Re: Identifying Kernel 2.4.x based Linux machines using UDP

From: Phil (biondi@cartel-securite.fr)
Date: Fri Mar 29 2002 - 09:33:18 PST

    On Tue, 19 Mar 2002, Charles-Edouard Ruault wrote:
    
    > Hi,
    >
    > Now that you're bringing the subject on the table, I'll follow up with a
    > small bug I've discovered yesterday ...
    > On Linux you can "customize" the default TTL that will be used in all
    > the IP packets that the box will be sending (using
    > /proc/sys/net/ipv4/ip_default_ttl).
    > One of the main reasons to do that, as it has been said in many
    > articles, is to make your machine a little bit more difficult to
    > fingerprint.
    > However, while playing with this feature, I've discovered that the
    > current kernel (2.4.18), and probably earlier versions, don't use this
    > default value when generating the following packets:
    >
    > - ICMP reply (of any kind)
    > - TCP RST.
    >
    > Therefore, changing the ip_default_ttl on a standard kernel might do the
    > opposite of what you're trying to achieve: make it much easier for an
    > attacker to fingerprint your OS....
    >
    > I've written a small patch (against kernel 2.4.18) that fixes this
    > behaviour. I'm attaching it to this email (I've also posted it on the
    > linux-kernel mailing list).
    > Comments are welcome.
    >
    
    The policy is:
    - for normal packets: have a small TTL. Every point is easily reachable
      in less than 64 hops. If you reach 64, you are in a loop, so die as soon
      as possible so as not to congest the network.
    - for control packets (packets that signal errors), you must deliver your
      information at any price. And as we are in an error situation, the 1st
      rule doesn't apply.
    
    Thus, it makes sense to separate these two kinds of packets.
    Maybe a separate default_ip_error_ttl could make a better patch.
    
    Cheers!
    
    
    -- 
    Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
    Security Consultant/R&D                      http://www.cartel-securite.fr
    Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
    PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
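The check an administrator would want after changing ip_default_ttl is whether every packet type the box emits actually reflects the new value. The script below is an added example, not code from this thread or from either poster: it takes per-packet summaries (source, packet kind, observed TTL) from a capture of your own host's outbound traffic, rounds each observed TTL up to the nearest common initial TTL, and flags a host whose ICMP replies and TCP RSTs imply a different initial TTL than its ordinary packets. The packet-kind labels, the helper names and the sample records are all constructed for this example.

```python
"""Audit outbound packet summaries for the ICMP/RST TTL mismatch discussed above."""
from collections import defaultdict

# Initial TTL values commonly used by IP stacks. An observed TTL is mapped to
# the smallest of these that is >= it (assumes the capture is within 31 hops).
INITIAL_TTLS = (32, 64, 128, 255)

# Packet kinds the quoted report says Linux 2.4.18 sends without applying
# ip_default_ttl. Labels are constructed for this example.
ERROR_KINDS = {"icmp-reply", "tcp-rst"}


def infer_initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial TTL."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise ValueError(f"TTL {observed} exceeds any known initial value")


def audit_ttl_consistency(packets):
    """packets: iterable of (src, kind, observed_ttl).

    Returns {src: {"normal": set, "error": set, "inconsistent": bool}} where
    "normal" and "error" hold the inferred initial TTLs of ordinary packets
    and of ICMP-reply/RST packets respectively.
    """
    seen = defaultdict(lambda: {"normal": set(), "error": set()})
    for src, kind, ttl in packets:
        bucket = "error" if kind in ERROR_KINDS else "normal"
        seen[src][bucket].add(infer_initial_ttl(ttl))
    report = {}
    for src, groups in seen.items():
        both_seen = bool(groups["normal"] and groups["error"])
        report[src] = {
            "normal": groups["normal"],
            "error": groups["error"],
            "inconsistent": both_seen and groups["normal"] != groups["error"],
        }
    return report


# Constructed sample: 10.0.0.5 has ip_default_ttl raised to 128, but its ICMP
# replies and RSTs still leave with the compiled-in 64; 10.0.0.9 is consistent.
SAMPLE_PACKETS = [
    ("10.0.0.5", "tcp-syn-ack", 125),
    ("10.0.0.5", "udp", 126),
    ("10.0.0.5", "icmp-reply", 61),
    ("10.0.0.5", "tcp-rst", 62),
    ("10.0.0.9", "tcp-syn-ack", 62),
    ("10.0.0.9", "icmp-reply", 61),
]

if __name__ == "__main__":
    for src, result in audit_ttl_consistency(SAMPLE_PACKETS).items():
        print(src, "INCONSISTENT" if result["inconsistent"] else "ok", result)
```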