--FCuugMFkClbJLl1L Content-Type: text/plain; charset=us-ascii Hi, It seems that some bugtraq readers still runs linux 2.0.3[67]. In order to prevent SYN, FIN, Xmas, NULL tcp scan and maybe connect() scan (for exaple it's true with nmap, false with strobe) it's possible to apply this kernel patch. This stupid patch change the sequence SYN ---> closed port <--- RST to SYN ---> closed port <--- SYN|ACK ACK ---> <--- RST and answers RST to FIN, Xmas and NULL tcp flags even if the port is open, like win*. If an attacker scans a patched host it gets all ports are open, so it gets nothing. The patch is tested on linux 2.0.36, maybe it's good even for 2.0.37. bye, antirez -- Salvatore Sanfilippo - antirez - antirezat_private try hping: http://www.kyuzz.org/antirez antirezat_private --FCuugMFkClbJLl1L Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=antiscan-patch diff -u -r linux/net/ipv4/tcp_input.c /usr/src/linux-2.0.36/net/ipv4/tcp_input.c --- linux/net/ipv4/tcp_input.c Sat Jul 17 11:21:01 1999 +++ /usr/src/linux-2.0.36/net/ipv4/tcp_input.c Sat Jul 17 12:00:13 1999 @@ -46,6 +46,7 @@ * </RANT> * George Baeslack : SIGIO delivery on accept() bug that * affected sun jdk. + * Salvatore Sanfilippo : Prevents SYN, FIN, Xmass, NULL scan. */ #include <linux/config.h> @@ -2464,6 +2465,12 @@ } } #endif + tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255); + } + + /* resets FIN, Xmas, NULL */ + if (!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR) + { tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255); } diff -u -r linux/net/ipv4/tcp_output.c /usr/src/linux-2.0.36/net/ipv4/tcp_output.c --- linux/net/ipv4/tcp_output.c Sat Jul 17 11:21:01 1999 +++ /usr/src/linux-2.0.36/net/ipv4/tcp_output.c Sat Jul 17 11:56:35 1999 @@ -759,7 +759,7 @@ t1->source = th->dest; t1->doff = sizeof(*t1)/4; t1->rst = 1; - + if(th->ack) { t1->seq = th->ack_seq; @@ -770,7 +770,15 @@ if(!th->syn) t1->ack_seq = th->seq; else + { t1->ack_seq = htonl(ntohl(th->seq)+1); + /* send bogus syn/ack */ + t1->rst = 0; + t1->syn = 1; + t1->ack = 1; + if (th->fin) + t1->fin = 1; /* as 2.0.3x we answer SAF */ + } } tcp_send_check(t1, saddr, daddr, sizeof(*t1), buff); --FCuugMFkClbJLl1L--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:45 PDT