Having just seen the abacus project and its method of detecting and masking strobes in user-space, and from the advice of a friend, I thought I'd mention to y'all that about 7 months ago, I wrote a patch to the linux kernel to do most of what the abacus project is claiming to do now. I didn't really announce it to any security lists/groups before now. Although it's a kernel patch, I believe it's a much cleaner way to do strobe protection on linux and masking them if you don't mind the patching thingy. This way, I can utilize the kernel's existing TCP/IP state machine and don't have to have a separate userspace process reimplement it and poll packets coming in.

Anyway, this patch does a few things in its 4kbytes entirety :-)

* detects all forms of strobes (including stealth strobes AND UDP strobes) using a heuristic based on the rate of refused connections/bad packets coming in. (works to detect all strobes I've seen: nmap, strobe, tcpscan...)
* logs all strobe attempts
* when a TCP or UDP strobe is detected, start refusing all connections from this IP until attempts have stopped for a specified amount of time.
* log all TCP connection accepts in a form containing ip, port, uid of accepting process and accepting process name and pid. For example:

    Jul 1 00:19:20 redsecret kernel: TCP connection accepted: ip=127.0.0.1 port=22 uid=0 process=sshd[263]

* log unexpected packets with their syn, fin, ack, and rst flags
* log rejected UDP packets (no logging accepted UDP packets 'cause that's crazy)
* log common ICMP packets

So basically, when someone strobes you, you look like a Macintosh.

Up till now, I thought I was wasting energy writing this thing, and still think that this sort of thing is kind of a waste of time; I wrote it for fun and fun only. I do not claim to be a security professional, just a tinkerer, so use at your own risk. I personally have been running this thing for 7 months now, and it's got its share of torture testing by me, and seems relatively stable.
This patch works on the 2.0.x kernels and there isn't one for 2.1.x yet either. (mainly because I don't run the 2.1.x's on my personal machine) When that day comes, you can expect a new patch, but until then, everyone's free to get it to work on their 2.1.x kernel and send me the patch ;-) It should be really easy.

So, if you wanna give it a try (and tell me of success/failures/suggestions) it's at:

ftp://isufug.ee.iastate.edu/pub/ktcpd
http://isufug.ee.iastate.edu/~joff

~Jesse Off <joffat_private>
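The post describes the heuristic only in words: count refused connections/bad packets per source, mask the source once the rate is exceeded, and release it after attempts have stopped for a set time. The following is an added, user-space model of that heuristic for readers who want to see the state machine spelled out; it is not code from the ktcpd patch, and the names (strobe_event, STROBE_WINDOW, STROBE_THRESHOLD, STROBE_QUIET), the tunable values, and the replayed packet trace are all assumptions constructed for this example.

```c
/* Added example: a user-space model of the rate-based strobe detection and
 * masking heuristic described in the post. Not the ktcpd patch's own code;
 * every name and tunable below is an assumption made for illustration. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define STROBE_WINDOW    10  /* seconds over which refused packets are counted (assumed) */
#define STROBE_THRESHOLD  5  /* refused packets in the window before a source is masked (assumed) */
#define STROBE_QUIET     30  /* seconds of silence required before a masked source is released (assumed) */
#define MAX_SOURCES      64

enum verdict { VERDICT_PASS = 0, VERDICT_MASK = 1 };

struct source {
    uint32_t ip;            /* host byte order; 0 marks a free slot */
    int refused_count;      /* refused packets seen in the current window */
    time_t window_start;
    time_t last_seen;       /* last packet of any kind from this source */
    int masked;
};

static struct source table[MAX_SOURCES];

void strobe_reset(void) { memset(table, 0, sizeof table); }

/* Find the entry for ip, allocating a free slot if needed. Returns NULL when
 * the table is full, in which case the caller lets the stack handle the packet. */
static struct source *lookup(uint32_t ip)
{
    struct source *free_slot = NULL;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (table[i].ip == ip) return &table[i];
        if (table[i].ip == 0 && !free_slot) free_slot = &table[i];
    }
    if (free_slot) { memset(free_slot, 0, sizeof *free_slot); free_slot->ip = ip; }
    return free_slot;
}

static void fmt_ip(uint32_t ip, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u", ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
}

/* One inbound packet from ip at time now. refused is 1 when the stack would
 * reject it anyway (closed port, unexpected flags). Returns whether the packet
 * should be handled normally or silently dropped because the source is masked. */
enum verdict strobe_event(uint32_t ip, int refused, time_t now)
{
    char ipbuf[16];
    struct source *s = lookup(ip);
    if (!s) return VERDICT_PASS;
    fmt_ip(ip, ipbuf, sizeof ipbuf);

    if (s->masked) {
        if (now - s->last_seen > STROBE_QUIET) {
            /* The source went quiet long enough: release it and start a fresh window. */
            printf("strobe: %s quiet for %lds, unmasking\n", ipbuf, (long)(now - s->last_seen));
            s->masked = 0;
            s->refused_count = 0;
            s->window_start = now;
        } else {
            /* Any packet while masked, even to an open port, keeps the mask alive. */
            s->last_seen = now;
            return VERDICT_MASK;
        }
    }
    s->last_seen = now;
    if (!refused) return VERDICT_PASS;

    /* Refused packet: count it within a sliding window, mask at the threshold. */
    if (now - s->window_start > STROBE_WINDOW) { s->window_start = now; s->refused_count = 0; }
    if (++s->refused_count >= STROBE_THRESHOLD) {
        printf("strobe: %d refused packets from %s within %ds, masking\n",
               s->refused_count, ipbuf, STROBE_WINDOW);
        s->masked = 1;
        return VERDICT_MASK;
    }
    return VERDICT_PASS;
}

int main(void)
{
    /* Constructed trace: 10.0.0.5 probes five closed ports in five seconds,
     * then tries an open port while masked, then returns after a quiet spell. */
    struct { uint32_t ip; int refused; time_t t; } trace[] = {
        {0x0A000005, 1, 0}, {0x0A000005, 1, 1}, {0x0A000005, 1, 2},
        {0x0A000005, 1, 3}, {0x0A000005, 1, 4}, {0x0A000005, 0, 6},
        {0x0A000005, 0, 40},
    };
    strobe_reset();
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("t=%ld verdict=%s\n", (long)trace[i].t,
               strobe_event(trace[i].ip, trace[i].refused, trace[i].t) == VERDICT_MASK ? "mask" : "pass");
    return 0;
}
```

The point worth noticing is the two separate timers: the detection window bounds how quickly refusals must arrive to count as a strobe, while the quiet period is measured from the source's last packet of any kind, so a masked scanner that keeps probing never gets released; that is what the post means by "until attempts have stopped".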
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:01:24 PDT