Monday, January 07, 2008

First release of my 'shimmer' project

A couple of months ago I blogged about a system for opening and closing ports based on a cryptographic algorithm that makes it hard for an attacker to guess the right port. It's a sort of port knocking scheme that I called C3PO.

Many commentators, via email, on the blog and in other forums, requested that I open source the code. I couldn't do that because the code was a nasty hack put together for my machine, but I have gone one better.

Today I'm releasing the first version of shimmer. shimmer is completely new, GPL-licensed code, implementing my original idea. Read more about it on the site.

Hit the right port and you're in; hit the wrong one and you're blacklisted. Ports change every 60 seconds.


Rennie said...

I just discovered your "shimmer" security system from an article on slashdot. I am a former student of Dr. John Aycock at the University of Calgary and the author of a couple papers on port knocking and related topics.

If I understand your design correctly, of the 16 ports that shimmerd opens for each minute, one maps directly to the protected service, and 15 cause the connecting IP address to be blacklisted for 15 minutes. To successfully connect to the protected service, one needs only to identify the redirected port. Three such sets of 16 ports are open at any given time.

This design offers very weak security. If an attacker performs a port scan on a host running shimmer, it has a 1/16 chance of finding a redirected port before one of the blacklist ports. Assuming that the order of ports on each port scan is random, an attacker will have a >50% chance of success after 11 scans. Due to blacklisting, this would take 2.5 hours on a single machine. However, if the attacker has access to multiple source IP addresses, it could run scans in parallel. With 100 IP addresses, an attacker has a ~99.8% chance of success in the time required to run a single port scan (i.e., a few minutes at most). By comparison, a well-designed cryptographic port knocking or SPA scheme (such as your "tumbler" system) requires years to break by brute force.

As it stands, shimmer has one advantage over tumbler (assuming that I remember correctly how tumbler works; it's been a while since I investigated it), in that the "authentication" message is logically linked to the connection to the protected port. However, its authentication system is so weak as to be essentially useless, so I don't see any good reasons to use Shimmer in its current form. (Unless you've identified some use case that I haven't considered?) If you wish to re-design this system to use a more robust authentication mechanism, you may want to take a look at these papers:

Paul Barham et al. Techniques for Lightweight Concealment and Authentication in IP Networks. Intel Research tech. rep. IRB-TR-02-009, July 2002.

Rennie deGraaf. Enhancing Firewalls: Conveying User and Application Identification to Network Firewalls. Computer Science MSc thesis, University of Calgary, May 2007.

Eugene Vasserman et al. Practical, Provably Undetectable Authentication. Proc. ESORICS 2007 (LNCS 4734), September 2007.

Feel free to contact me if you have any questions or comments.

Rennie deGraaf

AlecMuffett said...

I have to agree with the previous commenter where he writes:

With 100 IP addresses, an attacker has a ~99.8% chance of success in the time required to run a single port scan (i.e., a few minutes at most). By comparison, a well-designed cryptographic port knocking or SPA scheme (such as your "tumbler" system) requires years to break by brute force.

...etc, for he is citing exactly the same sort of problem that has plagued me in the arena of centralised password authentication (and the foolishness of "three strikes" lockout which I wrote up at

However, "shimmer" has a few things going in its favour:

1) it's a cute hack :-)

2) if someone wants to use a botnet of 100+ machines to break into a SSH daemon running on my desktop at the end of a DSL line, then I probably have more things to worry about than whether that improves their chances of guessing my passphrase. DDoS, for

OTOH if some twit on their 1337 windows XP box decides to nmap me, I'm more than happy to block the little twerp.

I'm not sure if I'd go to the lengths to set it up properly, but I am glad you've had the idea and moreso that you've published.

Keep up the good work, and don't be disheartened by the purists. They're just envious that they lack creativity. :-)

Alec Muffett,

J.D. said...

Didn't I see this on Star Trek a while back?

Brad said...

While Rennie's comments are true, I think he's missing the point here.

Shimmer is not meant to be an end all solution. It's certainly not meant to replace port knocking. It's not meant to defend against an attacker who can simultaneously scan your box from 100 IPs!

What is it meant for? Well, it's meant for the script kiddie, the casual attacker, simple port scanners, the opportunists, etc. These people have no business connecting to my server at all, and I'd be happy to ban them. It's part of a system of defense in depth. It's sort of akin to the function of an IPS, detect an intruder and take some sort of automated action against him.

Calling it "essentially useless" is crass and short-sighted. I think it has a lot of potential. Especially if you made the ban longer (maybe even permanent if that were acceptable in your would fine be for my personal use).