As recently discovered, there's a way to do a port sweep while hiding the source IP. The problem arises because ip_output.c (in Linux kernel 2.0.x) forges and queues packets using a simple ID increment. This gives the chance to guess how many packets were sent and, as explained in the paper about the IP header ID (http://www.geek-girl.com/bugtraq/1998_4/0609.html), the opportunity of IP abuse in portscanning. Changing the fixed unit step to a random one seems to be a good fix.

Happy kernel hacking. :-)

------------------------------------------------------------------------------

--- ip_output.c. Fri Apr 17 16:42:38 1998 +++ ip_outout.c.patched Fri Apr 17 17:17:15 1998 @@ -32,2 +32,3 @@ * Juan-Mariano de Goyeneche traffic generated locally. - */ + * awgn roofing: to prevent _ip abuse_ as third in hscan. + */ @@ -42,4 +42,5 @@ #include <linux/errno.h> #include <linux/config.h> +#include <linux/random.h> #include <linux/socket.h> @@ -451,3 +451,4 @@ { + u_char rand_step; unsigned int tot_len; struct iphdr *iph; @@ -485,3 +485,5 @@ case 1: iph->id = htons(ip_id_count++); + (void) get_random_bytes(&rand_step,1); + ip_id_count += ( rand_step & 0x0f ); } @@ -637,3 +637,4 @@ { + u_char rand_step; struct rtable *rt; unsigned int fraglen, maxfraglen, fragheaderlen; @@ -754,4 +754,6 @@ iph->id=htons(ip_id_count++); + (void) get_random_bytes(&rand_step,1); + ip_id_count += ( rand_step & 0x0f ); iph->frag_off = 0; iph->ttl=sk->ip_ttl; iph->protocol=type;

-------------------------------------------------------------------------

awgnat_private [ we're working to make dyndns alive, again! ] meet us: #hackersat_private
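Review bot: the comment added in the `@@ -32,2 +32,3 @@` hunk (`* awgn roofing: to prevent _ip abuse_ as third in hscan.`) does not tell a reader of ip_output.c what the code now does; "hscan" and "third" are not explained anywhere in the file. Suggest stating mechanism and reason instead, e.g. `* ip_id_count advances by a random amount per packet so the` / `* IP ID no longer reveals how many packets this host has sent.`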
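Review bot: in the `@@ -485,3 +485,5 @@` hunk, `ip_id_count += ( rand_step & 0x0f )` adds only 0..15 on top of the existing `ip_id_count++`, so the ID still grows monotonically by a step of 1..16 per packet; someone comparing two replies from the host still learns the number of packets sent in between to within a factor of 16, the leak is narrowed rather than closed. `get_random_bytes` is also now called for every outgoing packet on this path, so the cost per packet and the draw on the random pool should be weighed; a wider mask (`rand_step & 0xff`) would widen the uncertainty at the same call cost if a 16-bit ID wrapping faster is acceptable.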
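Review bot: the `@@ -754,4 +754,6 @@` hunk repeats the three-line sequence `iph->id=htons(ip_id_count++);` / `(void) get_random_bytes(&rand_step,1);` / `ip_id_count += ( rand_step & 0x0f );` already added at 485, together with a second `u_char rand_step;` local in the `@@ -637,3 +637,4 @@` hunk; factoring the ID selection into one static helper that returns the next `id` value keeps both transmit paths in step if the policy is tuned again and removes the duplicated local.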
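As an added illustration (not part of the post or of the kernel source), here is a small model of what an outside observer can still infer from two IP IDs of the same host, under the original `ip_id_count++` and under the patched counter; the function names, the observer model and the sample parameters are my own assumptions.

```python
import random

ID_MASK = 0xFFFF  # iph->id is a 16-bit field, so the counter wraps


def next_ids(n_packets, start, step_fn):
    """IDs stamped on n_packets consecutive packets; step_fn() gives the
    increment applied to the counter after each packet is stamped."""
    ids, counter = [], start
    for _ in range(n_packets):
        ids.append(counter & ID_MASK)
        counter += step_fn()
    return ids


def unpatched_step():
    return 1  # original kernel: ip_id_count++


def patched_step(rng=random):
    # patch: ip_id_count++ followed by ip_id_count += (rand_step & 0x0f)
    return 1 + (rng.randrange(256) & 0x0f)


def intervening_bounds(id_a, id_b, max_step):
    """Bounds (lo, hi) on how many packets a host sent between the packet
    carrying id_a and the later packet carrying id_b, when each packet
    advances the counter by 1..max_step.  delta also contains the step of
    the first observed packet itself, hence the "- 1"."""
    delta = (id_b - id_a) & ID_MASK          # tolerate one 16-bit wrap
    hi = delta - 1                           # every step was the minimum 1
    lo = -(-delta // max_step) - 1           # ceil(delta / max_step) - 1
    return max(lo, 0), hi


def simulate(k_intervening, max_step, seed=1):
    """Host emits: a reply the observer sees, k other packets, a second reply
    the observer sees.  Returns (true k, bounds the observer can derive).
    max_step=1 models the original counter, 16 models the patch."""
    rng = random.Random(seed)
    step = unpatched_step if max_step == 1 else (lambda: patched_step(rng))
    ids = next_ids(k_intervening + 2, rng.randrange(ID_MASK + 1), step)
    return k_intervening, intervening_bounds(ids[0], ids[-1], max_step)
```

With the fixed step the count is recovered exactly; with the patch it is only pinned to an interval whose width grows with the count, which is why the step should be compared against the factor-of-16 residual leak before calling it a fix.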
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:17 PDT