Software Release - fwknop-1.9.6
22 July, 2008
The 1.9.6 release of fwknop is ready for download. This release was made at The Last HOPE conference over the weekend in NYC, and introduces several new features that make SPA traffic more difficult to detect on a network even when an IDS is watching. Prior to the 1.9.6 version of fwknop, it was possible to write Snort rules to detect SPA traffic by looking for invariant artifacts from base64 encoding and also from encryption operations (both Rijndael and GnuPG). These artifacts are now stripped out by the fwknop client before being transmitted on the wire, and the result is that SPA packets are now more highly randomized. This implies that SPA packets generated by the 1.9.6 release are not compatible with older fwknop deployments by default, but the client does offer command line arguments to maintain compatibility if necessary. Here is an excerpt from the ChangeLog:
- SPA packets are base64-encoded by the fwknop client, and this encoding
pads data with '=' chars until the total length of the encoded data is a
multiple of four. This characteristic can be used within a Snort rule
to assist in the detection of SPA communications. The 1.9.6 release of
fwknop strips out these padding characters before the client sends an
SPA packet, and the fwknopd server adds them back in (to form a multiple
of four) before base64 decoding the packet data. This reduces the level
of identifying information in SPA packets and therefore makes it more
difficult to detect the usage of SPA for service access. For reference,
a Snort rule that would detect SPA packets via the trailing '=' chars
(previous to this release) would be:
alert udp any any -> any 62201 (msg:"fwknop SPA traffic"; dsize:>150; pcre:"/==$/"; sid:20080001; rev:1;)
- According to the 'file' command (via its 'magic' database), files that
are encrypted with GnuPG begin with 0x8502, and this is true for SPA
packets generated by fwknop (previous to this release). In
fwknop-1.9.6, the "hQ" prefix is removed by the fwknop client and added
back in by the fwknopd server if it doesn't exist. This measure is
another effort to make SPA packets more difficult to detect on the wire,
such as with the following Snort rule:
alert udp any any -> any 62201 (msg:"fwknop GnuPG encrypted SPA traffic"; content:"hQ"; depth:2; dsize:>1000; sid:20080003; rev:1;)
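The two stripping steps described in the ChangeLog entries above, worked through in Python as an added illustration (this is not fwknop's own code): the client drops the '=' padding and the "hQ" prefix, the server restores them before decoding, and a small check mirrors the matching logic of the two Snort rules so you can see which artifacts a legacy packet exposes and a 1.9.6 packet no longer does. Both sample payloads are constructed, not real encrypted SPA data.

```python
import base64

# Constructed samples (not real fwknop or GnuPG data): the first mimics a
# GnuPG-encrypted payload by starting with the 0x85 0x02 bytes the ChangeLog
# mentions; the second stands in for a Rijndael-encrypted payload.
GPG_LIKE = b"\x85\x02" + bytes(i % 256 for i in range(1025))   # 1027 bytes
RIJNDAEL_LIKE = bytes((i * 37 + 11) % 256 for i in range(160))  # 160 bytes


def client_encode(raw: bytes, legacy: bool = False) -> str:
    """Client side: base64-encode and, unless legacy compatibility is wanted,
    strip the '=' padding and a leading "hQ" (the base64 form of 0x85 0x02)."""
    enc = base64.b64encode(raw).decode("ascii")
    if legacy:
        return enc
    enc = enc.rstrip("=")
    if enc.startswith("hQ"):
        # Safe to strip: the third base64 char encodes the low nibble of 0x02
        # (0010) plus two more bits, so it is one of 'I'..'L' and the
        # remainder can never itself begin with "hQ".
        enc = enc[2:]
    return enc


def server_decode(wire: str, gpg: bool) -> bytes:
    """Server side: restore the "hQ" prefix in GnuPG mode if it is absent,
    pad back to a multiple of four, then base64-decode. Legacy packets still
    carry both artifacts and pass through unchanged."""
    if gpg and not wire.startswith("hQ"):
        wire = "hQ" + wire
    wire += "=" * (-len(wire) % 4)
    return base64.b64decode(wire)


def legacy_signature_hits(wire: str) -> bool:
    """Matching logic of the two Snort rules above (dsize thresholds plus the
    trailing '==' / leading "hQ" content). Note the padding rule only ever
    fired for plaintext lengths of 1 mod 3, the one case where base64 emits
    a double '=' (a length of 2 mod 3 yields a single '=', 0 mod 3 none)."""
    pad_rule = len(wire) > 150 and wire.endswith("==")
    gpg_rule = len(wire) > 1000 and wire.startswith("hQ")
    return pad_rule or gpg_rule
```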
- Updated the fwknop client to randomize the UDP source port for default
SPA packet generation. There is also a new command line argument
--Source-port <port> to allow the user to manually set the source port
on the fwknop client command line. A lot more attention is given now to
source ports after the Dan Kaminsky DNS cache poisoning attack, and it turns
out that even on Linux the kernel did not randomize UDP source
ports until the 2.6.24 kernel. Of course, any userspace process is free
to request a random port itself, but if a userspace application did not
build this in then it would be up to the kernel to assign a source port.
In the case of Linux, here are two links that show the change to the
kernel code as well as the ChangeLog entry for UDP source port
randomization:
Kernel commit
ChangeLog-2.6.24