deattack.c revision 1.2
1/* $NetBSD: deattack.c,v 1.2 2009/06/07 22:38:46 christos Exp $ */ 2/* $OpenBSD: deattack.c,v 1.30 2006/09/16 19:53:37 djm Exp $ */ 3/* 4 * Cryptographic attack detector for ssh - source code 5 * 6 * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. 7 * 8 * All rights reserved. Redistribution and use in source and binary 9 * forms, with or without modification, are permitted provided that 10 * this copyright notice is retained. 11 * 12 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 13 * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE 14 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR 15 * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS 16 * SOFTWARE. 17 * 18 * Ariel Futoransky <futo@core-sdi.com> 19 * <http://www.core-sdi.com> 20 */ 21 22#include "includes.h" 23__RCSID("$NetBSD: deattack.c,v 1.2 2009/06/07 22:38:46 christos Exp $"); 24#include <sys/types.h> 25 26#include <string.h> 27#include <stdio.h> 28#include <stdarg.h> 29#include <time.h> 30 31#include "xmalloc.h" 32#include "deattack.h" 33#include "log.h" 34#include "crc32.h" 35#include "misc.h" 36 37/* 38 * CRC attack detection has a worst-case behaviour that is O(N^3) over 39 * the number of identical blocks in a packet. This behaviour can be 40 * exploited to create a limited denial of service attack. 41 * 42 * However, because we are dealing with encrypted data, identical 43 * blocks should only occur every 2^35 maximally-sized packets or so. 44 * Consequently, we can detect this DoS by looking for identical blocks 45 * in a packet. 46 * 47 * The parameter below determines how many identical blocks we will 48 * accept in a single packet, trading off between attack detection and 49 * likelihood of terminating a legitimate connection. A value of 32 50 * corresponds to an average of 2^40 messages before an attack is 51 * misdetected 52 */ 53#define MAX_IDENTICAL 32 54 55/* SSH Constants */ 56#define SSH_MAXBLOCKS (32 * 1024) 57#define SSH_BLOCKSIZE (8) 58 59/* Hashing constants */ 60#define HASH_MINSIZE (8 * 1024) 61#define HASH_ENTRYSIZE (2) 62#define HASH_FACTOR(x) ((x)*3/2) 63#define HASH_UNUSEDCHAR (0xff) 64#define HASH_UNUSED (0xffff) 65#define HASH_IV (0xfffe) 66 67#define HASH_MINBLOCKS (7*SSH_BLOCKSIZE) 68 69 70/* Hash function (Input keys are cipher results) */ 71#define HASH(x) get_u32(x) 72 73#define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) 74 75static void 76crc_update(u_int32_t *a, u_int32_t b) 77{ 78 b ^= *a; 79 *a = ssh_crc32((u_char *)&b, sizeof(b)); 80} 81 82/* detect if a block is used in a particular pattern */ 83static int 84check_crc(u_char *S, u_char *buf, u_int32_t len) 85{ 86 u_int32_t crc; 87 u_char *c; 88 89 crc = 0; 90 for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { 91 if (!CMP(S, c)) { 92 crc_update(&crc, 1); 93 crc_update(&crc, 0); 94 } else { 95 crc_update(&crc, 0); 96 crc_update(&crc, 0); 97 } 98 } 99 return (crc == 0); 100} 101 102 103/* Detect a crc32 compensation attack on a packet */ 104int 105detect_attack(u_char *buf, u_int32_t len) 106{ 107 static u_int16_t *h = (u_int16_t *) NULL; 108 static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; 109 u_int32_t i, j; 110 u_int32_t l, same; 111 u_char *c; 112 u_char *d; 113 114 if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || 115 len % SSH_BLOCKSIZE != 0) { 116 fatal("detect_attack: bad length %d", len); 117 } 118 for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) 119 ; 120 121 if (h == NULL) { 122 debug("Installing crc compensation attack detector."); 123 h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE); 124 n = l; 125 } else { 126 if (l > n) { 127 h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE); 128 n = l; 129 } 130 } 131 132 if (len <= HASH_MINBLOCKS) { 133 for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { 134 for (d = buf; d < c; d += SSH_BLOCKSIZE) { 135 if (!CMP(c, d)) { 136 if ((check_crc(c, buf, len))) 137 return (DEATTACK_DETECTED); 138 else 139 break; 140 } 141 } 142 } 143 return (DEATTACK_OK); 144 } 145 memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); 146 147 for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { 148 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; 149 i = (i + 1) & (n - 1)) { 150 if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { 151 if (++same > MAX_IDENTICAL) 152 return (DEATTACK_DOS_DETECTED); 153 if (check_crc(c, buf, len)) 154 return (DEATTACK_DETECTED); 155 else 156 break; 157 } 158 } 159 h[i] = j; 160 } 161 return (DEATTACK_OK); 162} 163