Monday, December 22, 2008

SSHv2 trickery

Current SSHv2 implementations suffer from a 'vulnerability' that allows traffic analysis
to match the incoming and outgoing connections of a box. If you use an SSH shell
on some box for anonymity before you SSH on to some other box, a global observer
can correlate the traffic at the end box and at the box in between to find out
who actually connected to the end box. In particular, by observing packet sizes
and the time between packets, it is possible to see when something is typed
and how much output comes back. This works no matter how many
hops are in between, and in the end it reveals the originating IP address.
The SSHv2 specification was not really designed for anonymity or for measures against
advanced traffic analysis, even though it has SSH_MSG_IGNORE packets.
I wrote a patch that adds a constant delay and packet size to the connection, no matter
whether something is typed and how much is done on the connection.
You can find it here.
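The following toy model is an added illustration and not the patch itself: it builds a constructed interactive session as a list of (time, size) packets, shows that per-window byte counts on the link before and after the middle box correlate strongly, and then applies the constant-interval, constant-size schedule the post describes, after which the observable sequence is identical to that of an idle session. The 36-byte keystroke packet, the 50 ms reply delay, the 80 ms hop latency and the 0.125 s / 256-byte padding parameters are assumptions chosen for the example.

```python
import math
import random

def interactive_trace(keystroke_times, reply_sizes, key_pkt=36):
    """Constructed session: one small packet per keystroke (key_pkt bytes, an assumed
    size), each answered 50 ms later by a reply sized by what the command printed."""
    return sorted(p for t, r in zip(keystroke_times, reply_sizes)
                  for p in ((t, key_pkt), (t + 0.05, r)))

def bytes_per_window(trace, window, duration):
    """Bytes per time window: the feature a global observer compares across hops."""
    bins = [0] * int(duration / window)
    for t, size in trace:
        bins[int(t // window)] += size
    return bins

def correlation(a, b):
    """Pearson correlation of two equal-length series; 0.0 when either is constant."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0

def constant_rate(trace, interval, pkt_size, duration):
    """The post's countermeasure: a fixed-size packet every `interval` seconds whether or
    not anything was typed. Queued payload fills the slot and the remainder is
    SSH_MSG_IGNORE padding, so the observable (time, size) sequence never depends on input."""
    queue, i, out = 0, 0, []
    for k in range(int(duration / interval)):
        t = k * interval
        while i < len(trace) and trace[i][0] <= t:  # payload that arrived before this slot
            queue += trace[i][1]
            i += 1
        queue -= min(queue, pkt_size)  # carried in this slot; leftover waits for the next
        out.append((t, pkt_size))
    return out

def demo(seed=1):
    rng, duration, window = random.Random(seed), 10.0, 0.5
    def cross_hop(trace):
        # Observer on the far link sees the same sizes shifted by 80 ms latency plus jitter.
        far = [(t + 0.08 + rng.uniform(0, 0.02), s) for t, s in trace]
        return correlation(bytes_per_window(trace, window, duration),
                           bytes_per_window(far, window, duration))
    session = interactive_trace([0.3, 0.9, 1.4, 3.0, 3.2, 6.5, 7.1], [48, 48, 1200, 48, 4096, 48, 700])
    padded = constant_rate(session, 0.125, 256, duration)  # 8 x 256-byte packets every second
    # The padded schedule is byte-for-byte what an idle session would produce.
    return cross_hop(session), cross_hop(padded), padded == constant_rate([], 0.125, 256, duration)
```

The price of the countermeasure is visible in `constant_rate` too: the link carries 2 KB/s even when idle, and a burst larger than one slot is delivered spread over several slots.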