Linux User Group of Mauritius Promoting open source software in our beautiful island

14 Dec 2015

BCP38 and Orange (Part I)

Posted by logan

No stats on BCP-38

I sent a mail this morning to query about the status of BCP38 in Mauritius & Africa on the afnog mailing list. I could not get any statistics concerning the adoption of BCP38 in Mauritius & Africa. After discussing the matter with various hackers.mu and SM (of the Mauritius Internet Users), I decided to look around for tools that help to measure source address validation measures from Orange, my ISP.

What is BCP-38?

BCP-38 is a recommended Internet Standard that essentially aims at eliminating source address spoofing, which has been the cause of a lot of trouble lately on the Internet. A few days ago, a massive DDoS attack was launched against the DNS infrastructure of the Internet. Had BCP-38 been implemented all over the world, we would see fewer of those attacks. Those attacks are crippling to the Internet, as almost any service (Facebook, Twitter, Instagram) relies on DNS so that users can reach it.

Orange and BCP-38

I found a nice tool known as spoofer, which is part of a university project that aims at profiling the deployment of BCP-38 across the Internet. After installing the tool, I fired it up in another terminal :)
>> CAIDA IP Spoofing Tester v0.8d
>> http://spoofer.caida.org/
>> Copyright 2015 The Regents of the University of California
>> Copyright 2004-2009 Rob Beverly

The results

After running the test for a while, it gives you a URL with a summary. Quoting from my URL:
Test run at: 2015-12-14 08:41:05
Test from: 41.136.242.104
Test OS: LINUX
Sourced Probes: 93
Can spoof private address: no
Can spoof routable address: no
Largest neighbor prefix that can be spoofed: none

Conclusion

Surprisingly, Orange (Mauritius) seems to implement BCP-38. However, it might also be my router which is filtering spoofed addresses from my machine. Tomorrow, I will use a standard modem, and later I will hook it directly. My test tomorrow might reveal some interesting issues :)

Filed under: sav
14 Dec 2015

nsd & crypto improvement

Posted by logan

NSD

NSD is an open source implementation of an authoritative DNS server. It has a very good security record, and lower memory usage compared to ISC BIND. As part of hackers.mu's quest to make the Internet better, we decided to look into NSD's crypto-related parts, and see how we can improve it for all of the NSD users in Mauritius.

We came across cases of modulo bias in the form of arc4random() % foo. From a mathematical point of view, this introduces a bias that makes the result slightly less random. This is NOT good :). Our patch uses arc4random_uniform(), an iterative solution that reduces modulo bias. NSD took our patch and committed it:
10 December 2015: Wouter
- 4.1.7 release
- trunk has 4.1.8 in development.
- take advantage of arc4random_uniform if available, patch from Loganaden Velvindron.


Another small step to make the Internet more secure :)

Filed under: nsd
11 Dec 2015

Tor hardened memory allocator improvement

Posted by logan

Tor's Hardened memory allocator

Tor supports a hardened memory allocator from the OpenBSD project. OpenBSD's memory allocator was designed to be heavily randomized. During the porting effort to make OpenBSD's malloc work on Tor & non-OpenBSD platforms, arc4random() was replaced by rand(). A modulo bias is introduced by using "rand() % bp->free". To reduce modulo bias, hackers.mu sent a patch to the Tor project. Ideally, we would be happy to see tor ship with an arc4random_uniform() implementation from OpenBSD. arc4random_uniform() was designed to eliminate modulo biases.
Geeky details here.
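
The modulo bias described in this post and in the NSD post, shown exactly on a toy 8-bit generator and then removed by rejection sampling. This is an added example, not code from the NSD or Tor patches; `SPACE`, `counter_rng` and `uniform_below` are names invented here, and `uniform_below` only follows the general rejection-sampling approach of arc4random_uniform().

```c
#include <stdint.h>
#include <stdio.h>
#define SPACE 256u  /* toy generator: all 8-bit values 0..255 equally likely */

/* Exact output counts of the biased mapping r % bound over the whole space. */
void count_modulo(unsigned bound, unsigned counts[])
{
    for (unsigned i = 0; i < bound; i++) counts[i] = 0;
    for (unsigned r = 0; r < SPACE; r++) counts[r % bound]++;
}

/* Same, but discarding the first SPACE % bound values before reducing. */
void count_rejection(unsigned bound, unsigned counts[])
{
    unsigned min = SPACE % bound;
    for (unsigned i = 0; i < bound; i++) counts[i] = 0;
    for (unsigned r = min; r < SPACE; r++) counts[r % bound]++;
}

/* Difference between the most and least frequent result (0 = uniform). */
unsigned spread(const unsigned counts[], unsigned bound)
{
    unsigned lo = counts[0], hi = counts[0];
    for (unsigned i = 1; i < bound; i++) {
        if (counts[i] < lo) lo = counts[i];
        if (counts[i] > hi) hi = counts[i];
    }
    return hi - lo;
}

/* Constructed stand-in source that returns 0, 1, 2, ... (not random). */
uint32_t counter_rng(void) { static uint32_t n; return n++; }

/* 32-bit rejection sampling in the style of arc4random_uniform(). */
uint32_t uniform_below(uint32_t (*rng)(void), uint32_t bound)
{
    if (bound < 2) return 0;
    uint32_t r, min = -bound % bound;   /* min equals 2^32 mod bound */
    do { r = rng(); } while (r < min);  /* retry draws from the short range */
    return r % bound;
}

int main(void)
{
    unsigned c[6];
    count_modulo(6, c);    printf("r %% 6:    spread %u\n", spread(c, 6));
    count_rejection(6, c); printf("rejection: spread %u\n", spread(c, 6));
    printf("first accepted draw: %u\n", uniform_below(counter_rng, 6));
    return 0;
}
```

With a bound of 6, the plain modulo gives results 0 to 3 one extra hit each (43 against 42), while the rejection variant gives every result exactly 42.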

Filed under: tor
10 Dec 2015

Tor & randomization

Posted by logan

Introduction to Tor

Tor is a piece of software which is used to remain anonymous on the Internet. Users can connect to the Tor network, and all of their traffic is "hidden". Tor is used by several groups of people: journalists living in China, police officers for undercover operations, whistleblowers, human rights activists, and even military officers who are on remote missions.

Mauritius & Privacy

In Mauritius, none of the local ISPs have made a public statement for protecting the privacy of their users. This means that the Internet traffic of Mauritians is probably monitored. ICTA has a blackbox which supposedly blocks only child pornography. We do not know what else it can do. Hackers.mu (a group of Ninjas living in Mauritius) publicly encourages Internet users in Mauritius to adopt Tor, particularly for visiting sensitive websites such as political parties, making comments on forums against the government, and also making the truth known. We encourage civil servants who would like to disclose sensitive documents to use Tor.

Improving Tor

On UNIX/Linux systems, Tor relies on the operating system to provide it with a random source of data. It's generally /dev/random. However, opening /dev/random implies keeping a file descriptor open throughout the course of execution of tor. If someone sandboxes tor for security, this weakens the sandbox. Someone who compromises a tor process can close the file descriptor for /dev/random, and open another file which is outside of the sandbox. Hackers.mu sent a patch to the tor project which takes advantage of a new API on Linux, which opens the random source in tor without the need for a file descriptor. This in turn leads to tighter sandboxing on tor, and therefore improves the security & privacy of tor users. A different patch by Y. Angel was committed to Tor to take advantage of the new API on Linux.
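
The difference in file descriptor usage, as an added example that is not taken from either Tor patch. The post does not name the Linux API; this sketch assumes it is getrandom(2) as exposed by glibc's `<sys/random.h>`, and all function names are invented here.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/random.h>
#include <unistd.h>

/* Fill buf with len random bytes via getrandom(2); 0 on success, -1 on error. */
int fill_random(unsigned char *buf, size_t len)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = getrandom(buf + done, len - done, 0);
        if (n < 0 && errno == EINTR) continue;  /* interrupted: retry */
        if (n < 0) return -1;                   /* e.g. ENOSYS on old kernels */
        done += (size_t)n;                      /* short reads are allowed */
    }
    return 0;
}

/* Lowest unused descriptor number, probed by opening and closing /dev/null. */
int lowest_free_fd(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0) close(fd);
    return fd;
}

/* Returns 1 if drawing a 32-byte key left the descriptor table unchanged. */
int getrandom_leaves_no_fd(void)
{
    unsigned char key[32];
    int before = lowest_free_fd();
    if (fill_random(key, sizeof key) != 0) return 0;
    return before >= 0 && lowest_free_fd() == before;
}

/* Returns 1 if the /dev/random approach occupies a descriptor while in use. */
int devrandom_holds_fd(void)
{
    int before = lowest_free_fd();
    int fd = open("/dev/random", O_RDONLY);
    if (fd < 0) return -1;
    int held = (lowest_free_fd() != before);
    close(fd);
    return held;
}

int main(void)
{
    return getrandom_leaves_no_fd() == 1 && devrandom_holds_fd() == 1 ? 0 : 1;
}
```

Because no path is opened, a sandbox policy for this code needs no filesystem rule for the random device, only permission for the getrandom system call.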

Adoption of Tor

It is our aim that Mauritian users adopt tor to protect their online privacy, and we will continue to work on improving the code to protect your privacy online! Happy Tor :)

Filed under: tor