At 11:22 PM 1/17/00 -0600, Simple Nomad wrote:

>This and all other TCP stealth scans can be eliminated by modification to
>most open source kernels. By adding code to the parts of the kernel that
>handle TCP input, you can look to see if a packet is a part of an existing
>conversation. If not, drop it (and perhaps log it). Allow the regular SYN
>packets to be handled by other methods, such as TCP wrappers, firewall
>code (ipfwadm, ipchains), etc.

Win2k has an interesting couple of new APIs listed in the DDK under networking that enable one to construct packet filters that do arbitrary things. It wouldn't be much trouble to build something that would maintain state and deal with this sort of thing appropriately. The only gotcha is that it is above the reassembly layer - but you can inspect or drop everything that passes through that point.

Another fun thing to do to an attacker is to send them back host or network unreachables instead of RST - some stacks will drop all connections to a host if it sends them one of those, which is why you're supposed to send the RSTs in the first place. Standard warnings about allowing denial of service attacks due to spoofed packets assumed, so YMMV, and play at your own risk.

I keep meaning to write myself one just for fun, but haven't had time. You'd need the Win2k release DDK to play with it - it didn't show up in public until just before RTM, so if you've got beta DDKs, it won't be there.

David LeBlanc
dleblancat_private
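A host-side stateful filter of the kind the thread describes, as an added example (Python, not code from either poster or from the Win2k DDK): a segment that is not a bare SYN and matches no tracked conversation is dropped and logged, while bare SYNs are handed on to whatever already polices new connections. The addresses, ports and traffic sequence are constructed sample data.

```python
from dataclasses import dataclass, field

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def conn_key(seg: Segment) -> frozenset:
    """Direction-independent key so both halves of a conversation hit one entry."""
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})

@dataclass
class StatefulFilter:
    active: set = field(default_factory=set)     # conversations a SYN was seen for
    dropped: list = field(default_factory=list)  # what a kernel hook would log

    def decide(self, seg: Segment) -> str:
        key = conn_key(seg)
        if seg.flags == SYN:
            # Bare SYN = genuine connection attempt: start tracking it and leave
            # accept/refuse to the usual SYN-time checks (wrappers, firewall rules).
            self.active.add(key)
            return "PASS_TO_SYN_HANDLER"
        if key not in self.active:
            # NULL, FIN, Xmas and ACK probes, and stray SYN/ACKs, all land here.
            self.dropped.append(seg)
            return "DROP"
        if seg.flags & RST:
            # Aborted conversation; a spoofed RST is exactly the denial-of-service
            # risk the post warns about. FIN teardown would also need a
            # TIME_WAIT-style grace period, omitted in this sketch.
            self.active.discard(key)
        return "ACCEPT"

def demo() -> list:
    """Constructed sample traffic: four probes at an idle port, then a real session."""
    f = StatefulFilter()
    probe = lambda fl: Segment("198.51.100.7", 40000, "192.0.2.10", 22, fl)
    peer = lambda fl: Segment("203.0.113.5", 51515, "192.0.2.10", 22, fl)
    back = lambda fl: Segment("192.0.2.10", 22, "203.0.113.5", 51515, fl)
    traffic = [probe(0), probe(FIN), probe(FIN | PSH | URG), probe(ACK),  # scans
               peer(SYN), back(SYN | ACK), peer(ACK),                    # handshake
               peer(RST), peer(ACK)]                                    # abort, stray
    return [f.decide(s) for s in traffic]
```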
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:04 PDT