Security Through Varying IPs
alanjstr writes "Reuters is reporting that an ex-CIA director and ex-KGB man have come together and developed a new way of 'hiding' internet communications. It does this by IP hopping: 'The Invicta system uses special cards to link protected computers to a central control unit. It lets clients decide how often they wish to vary IP addresses and specify which applications may be accessed on their network.'" I've always wondered if there could be a way through software to do this. Of course, a centralized server would need to route, which would be a major bandwidth bottleneck.
it's called a "Dial-up account", and I've been using its security feature of random IP addresses (aka "dynamic" IP) for years. News sure travels slowly, huh?
ZKS's Freedom is SOOOOO much better than this product it's ridiculous. This is so far from revolutionary I doubt serious security people will pay much attention to it.
sigs are a waste of space
Been there, done that, downloaded the kernel t-patch. :)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Second, don't the packets contain things like the MAC address of the ethernet card?
Yes, but this changes with every hop of the packet. The initial MAC ID is from your computer, and is the MAC ID of your NIC.
Once this packet hits the first router, it forwards the packet and it now contains the MAC ID of the router's NIC.
The only time tracking MAC IDs is useful is if you are on a broadcast LAN, like ethernet w/ dumb hubs, and you can sniff traffic. Otherwise, it's all the routers'/switches' MACs...
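A toy model of the point made above, added here as an example and not code from the thread: each router strips the Ethernet header and writes a fresh one for the next link, so the sending host's MAC is visible only on the first link, while the IP header (minus the TTL decrement) rides end to end. The hosts, router names and MAC/IP values are constructed sample values.

```python
"""Added example: layer 2 headers are rewritten at every hop, layer 3 is not."""
from dataclasses import dataclass, replace
from typing import List

@dataclass(frozen=True)
class Frame:
    src_mac: str   # layer 2: replaced by each router that forwards the packet
    dst_mac: str
    src_ip: str    # layer 3: carried unchanged from sender to receiver
    dst_ip: str
    ttl: int       # decremented by each router

@dataclass(frozen=True)
class Hop:
    name: str
    in_mac: str    # MAC of the interface the packet arrives on
    out_mac: str   # MAC of the interface it leaves from

def forward(frame: Frame, routers: List[Hop], dst_mac: str) -> List[Frame]:
    """Return the frame as it appears on each link along the path."""
    seen = [frame]
    cur = frame
    for i, r in enumerate(routers):
        # Next-hop MAC is the next router's inbound interface, or the
        # destination host on the final link.
        next_mac = routers[i + 1].in_mac if i + 1 < len(routers) else dst_mac
        cur = replace(cur, src_mac=r.out_mac, dst_mac=next_mac, ttl=cur.ttl - 1)
        seen.append(cur)
    return seen

def links_carrying_mac(frames: List[Frame], mac: str) -> List[int]:
    """Indices of the links on which a given MAC appears in either L2 field."""
    return [i for i, f in enumerate(frames) if mac in (f.src_mac, f.dst_mac)]

# Constructed sample topology: host -> r1 -> r2 -> server
HOST_MAC = "00:11:22:33:44:55"
ROUTERS = [Hop("r1", "aa:00:00:00:00:01", "aa:00:00:00:00:02"),
           Hop("r2", "bb:00:00:00:00:01", "bb:00:00:00:00:02")]
SERVER_MAC = "cc:00:00:00:00:01"

def example_path() -> List[Frame]:
    # The host addresses its first frame to its gateway (r1), not to the server.
    first = Frame(HOST_MAC, ROUTERS[0].in_mac, "10.10.1.16", "198.51.100.7", 64)
    return forward(first, ROUTERS, SERVER_MAC)

if __name__ == "__main__":
    for i, f in enumerate(example_path()):
        print(f"link {i}: {f.src_mac} -> {f.dst_mac}  ip {f.src_ip} -> {f.dst_ip} ttl={f.ttl}")
```

Running it prints three links; the host MAC shows up only on link 0, which is why a sniffer anywhere past the first router learns nothing from MACs about the original sender.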
I think it's more like iptables -t nat -A POSTROUTING -s internalnet -j SNAT --to 10.1.1.1-10.1.1.254. Whoopie. My firewall has been doing that since I stuck iptables on it. I wouldn't think that it'd take much to randomly select a source IP instead of the current sequential selection...
How am I supposed to use IP based authentication on a moving target user? It's hard enough authenticating PPP(oE)/dhcp users. hosts.allow would have to become a process to let legitimate users in, and as such, security is weakened. What if the process freaks out, segfaults, zombies.....what about IP spoofing as eggshell code?
Do I have to prompt for a kerberos session every time the IP changes during a session? How easy would it be to hijack the session by fooling the stack into thinking that it legitimately changed to the attacker's IP? How easy would it be to DoS via spoofing parts of the protocol?
Frequency hopping radios are nifty, but we're not talking about beaming light. IP is much more complicated, and has more weak points.
"Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
Or frequency hopping. Indeed, I don't see why you need a "special card" or a central server, so long as the machines involved can agree on an IP sequence and the timing.
If you wanted to get fancy you could simultaneously assign several IPs and spread the packets amongst them (as well as periodically changing the IPs), to really confuse someone doing traffic analysis.
-- Alastair
Obscurity is only bad when it's the sole basis of your security measures. It is still an important part of any security system.
This is not about securing a system, it's about making it harder to find, period, as you said.
If I understand IP well enough, all they seem to do is spoof to another IP every 0.x seconds. Hence probably the billions of IP addresses too.
Maybe they have a lot of destination addresses too, but somewhere, somehow this has to be routed to the receiving end. Of course, it could be the central server, but then that would be nothing but a router.
Of course, one could also split an encrypted file/text in blocks, and send those in a particular order to/from a number of IP addresses. Kind of like a key. But that would be a pointless exercise: from 8 IPs to 8 IPs would be equivalent to 6 bits extra keyspace (2^6 possibilities). It would just be a little harder to get all of the traffic.
----------------------------------------------
the pun is mightier than the sword
That's not how IPv6 is allocated. Check out RFC1884. First off, provider-based addresses only have 1/8 of the total address space (that's you, me and Slashdot). What's worse is much of that (45 bits) is allocated to service provider identification.
You'll basically have an SLA ID (Site-Level Aggregation Identifier) of 16 bits and an Interface ID of 64 bits. How can any company need more than this? Well, for starters, every company I know of over 1000 employees has many service providers for different divisions, acquired companies, failover, etc. Since those high 48 bits are used to identify unicast addressing and an ISP, you will have to have multiple SLA ID blocks....
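To make the address layout described above concrete, here is an added example (not from the thread) that splits an IPv6 unicast address into the 48-bit prefix / 16-bit SLA ID / 64-bit Interface ID fields the post describes and counts what each field can hold. The 48/16/64 split is taken as given from the post; the sample address is constructed from the documentation range.

```python
"""Added example: carve an IPv6 address into prefix / SLA ID / Interface ID."""
import ipaddress

# Field widths as described in the post above (assumed layout)
PREFIX_BITS, SLA_BITS, IID_BITS = 48, 16, 64

def split_fields(addr: str) -> dict:
    """Return the three fields of an IPv6 address as integers."""
    n = int(ipaddress.IPv6Address(addr))          # 128-bit integer
    iid = n & ((1 << IID_BITS) - 1)               # low 64 bits
    sla = (n >> IID_BITS) & ((1 << SLA_BITS) - 1)  # next 16 bits
    prefix = n >> (IID_BITS + SLA_BITS)           # high 48 bits
    return {"prefix": prefix, "sla": sla, "iid": iid}

def site_prefix(addr: str) -> str:
    """The /48 that contains this address, i.e. the customer site's block."""
    return str(ipaddress.IPv6Network(f"{addr}/{PREFIX_BITS}", strict=False))

def subnets_per_site() -> int:
    """Number of /64 subnets a single SLA ID field can name."""
    return 1 << SLA_BITS

def hosts_per_subnet() -> int:
    """Number of Interface IDs available inside one /64."""
    return 1 << IID_BITS

def subnets_needed(devices: int, addresses_per_device: int) -> int:
    """How many /64 subnets a site needs if each device is handed
    `addresses_per_device` addresses (2**30 for roughly 'a billion')."""
    per_subnet = hosts_per_subnet() // addresses_per_device
    return -(-devices // per_subnet)  # ceiling division

if __name__ == "__main__":
    a = "2001:db8:1234:5678::1"   # constructed sample address
    f = split_fields(a)
    print(f"site {site_prefix(a)}  prefix={f['prefix']:#014x} "
          f"sla={f['sla']:#06x} iid={f['iid']:#018x}")
    print(subnets_per_site(), "subnets per site,", hosts_per_subnet(), "IIDs per subnet")
```

The `subnets_needed` helper lets you plug in the "billions of addresses per device" figure from the article and see how many of the site's 65536 subnets that plan actually consumes.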
When I posted, I thought the Interface ID was only 32 bits, so this is a much better situation. Certainly in a world where people allocate addresses as efficiently as we did in the early days of IPv4, we need not worry.
I give IPv6 unicast address space 10 years (5 more than my previous estimate) before we run out, and have to start chopping up the IPX space to give out....
The number was not 1 billion in the article, it was "billions", so your comment, "Now as we all know, 32 bits is roughly 1 billion
No, the space given to companies is very generous (vastly moreso than with v4) but if companies start planning based on using 32 bits per unique device, we won't last very long....
Assertion of fact 1: There are 64+16 bits of address available per ISP customer entity in IPv6. How the first 16 are managed is still slightly up in the air, and may not be available to the customer to directly manipulate.
Assertion of fact 2: The article suggested that using "billions" of IP addresses per device would soon be reasonable. Because of "increases in cyberspace".
Assertion of fact 3: Most medium-to-large companies will (conservatively) use 8-16 bits on subnetting, regardless of their actual need. How do I know this? Every such company I've interacted with ALREADY uses that much space in private addressing, and every one of them that I've spoken to plans to allocate IPv6 space to all of their private addresses, even if they're non-routable. This fact is based on the speculation that they will follow through with their plans, and that I've seen a representative sample.
Extrapolation/Speculation 1: If companies start thinking in terms of using 32 bits of address for a single device (64 TIMES the normal allocation per device), you'll start seeing more abuses ballooning out from there (I cite a major backbone provider that currently uses two
Extrapolation/Speculation 2: Given about 16 bits of subnetting space left over for your average large company on day one and the above speculation, I expect that to get used up in about 5-10 years. Why? Well, for one 5-10 years is the span of time that it took to go from "class B addresses are being restricted" to "we're breaking up class As to avoid an IP address crisis" in the 32-bit address space. Also, in the next 5-10 years, I expect to see 1) every household in the US and other major nations become IPv6 address space consumers 2) easily an order of magnitude more multi-home companies 3) massive need for routable IPs in public places on wireless LANs. Take the coffee shop in Mountain View (Dana St Roasting Company) as an example. Such a place will need to allocate 128 IPs even if their peak crowd of 128 users all have IPs in every other public place that they use the network.
5 years was never a hard number in my original message, and when I found out that the allocation was 64 not 32 bits per customer, I backed off to "5-10" years, but there's no argument that before that article showed up 128-bit addresses seemed like a whole hell of a lot more network, and the end of IPv6 address space may have just become visible on the horizon....
Then again, I thought that IPv4 addresses were too limited back in '89 and admitted that I was wrong in '91.... It's a matter of perspective and experience that makes us able to critique the past so clearly; I doubt that all of what I've said here will be certain.
Company X has 100 applications that require a VPN (say, 100 data feed vendors). So, they do the usual IP address math that big companies do (round up to the nearest obscene order of magnitude). So, a billion addresses per application is roughly 32 bits.
Now, I need about 100 of those, but clearly growth is a concern, so let's say I need about 8 bits worth.
Ok, so before that company even gets off the ground, before they even start deploying IPv6 on their servers, desktops, etc., they're using 256 COMPANIES worth of standard IPv6 allocation. If every company does this (and of course, this is a conservative example), we're talking about a gold-rush on IPv6 addresses that would exhaust the non-reserved addresses trivially in the first 5 years.
Let's not be hasty, though, let's assume that we can multiplex these puppies. So, one device might be able to handle multiple servers and clients and rotate the IPs correctly using one IP space. Cool, so for each server-side device IBM buys, only one company's worth of v6 allocation need be used. That should give us another couple of years of life on the namespace.
All things considered, this is a very bad idea. Rotating through 20 addresses to confuse the issue can add some difficulty for crackers, but using "billions" of addresses will add you to my "rude Internet citizens" list.
- Your clients must all use this technology. This is fine for building a VPN, but it does nothing for building services which must be announced to the public.
- The quote: "The number of IP addresses drawn on may be in the billions thanks to an artificial increase in cyberspace, Sheymov said," makes me wonder. Are they referring to IPv6 or to private addresses? If we're talking IPv6, then I'm very concerned because I don't want to see every company on the planet sucking up billions of addresses per application. That would make the increase to 128 bits pointless. If they're talking about private addresses, you still have to map to an external address at some point, and that's your weak link.
- Since when do we expect the former head of the CIA to sell security solutions without back doors?
- On the other hand, since when do we expect the former head of the CIA to have a technical clue when endorsing products?
Color me skeptical....I hope this doesn't become too widely-used. Can you say routing nightmare?
------
Yeah, I can see how great this would work with Windows: "You have worked for 2 seconds so I am changing your IP address. Windows must be restarted in order for this change to take effect. Restart now?" :-)
All this sounds like is a time-based routing mechanism, nothing more, and I don't really see how changing the IP address is going to save a misconfigured machine. For one, somewhere down the line the address is going to delegate out, so if say someone is browsing via 10.10.1.16 and they're browsing say something on my server and my logs show:
198.81.129.14 "http://www.antioffline.com/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"
Then about one second later
198.81.129.193 "http://www.antioffline.com/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"
Now this is typically another visitor or whatever, but if the connections were repetitive enough with the same browser fingerprint coming through I can probably correlate them both together by their netblocks depending on who owned the block. So unless they plan on purchasing completely obsolete netblocks like say 198.81.129.0-255 then 198.83.0.0.-255, then how do they expect to stay obscured from view? Keep in mind that there are hardly any complete netblocks to purchase in that fashion (class As close to impossible), so what are they really planning on doing?
Now if they partnered with ISP's to snag dhcp addresses not being used from a wide variety of places, say Earthlink here, MomandPopISP there, then it'd be a plus for them; however, simple traceroutes and block lookups can give you their information (who owns the block etc).
All it sounds like is a sort of a dhcp-round-robin-routing set up which is not going to save them still; if someone is really intent on getting access to their networks, they'd run out of address ranges before their scheme would work.
Now on the spook/snoop side of things... I say TMTOWTPGPSAM! (There's More Than One Way To Sign PGP Sign A Message) to keep info from eyes other than the intended recipient.
Want Root?
--Mike--
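The log-correlation check the post above describes, written out as an added example (not the poster's code): group hits by browser fingerprint and /24 netblock, split them into sessions by time gap, and flag sessions whose hits arrived from more than one IP. The log lines are constructed samples in Apache combined format using documentation address ranges; the 30-second session gap is an assumed tuning value.

```python
"""Added example: spot one client behind several IPs from a web server log."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample log: one MSIE client hopping inside 198.51.100.0/24,
# an unrelated Linux visitor, and the MSIE fingerprint returning much later.
SAMPLE_LOG = """\
198.51.100.14 - - [10/Jun/2001:22:59:01 -0700] "GET /cia-soviet/ HTTP/1.0" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
198.51.100.193 - - [10/Jun/2001:22:59:02 -0700] "GET /cia-soviet/logo.gif HTTP/1.0" 200 812 "http://www.example.net/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
203.0.113.5 - - [10/Jun/2001:22:59:03 -0700] "GET / HTTP/1.0" 200 2048 "-" "Mozilla/4.76 [en] (X11; U; Linux 2.4.2 i686)"
198.51.100.77 - - [10/Jun/2001:22:59:04 -0700] "GET /cia-soviet/style.css HTTP/1.0" 200 301 "http://www.example.net/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
198.51.100.14 - - [10/Jun/2001:23:30:00 -0700] "GET / HTTP/1.0" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
"""

def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["block"] = ipaddress.ip_network(f"{rec['ip']}/24", strict=False)
    return rec

def _summarize(ua, block, hits):
    return {"ua": ua, "block": str(block),
            "ips": sorted({h["ip"] for h in hits}), "hits": len(hits)}

def correlate(log_text: str, gap: timedelta = timedelta(seconds=30)) -> list:
    """Group hits by (user agent, /24 netblock) and cut a new session wherever
    two consecutive hits are more than `gap` apart."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_key[(rec["ua"], rec["block"])].append(rec)
    sessions = []
    for (ua, block), hits in by_key.items():
        hits.sort(key=lambda r: r["ts"])
        cur = []
        for rec in hits:
            if cur and rec["ts"] - cur[-1]["ts"] > gap:
                sessions.append(_summarize(ua, block, cur))
                cur = []
            cur.append(rec)
        if cur:
            sessions.append(_summarize(ua, block, cur))
    return sessions

def hopping_sessions(log_text: str, **kw) -> list:
    """Sessions whose hits came from more than one IP in the same netblock."""
    return [s for s in correlate(log_text, **kw) if len(s["ips"]) > 1]

if __name__ == "__main__":
    for s in hopping_sessions(SAMPLE_LOG):
        print(f"{s['block']}  {s['hits']} hits from {len(s['ips'])} IPs  ua={s['ua']!r}")
```

On the sample log this reports a single session of three hits spread over three addresses in 198.51.100.0/24, which is exactly the correlation the post says a server operator can do; it also shows the limits of the approach, since the later visit from the same fingerprint falls outside the gap and is kept separate.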
Sounds like a neat idea if it works but..
Closed source network hardware + Promiscuity between security layers = Lower security
So this is the latest "unbreakable" huh? I'm sure nobody at the NSA, CIA, or KGB wants to know what's in those networks too. Cute.
How do you know this isn't just opening a big fat vpn tunnel right into your company so other people can look at your network? Cuts both ways.
Oh, check out www.invicta.com -- Looks like they haven't bothered to buy up their domain for a whole year. That's confidence I suppose.. Guess there's no site to have taken down.
Another story from a year ago here.
I haven't seen anything except untechnical fluff articles and only a couple over a year. The idea of a Russian guy calling his system Latin for "Unconquered" isn't slick, it's dumb. You just need someone at their physical location, something he should know about. What idiot will trust him to install the thing?
Sounds suspicious to me.... Depending on whether the "centralized" box is really a centralized box run by his company or only a centralized-per-customer firewall-like-thing, it could be a golden opportunity for wiretapping the paranoid, or it could be just watered-down explanations given to the non-technical press by the Corporate Speaker-To-Publicists.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The concept of frequency hopping was invented by Hedy Lamarr in the 1930's. It is currently being used in several countries as a secure way of sending military orders.
The advantage of frequency hopping over IP hopping seems to be that it's (probably) harder to predict frequencies than it is to predict IP addresses. No doubt they will/have figure/d out how to allocate a large enough IP space to make a fairly secure transmission and how to sync the sender and receiver.
(...and what to do about the unused IP's... hmmm... You only really need one big pool of IP addresses for a set of computers, don't you? Then it's just a matter of juggling the IP's around and making sure every computer in the set of computers knows what IP they themselves and their respective communication partner have at any moment... The more computers that are communicating over the pool of IP's, the more secure the channel is.)
And now, let's all repeat the mantra of the day: Computers do what we tell them to do. Thus no computer system will ever be completely secure.
It's 11pm, do you know what your deamons are up to?
just use dyndns.org yourself!
- passion
If the sequence used by these cards is not completely random then observing the stream of packets from either of the two connected computers will allow one to extrapolate the formula used to sequence the address progress.
If I have the formula I need only a small ordered list of the IP addresses being used and I can predict what the next IP address will be. With that, I am in the loop.
This sounds like a glorified network card to me. This might confuse the kiddiez, but I suspect persons who use this company's products would be much better relying on very strong encryption and rigid security practices.
Get off my virtual lawn, you damned virtual kids!
I remember reading a while back now a paper on sending encrypted communications to a system using the TCP sequence number. The idea being to spoof a packet to the system under the guise of something fairly innocuous but have the real payload be encrypted and sent in the TCP sequence number or one of the other lesser used fields of the TCP packet. As far as any monitoring entity is concerned, that's just random crap coming in on the network connection.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Essentially all the computers using this "card" to communicate with the world wild web rely on firmware to be up to date and invulnerable to attacks. Not only does the card become the firewall, controlling which network services are available, it also becomes the ultimate "sitting duck" described in the article. According to the article, each client can decide how often its IP should change and which network services it will serve. It would follow that an attacker could compromise the card by masquerading as one of the clients and actually ghost the entire website.
---
"This message is composed of 100% recycled electrons."
Are they trying to outdo one-click ordering?
In order to route IPs on the Internet, route aggregation is required. An end host isn't going to be able to switch its address amongst many different network addresses, only to different IPs in a subnet. Given that someone who wants to compromise a machine has to have a way to find/connect to it first, it is trivial to relocate a machine. Also, see if ARIN wants to assign whole blocks of IPs for machines to hop around on.
IPv6? Maybe that would make this slightly more useful. But if a machine is supposed to be accessible, you have to make it known where it is -- if it isn't accessible, then you SHOULD just put a firewall blocking all inbound traffic, and that's that.
Another day, another "revolution". *sigh*
--
I like to watch.
So this is "not suited for widespread deployment."
Nothing is really "completely random." When creating large sets of random numbers you usually have to rely on some algorithm to create them, which rules out the "random" bit by the definition of an algorithm.
--
Have fun: Join D.N.A. (National Dyslexics Association)
I'm assuming their solution is hardware based ("special cards"), with a star topology from the central unit. I'm sure that the special cards will not be running a variation of ethernet, but some other, more secure transport. If it is standard ethernet, the network would be switched.
The "central unit" acts as a switch / router, and allows some kind of address changing. No other hubs / switches are on the network, except perhaps between "central units"
I am assuming that reuters or yahoo is wrong, and this protocol is based on the switching of MAC addresses, rather than IP.
If so, then the whole network would have to be revamped in order to put this in place. Existing routers would most likely not be able to handle MAC switching - perhaps a software upgrade could change that though. I'm pretty sure that the company would just sell their central units as hubs / switches. Why not have a monopoly on the proprietary network that you designed?
So, while they are at it, they might as well couple this with fiber optics, with the central unit watching the strength of the signal for drops (i.e. a fiber optic tap is detectable - unlike ethernet, which can be tapped just by planting something on the cat-5 jacket (CIA $$$$ stuff) - or by cutting into the wire and installing a repeater/sniffer unit. We are talking about fairly expensive "spy" stuff either way.
If not, if the address switching is indeed IP, there would certainly be a way to sniff the network and to filter out MAC addresses from all other data being sent across the network. If the "special cards" or the network were designed to prevent sniffing, that would
Either way - it is essentially security through obscurity, but it makes life a lot harder for those trying to compromise computers - although hosting a server with this would be difficult - unless the Central unit acted as a gateway of some kind.
More info is certainly needed - if someone can post some that would really clear things up.
The slashdot 2 minute between postings limit: /.'ers since Spring 2001.
Pissing off hyper caffeinated
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
--
When all you have is a hammer, everything looks like a skull.
Of course, a centralized server would need to route which would be a major bandwidth bottleneck.
And, of course, a centralized server could also be very easily tapped by a Carnivore-like device.
I guess it could scare off a few skript kiddies though.
--I assume full responsibility for my actions, except the ones that are someone else's fault.
What happens when you get a DoS attack from a billion different IP addys? This is a two way street here.
The Blaster Master Fighting for Truth, Justice, and Evil Pie since 1979
It should be worth making a few more episodes of The Lone Gunmen to exploit it.
Invicta? Wasn't that the name of the FBI's fake company that snagged those Russian hackers?
Odd that they would have the same name...
Viv
Gmail invites for ip
Why let somebody else have all of the fun (and profits)? Create a small division and don't associate it with the rest of your company specifically designed to "break" this unbreakable scheme.
No, it was a completely fictitious company that the FBI invented for this case. (But those names are rather similar. Maybe all spooks think alike?)
Maybe, but isn't this just a variant on 'security through obscurity'?
I'd have to say that this is a not-so-classic example, and in fact a neat idea, but when it comes down to it it's still securing a system through making it difficult to find.
It's admittedly a neat technology, but is it really secure?
--CTH
--
--Got Lists? | Top 95 Star Wars Line
The real difference between the frequency-hopping analogy and reality is the simple fact that unlike FH communications, the internet is supposed to be as interoperable as possible. A Mac can look at the same web page as a Solaris box, or even Windows (if it stays up long enough, obviously, for the page to load). This is accomplished through...wait for it...well-documented and widely disseminated standards. To make the comparison with frequency-hopping systems accurate, you'd need to have all or most transceiver manufacturers decide on a few standards, then agree to make all of their systems so that they work with all other ones (by adhering to the standard). And once you do that, how well do you think frequency-hopping will hide what you're saying?
For your security, this post has been encrypted with ROT-13, twice.
They keep moving around so many times a second that the bad guys can't find them. If a bad guy manages to ping an address that's a target, by the time he even types the "n" in "nmap" it's another address.
But the GOOD traffic can find them? How the hell does this thing know the difference? It sounds like they came up with a great way to hide a computer (especially if they end up trying to pretend to be someone else's IP range in the process), but they totally ignore the fundamental problem: how to tell good traffic from bad without a human having to examine it. This has to be some of the worst snake oil I have ever seen.
For your security, this post has been encrypted with ROT-13, twice.
I do a form of this all the time. My cable modem has come under attack a few times, and each time I just release and renew IPs via DHCP and let the router handle all the bandwidth. Coupled with a dynamic DNS, you have a moving target which is accessible only to those you want it to be.
Isn't this just a variation of some kind of dynamic host configuration?
Unfortunately, in both cases, hit the control server (e.g. DHCP, trn, etc.) and the whole system is down. There is also the caveat that at some point the dynamic address must be available to the public (in my case via dynamic DNS), so if my script kiddies were smart enough, they could have had their program get my address from my DNS server and adjust their attack accordingly. Or taken down the DNS server, so I would have defeated my purpose.
In either case you shouldn't rely on security through haystack and needle methods. You can always burn the haystack if you don't care about the needle.
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
More like a moving target :)
Duck shoot ne1 :)
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
I dunno, but it seems like if you wrap a towel around your head so that you can't see your attacker, then, even if he thinks that he can't see you because you can't see him, the rest of us can still tell that you've got a towel wrapped around your head.
--Blair
'The Invicta system uses special cards to link protected computers to a central control unit. It lets clients decide how often they wish to vary IP addresses and specify which applications may be accessed on their network.'"
What they fail to mention is that their Central Control Unit is running an out-of-the-box copy of RedHat 6.0.
-
Seriously; how secure can this be if it is revolving around a single control unit (or cluster of them) that dictates, records, logs, and monitors the IP addresses?
Sounds to me like they're selling us NSA-quality security, along with NSA-approved backdoors and line tapping capability.
-
How about this--instead of having a single control center managing the IP pool, we create a peer-to-peer network where, upon joining, you effectively 'donate' your 'IP address' (some form of tunneling/encapsulation would be in use?) to the community pool.
The network client continuously searches for a new partner to exchange addresses with, based on specified variables, and trades your address with theirs.
Instead of being a one-to-one swap, it's going to be: take an address, pass it on.. the first few may be easy to track, but once you've done your 10th or 40th swap (each sequential exchange gives the new partner the address you procured in the last exchange), the paper trail is extensive.
Just a random thought, it may be effective when combined with some existing solutions.
Jason Fisher
Could this be a hoax? I remember it was only a few weeks ago when the FBI lured two Russian crackers to come to work at a fictitious security company called "Invicta." It was a false front created to lure the crackers into US jurisdiction.
Still, I wonder about a few things. First, how can you implement time-based IP-hopping when IP is not time-dependent? That is, what happens when the connection between the two machines encounters a bit of congestion? The destination will have hopped on to a new address and the packets will never arrive... unless there's something I'm missing.
Second, don't the packets contain things like the MAC address of the ethernet card? Are they saying that their technology either will not include this information, or switch it right along with the IP address?
As glorious as it sounds, somehow I don't see this being nearly as effective against MitM as signal-hopping with radio frequencies. With a radio scanner you would either have to monitor all available frequencies to try to put the session together or synch with the session and hop along with it, which is fairly difficult. However with packet sniffing, everything that passes is available for reading. The only way I can see this being halfway useful is if somehow every address used had a different route between the two machines, which isn't really feasible.
So... it's a nice idea I suppose but it sounds to me like it's mostly hype.
At a server? That's just stupid...how can you be got to? And if normal traffic can reach you, doesn't that invalidate the whole point?
43rd Law of Computing: