
> > When a port scan is done, the program attempts to classify it into
> > three types:
> >
> > 1) A numeric-order scan. In this case, it will hit A first, then 1,
> > then B. A recognizes a scan on its port and since nothing but a port
> > scan would be trying to connect to it, it warns the others. Once the
> > port scan reaches 1, the pseudo-real node there warns all others. At
> > this point, all pseudo-real nodes become silent until an all-clear
> > signal is given by F (except A, which completes its false exchange
> > with the port scanner and then runs silent) and the real node is
> > taken off-line. The port scanner passes by the real node, then hits
> > D, which gives an all-clear signal to the real node, which then
> > begins normal operations again. The rest of the fake nodes stay
> > silent, but pseudo-real ones come back up upon the port scanner
> > hitting their port. Then the scan hits F, which gives an all-clear
> > to everyone.
> >
> > 2) Reverse-numeric order. Just like above, except the program sees
> > the attack hit F first, then 4, then E, and so on, altering the
> > above method as necessary.
> >
> > 3) Random list. I don't think there is a solid answer to this (at
> > least as relatively solid as the last two). The best we can do is
> > count on the scan hitting a false node first, which warns the
> > others. This requires a safety-in-numbers of false nodes. To get a
> > confirmed type of random list attack, the attack must hit any false
> > node first, then another false node not next to that same false
> > node. When it hits the first node (say, D), it warns everyone to rig
> > for silent running. When it hits a second non-adjacent false node
> > (say, 3), it confirms a random-list attack and doesn't give an
> > all-clear to the node until all ports running false nodes are hit,
> > including the real-node port.
> >
> > Whew, enough typing for now.
>
> Wow, I'm impressed. I think that would work really well, unless the
> first node a random list port scan hits is the real node, in which case,
> you're screwed. Would They be able to somehow get lists of IPs and ports
> the same way freenet nodes do? If they are able to, that's bad. If not,
> yay. :)
Yeah: Run a node. In any case, this is just to make you safe from port
scanning, which may or may not be what MediaEnforcer is doing (I don't think
so, due to the inefficiency of port scanning large blocks of IPs, but since
nobody knows for sure, I'd like to be safe from all possibilities). If it
becomes illegal just to have a node, then all your false nodes can run
silently and They will just pass by your computer.
_______________________________________________
Freenet-chat mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/freenet-chat
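
The scan classification and all-clear rules described in the quoted post, sketched as a small state tracker in C. This is an added example, not code from the thread or from Freenet; the `tracker` struct, `tracker_feed`, and the silent listener that holds the real port while the node is down are assumptions, and the port numbers are the post's own examples.

```c
#include <stdio.h>
/* Decoy ports copied from the post's example list, ascending; index = cluster position. */
static const int DECOYS[] = {2456, 3682, 3894, 4572, 4758, 9126, 10235, 10654, 16534, 19384};
#define NDECOYS ((int)(sizeof DECOYS / sizeof DECOYS[0]))
#define ALL_DECOYS ((1u << NDECOYS) - 1u)
#define REAL_PORT 8902
enum scan_kind { SCAN_NONE, SCAN_UNKNOWN, SCAN_ASCENDING, SCAN_DESCENDING, SCAN_RANDOM };
struct tracker {       /* hypothetical state shared by the decoy threads */
    enum scan_kind kind;
    int last;          /* index of the most recent decoy hit, -1 if none */
    unsigned seen;     /* bitmask of decoys hit so far */
    int real_seen;     /* real port probed while the node was offline */
    int real_online;   /* 1 = real node may accept connections */
};
#define TRACKER_INIT {SCAN_NONE, -1, 0u, 0, 1}

/* Record one inbound connection; returns 1 if the real node may be online. */
int tracker_feed(struct tracker *t, int port) {
    int i = -1;
    for (int k = 0; k < NDECOYS; k++)
        if (DECOYS[k] == port) i = k;
    /* Assumption: a silent listener holds REAL_PORT while the node is down. */
    if (port == REAL_PORT && !t->real_online) t->real_seen = 1;
    if (i >= 0) {
        int step = i - t->last, k = t->kind;
        t->seen |= 1u << i;
        if (k == SCAN_NONE) t->kind = SCAN_UNKNOWN;   /* first hit: warn everyone */
        else if (step == 1 && (k == SCAN_UNKNOWN || k == SCAN_ASCENDING)) t->kind = SCAN_ASCENDING;
        else if (step == -1 && (k == SCAN_UNKNOWN || k == SCAN_DESCENDING)) t->kind = SCAN_DESCENDING;
        else if (step != 0) t->kind = SCAN_RANDOM;    /* non-adjacent hit or reversal */
        t->last = i;
    }
    switch (t->kind) {
    case SCAN_NONE:       t->real_online = 1; break;
    case SCAN_ASCENDING:  t->real_online = DECOYS[t->last] > REAL_PORT; break;
    case SCAN_DESCENDING: t->real_online = DECOYS[t->last] < REAL_PORT; break;
    case SCAN_RANDOM:     t->real_online = (t->seen == ALL_DECOYS) && t->real_seen; break;
    default:              t->real_online = 0;         /* SCAN_UNKNOWN: stay dark */
    }
    return t->real_online;
}

int main(void) {
    struct tracker t = TRACKER_INIT;
    const int scan[] = {2456, 3682, 3894, 4572, 4758, 8902, 9126};  /* constructed ascending scan */
    for (int k = 0; k < 7; k++)
        printf("%5d -> real node %s\n", scan[k], tracker_feed(&t, scan[k]) ? "online" : "offline");
    return 0;
}
```

Feeding the real port before any decoy leaves the tracker in `SCAN_NONE` with the node still online, which is the failure case raised in the reply.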