[PATCH] Add TCP Stealth support to OpenSSH

Julian Kirsch kirschju at sec.in.tum.de
Tue Nov 11 22:10:15 EST 2014


Hi list,

as revealed earlier this year, secret services are actively scanning the
net for vulnerable services in the context of programs like CSEC's LANDMARK
and GCHQ's HACIENDA [0]. We assume that OpenSSH is one of the most
lucrative targets of these programs by using 0-day exploits.

Furthermore, there is a long-running worm on the Internet brute-forcing
access to systems by guessing usernames and passwords, which thanks to
"cloud" computing is virtually impossible to contain. (see, for example,
[1])

TCP Stealth is an IETF draft [2] which has the goal of locking out port
scanners by introducing a symmetric secret which has to be known to both
sides for a connection to succeed. This functionality is implemented by
patching the respective operating system's kernel - in the case of Linux
this is done by the Knock patch [3] which introduces a new setsockopt().

In order to broaden support for TCP Stealth on the user side, we've
created patches for the OpenBSD and Linux versions of OpenSSH which
introduce the -z command line option and a new TCPStealthSecret
configuration option if the running kernel/libc exports the TCP_STEALTH
constant. (PGP signatures of the patch are available at the project
homepage [3].) We would be glad if the maintainers decided to
incorporate our patch into the standard track of OpenSSH.

Best regards,
Julian

---

[0] http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program-for-Internet-Colonization-2292681.html
[1] http://blog.sucuri.net/2013/07/ssh-brute-force-the-10-year-old-attack-that-still-persists.html
[2] http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
[3] https://gnunet.org/knock
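The mail describes the mechanism only at a high level: a secret shared by client and server decides whether a SYN is even answered, so a scanner without the secret sees a closed port. The following is an added, simplified model of that idea written for this page; it is not code from the OpenSSH patches, the Knock kernel patch or the IETF draft, and the exact construction there (which fields are hashed, which hash is used, the window length) differs. Here the client folds the secret, the destination and a coarse time window into the 32-bit initial sequence number with HMAC-SHA256 (the HMAC choice, the 60-second window and the one-window clock slack are assumptions of this example), and the server recomputes and compares before letting the handshake proceed.

```python
"""Simplified model of TCP Stealth's shared-secret SYN check.

Added illustration for this page; not the draft's exact algorithm and not
the Knock or OpenSSH code.  Demonstrates the property the mail relies on:
only a client holding the secret can produce an ISN the server accepts.
"""
import hashlib
import hmac
import struct

# Assumed coarse time window: client and server clocks may drift a little
# without the ISN changing under the client's feet.
WINDOW_SECONDS = 60


def stealth_isn(secret: bytes, dst_ip: str, dst_port: int, now: int) -> int:
    """Client side: derive the 32-bit ISN for a SYN sent at time `now`.

    The ISN authenticates (secret, destination address, destination port,
    time window).  Anyone without `secret` can only guess it.
    """
    window = now // WINDOW_SECONDS
    msg = dst_ip.encode() + struct.pack("!HQ", dst_port, window)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def server_accepts(secret: bytes, dst_ip: str, dst_port: int,
                   isn: int, now: int, slack: int = 1) -> bool:
    """Server side: decide whether a SYN carrying `isn` gets a SYN/ACK.

    Recomputes the expected ISN for the current window and `slack`
    neighbouring windows (clock skew, packets crossing a window boundary)
    and compares in constant time.  A mismatch means the SYN is dropped
    exactly like a SYN to a closed port, which is what hides the service
    from scanners.
    """
    got = struct.pack("!I", isn)
    for delta in range(-slack, slack + 1):
        expected = stealth_isn(secret, dst_ip, dst_port,
                               now + delta * WINDOW_SECONDS)
        if hmac.compare_digest(struct.pack("!I", expected), got):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: a documentation-range address and sshd's port.
    secret, ip, port, t = b"example-shared-secret", "192.0.2.10", 22, 1_415_745_015
    isn = stealth_isn(secret, ip, port, t)
    print("legitimate client accepted:", server_accepts(secret, ip, port, isn, t + 30))
    print("scanner without secret accepted:",
          server_accepts(secret, ip, port, 0x1234_5678, t))
    print("stale ISN two windows old accepted:",
          server_accepts(secret, ip, port, isn, t + 3 * WINDOW_SECONDS))
```

Two properties of the design show up even in this toy: the accept/reject decision has to happen before the SYN is answered, which is why the mail says it needs a kernel patch rather than an application change, and the proof of knowledge has to fit in the 32 bits of the ISN, so the secret limits who can complete a handshake but is not a substitute for SSH's own authentication.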
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-bsd-knock-patch.diff
Type: text/x-patch
Size: 13791 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141111/6d495591/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-linux-knock-patch.diff
Type: text/x-patch
Size: 19457 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141111/6d495591/attachment-0003.bin>