Nmap Development mailing list archives

Re: nping echo protocol security


From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Wed, 27 Jul 2011 10:51:40 +0200

On 07/25/2011 08:07 PM, Toni Ruottu wrote:
  Luis,

What are the security implications for a box that is running a public
nping server? Does it follow that anyone can capture all traffic sent
to that box? Regardless of the answer, I think the protocol
specification should have a chapter on this.

  --Toni


Hi Toni,

As you know, Echo servers can handle multiple simultaneous clients
running multiple echo sessions in parallel. The problem is that when
many clients are connected to the server, as it captures all the traffic
that reaches its network interface, it must be able to determine which
captured packets belong to which clients. To do this, the server
implements a packet matching engine. When a packet is captured, the
server analyzes it, and picks the client that is likely to have produced
the packet. I have implemented many security measures to prevent a
packet from being echoed to the wrong client. However, I cannot
guarantee that the server gets it right 100% of the time.

So the security implications of running a public nping echo server are
that some malicious client might find a way to receive echoed packets
that were not generated by him. I find this very unlikely, but there is
always a risk. However, Nping now implements the --safe-payloads option,
which zeroes the content of any application layer data before echoing a
packet. This should minimize the risks. When that option gets more
testing, we'll probably enable it by default.

About the protocol specification, yes, it could be more complete. I'll
add a TODO item for it.

Regards,

Luis MartinGarcia.
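An added toy illustration of the two ideas in this reply, the server's per-client packet matching and the zeroing of application-layer data before echoing; this is not Nping's own code, and the packet layout, the fields used for matching and the client specs are assumptions for the demo.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ClientSpec:
    """What a client registered with the echo server (assumed fields)."""
    client_id: str
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: Optional[int] = None  # None matches any destination port

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, ip_header_len) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9], ihl

def match_client(pkt: bytes, specs) -> Optional[str]:
    """Pick the single client whose spec fits the captured packet.
    None when zero or several specs match: an ambiguous packet is dropped
    rather than risk echoing it to the wrong client."""
    src, dst, proto, ihl = parse_ipv4(pkt)
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto in (6, 17) else None
    hits = [s for s in specs
            if (s.src_ip, s.dst_ip, s.proto) == (src, dst, proto)
            and (s.dst_port is None or s.dst_port == dport)]
    return hits[0].client_id if len(hits) == 1 else None

def safe_payload(pkt: bytes) -> bytes:
    """Zero application-layer bytes before echoing (the --safe-payloads idea);
    IP and transport headers are kept so the client can still correlate."""
    _, _, proto, ihl = parse_ipv4(pkt)
    if proto == 17:                                   # UDP: fixed 8-byte header
        hdr = ihl + 8
    elif proto == 6:                                  # TCP: data offset field
        hdr = ihl + (pkt[ihl + 12] >> 4) * 4
    else:                                             # unknown: keep IP header only
        hdr = ihl
    return pkt[:hdr] + bytes(len(pkt) - hdr)

def build_udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Constructed sample IPv4/UDP packet for the offline demo (checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SPECS = [ClientSpec("alice", "10.0.0.1", "10.0.0.2", 17, 53),
         ClientSpec("bob", "10.0.0.3", "10.0.0.2", 17)]
SAMPLE = build_udp("10.0.0.1", "10.0.0.2", 40000, 53, b"secret")  # constructed
```

Registering a third spec that overlaps alice's makes the sample packet ambiguous, and `match_client` then refuses to echo it at all.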

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/