to prevent port scanning in linux 2.0.x

From: Salvatore Sanfilippo -antirez- (antirezat_private)
Date: Sat Jul 17 1999 - 03:48:19 PDT


    
    Hi,
    
    	It seems that some bugtraq readers still run linux 2.0.3[67].
    	In order to prevent SYN, FIN, Xmas, NULL tcp scan and
    	maybe connect() scan (for example it's true with nmap,
    	false with strobe) it's possible to apply this kernel patch.
    
    	This stupid patch changes the sequence
    		SYN ---> closed port
    		<--- RST
    	to
    		SYN ---> closed port
    		<--- SYN|ACK
    		ACK --->
    		<--- RST
    
    	and answers RST to FIN, Xmas and NULL tcp flags even
    	if the port is open, like win*.
    
    	If an attacker scans a patched host it finds that all
    	ports are open, so it gets nothing.
    
    	The patch is tested on linux 2.0.36, maybe it's
    	good even for 2.0.37.
    
    bye,
    antirez
    
    --
    Salvatore Sanfilippo - antirez -                  antirezat_private
    try hping: http://www.kyuzz.org/antirez           antirezat_private
    
    [attachment: antiscan-patch]
    
    diff -u -r linux/net/ipv4/tcp_input.c /usr/src/linux-2.0.36/net/ipv4/tcp_input.c
    --- linux/net/ipv4/tcp_input.c	Sat Jul 17 11:21:01 1999
    +++ /usr/src/linux-2.0.36/net/ipv4/tcp_input.c	Sat Jul 17 12:00:13 1999
    @@ -46,6 +46,7 @@
      *					</RANT>
      *	George Baeslack		:	SIGIO delivery on accept() bug that
      *					affected sun jdk.
    + *	Salvatore Sanfilippo	:	Prevents SYN, FIN, Xmass, NULL scan.
      */
    
     #include <linux/config.h>
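    Review bot: the credit line spells the scan type "Xmass" while the mail and the comment in the tcp_input.c code hunk use "Xmas"; suggest `Salvatore Sanfilippo	:	Prevents SYN, FIN, Xmas, NULL scan.` so the two comments agree.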
    @@ -2464,6 +2465,12 @@
     					}
     				}
     #endif
    +				tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
    +			}
    +
    +			/* resets FIN, Xmas, NULL */
    +			if (!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR)
    +			{
     				tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
     			}
    
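    Review bot: the first two added lines duplicate the existing `tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);` and close the enclosing block early, so the original call that follows is silently turned into the body of the new `if`; this splices the old block rather than adding to it and is hard to read in review. Suggest leaving the original block untouched and appending the new test with its own call after it, i.e. `/* answer FIN, Xmas and NULL probes with RST instead of dropping them */`, `if (!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR)`, `	tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);`. The comment should also say that this deliberately replaces the RFC 793 "if the ACK bit is off, drop the segment" handling, and that it only runs for segments already matched to a socket (`sk->prot` is dereferenced), so closed ports are not handled here but by the tcp_send_reset() change in tcp_output.c.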
    diff -u -r linux/net/ipv4/tcp_output.c /usr/src/linux-2.0.36/net/ipv4/tcp_output.c
    --- linux/net/ipv4/tcp_output.c	Sat Jul 17 11:21:01 1999
    +++ /usr/src/linux-2.0.36/net/ipv4/tcp_output.c	Sat Jul 17 11:56:35 1999
    @@ -759,7 +759,7 @@
     	t1->source = th->dest;
     	t1->doff = sizeof(*t1)/4;
     	t1->rst = 1;
    -
    +
     	if(th->ack)
     	{
     	  	t1->seq = th->ack_seq;
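    Review bot: this hunk is whitespace only: the removed line and the added line are both blank (the new one presumably carries trailing whitespace). Drop it so tcp_output.c has a single functional hunk.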
    @@ -770,7 +770,15 @@
     	  	if(!th->syn)
     			t1->ack_seq = th->seq;
     		else
    +		{
     			t1->ack_seq = htonl(ntohl(th->seq)+1);
    +			/* send bogus syn/ack */
    +			t1->rst = 0;
    +			t1->syn = 1;
    +			t1->ack = 1;
    +			if (th->fin)
    +				t1->fin = 1; /* as 2.0.3x we answer SAF */
    +		}
     	}
    
     	tcp_send_check(t1, saddr, daddr, sizeof(*t1), buff);
    
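    Review bot: the bogus SYN|ACK goes out with whatever `t1->seq` already holds, since only the `if(th->ack)` branch above assigns it; every decoy reply therefore advertises the same constant initial sequence number, which is exactly the kind of fingerprint a scanner can use to tell decoys from real listeners (a real SYN|ACK carries a varying ISN). Suggest assigning a value from the same ISN generator the genuine handshake path uses (assumed to be secure_tcp_sequence_number() in this tree) before `t1->syn = 1;`. Also, `t1->rst = 1` set a few lines up is now undone on this path, and the function is still named and documented as sending a reset; a line in the comment at the top of tcp_send_reset() saying that a SYN without ACK to a closed port is now answered with SYN|ACK (plus FIN when the probe carried FIN) would save the next reader from having to infer it.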
    
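The exchange the mail describes, as an added example that is not antirez's code or the patch itself: a user-space C model of the reply rules the patch installs in tcp_send_reset() (closed ports) and tcp_rcv() (listening sockets), driven through the probe types named in the mail and through the four-segment closed-port exchange, next to a scanner-side verdict table in the nmap style. Every identifier here, the listening port's ISN constant, the scanner verdict rules and the unchanged `t1->ack = 1` else-branch are assumptions of this model, not Linux 2.0.36 code.

```c
/* Added example, not antirez's code: a user-space model of the reply
 * rules the antiscan patch installs. Identifiers, the open port's ISN
 * and the scanner verdict table are assumptions of this model. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { F_FIN = 1, F_SYN = 2, F_RST = 4, F_PSH = 8, F_ACK = 16, F_URG = 32 };

struct seg {
    unsigned flags;    /* bitmask of F_* */
    uint32_t seq, ack; /* host byte order */
    int sent;          /* 0: the target emitted nothing */
};

/* Patched tcp_send_reset(): what a closed port (no socket) sends back.
 * patched == 0 reproduces the stock 2.0.36 reset for comparison. */
static struct seg closed_port_reply(const struct seg *in, int patched)
{
    struct seg out;
    memset(&out, 0, sizeof out);
    if (in->flags & F_RST)          /* a reset is never answered */
        return out;
    out.sent = 1;
    out.flags = F_RST;              /* t1->rst = 1 */
    if (in->flags & F_ACK) {
        out.seq = in->ack;          /* t1->seq = th->ack_seq */
    } else {
        out.flags |= F_ACK;         /* t1->ack = 1 (assumed stock else-branch) */
        if (!(in->flags & F_SYN)) {
            out.ack = in->seq;      /* t1->ack_seq = th->seq */
        } else {
            out.ack = in->seq + 1;  /* t1->ack_seq = th->seq + 1 */
            if (patched) {          /* bogus SYN|ACK; t1->seq is never set, so 0 */
                out.flags = F_SYN | F_ACK;
                if (in->flags & F_FIN)
                    out.flags |= F_FIN;   /* SYN|FIN probe gets SYN|ACK|FIN */
            }
        }
    }
    return out;
}

/* Patched tcp_rcv() for a listening socket: segments with none of
 * SYN/ACK/RST now go through tcp_send_reset(); stock 2.0.36 drops them. */
static struct seg open_port_reply(const struct seg *in, int patched)
{
    struct seg out;
    memset(&out, 0, sizeof out);
    if (in->flags & F_RST)
        return out;
    if ((in->flags & (F_SYN | F_ACK)) == F_SYN) {   /* genuine handshake */
        out.sent = 1;
        out.flags = F_SYN | F_ACK;
        out.seq = 0x2a2a2a2au;                       /* assumed ISN */
        out.ack = in->seq + 1;
        return out;
    }
    if (in->flags & F_ACK)                           /* ACK in LISTEN: RFC 793 reset */
        return closed_port_reply(in, patched);
    if (patched)                                     /* FIN, NULL, Xmas */
        return closed_port_reply(in, patched);
    return out;                                      /* stock kernel: dropped */
}

/* Scanner inference, nmap style (assumed): a SYN scan reads SYN|ACK as
 * open and RST as closed; FIN/NULL/Xmas scans read silence as
 * open|filtered and RST as closed. */
static const char *scanner_verdict(unsigned probe, const struct seg *reply)
{
    if (probe & F_SYN)
        return !reply->sent ? "filtered" : (reply->flags & F_SYN) ? "open" : "closed";
    return !reply->sent ? "open|filtered" : "closed";
}

/* The closed-port exchange from the mail on a patched host. Returns how
 * many segments the target sent; *last receives its final segment. */
static int closed_port_connect(uint32_t isn, struct seg *last)
{
    struct seg syn = { F_SYN, isn, 0, 1 };
    struct seg synack = closed_port_reply(&syn, 1);
    *last = synack;
    if (!(synack.sent && (synack.flags & F_SYN)))
        return synack.sent;
    /* the scanner completes the handshake and is then reset */
    struct seg ack = { F_ACK, isn + 1, synack.seq + 1, 1 };
    *last = closed_port_reply(&ack, 1);
    return 1 + last->sent;
}

int main(void)
{
    static const struct { const char *name; unsigned flags; } probe[] = {
        { "SYN", F_SYN }, { "FIN", F_FIN }, { "NULL", 0 },
        { "Xmas", F_FIN | F_PSH | F_URG }, { "ACK", F_ACK },
    };
    for (unsigned i = 0; i < sizeof probe / sizeof probe[0]; i++) {
        struct seg in = { probe[i].flags, 1000, 0, 1 };
        struct seg c0 = closed_port_reply(&in, 0), c1 = closed_port_reply(&in, 1);
        struct seg o0 = open_port_reply(&in, 0), o1 = open_port_reply(&in, 1);
        printf("%-4s closed: %-13s -> %-13s  open: %-13s -> %-13s\n", probe[i].name,
               scanner_verdict(in.flags, &c0), scanner_verdict(in.flags, &c1),
               scanner_verdict(in.flags, &o0), scanner_verdict(in.flags, &o1));
    }
    return 0;
}
```

The table main() prints shows both halves of the trick at once: under a SYN scan every closed port on the patched host moves from "closed" to "open", and under FIN, NULL and Xmas scans every open port moves from "open|filtered" to "closed". closed_port_connect() walks the SYN, SYN|ACK, ACK, RST sequence from the mail and shows the decoy's constant ISN of 0, which is what the final RST's sequence number of 1 is derived from.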



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:45 PDT