[GUILDE RESEAU] kernel patch contre tcp scan

Page principale

Répondre à ce message
Auteur: guilde
Date:  
À: guilde
Sujet: [GUILDE RESEAU] kernel patch contre tcp scan
Bonjour ? tous,
Je suis inscrit ? la mailing list de nmap, un scanner de ports assez
interressant, et le webmaster du site (qui est aussi le leader du projet
nmap), viens de recevoir un mail plutot sympa.
En clair, si vous mettez ce patch, ben pour le port scan, c' est nickel chrome
:-))
Le gars qui vous scan vois que tout les ports sont ouverts, bref, il voit de
belles conneries :-))


-----FW: <Pine.LNX.4.04.9907191759020.29721-200000@???>-----

Date: Mon, 19 Jul 1999 18:00:55 -0400 (EDT)
From: Fyodor <fyodor@???>
To: nmap-hackers@???
Subject: nmap and a kernel patch (fwd)


I haven't actually tried this patch, but it is an interesting portscan
defense ...

---------- Forwarded message ----------
From: Salvatore Sanfilippo -antirez- <antirez@???>
To: fyodor@???
Subject: nmap and a kernel patch

Hi Fyodor,

        three days ago i've posted this message
        to bugtraq@???, maybe dropped
        by Aleph1. Anyway I think this can interest
        you.


---
Hi,

        It seems that some bugtraq readers still runs linux 2.0.3[67].
        In order to prevent SYN, FIN, Xmas, NULL tcp scan and
        maybe connect() scan (for exaple it's true with nmap,
        false with strobe) it's possible to apply this kernel patch.


        The patch change the sequence
                SYN ---> closed port
                <--- RST
        to
                SYN ---> closed port
                <--- SYN|ACK
                ACK --->
                <--- RST


        and answers RST to FIN, Xmas and NULL tcp flags even
        if the port is open like win*.


        If an attacker scans a patched host it gets all
        ports are open, to be precise it gets nothing.


bye,
antirez
---

        port scanners have different feedbacks if runs in
        different SO/kernel version.


        For example with 2.2.10 strobe will fail as nmap do.
        The problem is the connect().


        For example


                SYN --->
                <--- SYN|ACK
                ACK --->
                <--- RST


        produce this


        2.0.36


        connect()   O_NONBLOCK  return 0 connected!
        connect()       ---     return EINPROGRESS


        2.2.10


        connect()   O_NONBLOCK  return 0 connected!
        connect()       ___     retunn 0 connected!


        I think this may interest A.Cox and Linux devel.


        Patch is attached.


ciao,
antirez

-- 
Salvatore Sanfilippo - antirez -                  antirez@???
try hping: http://www.kyuzz.org/antirez           antirez@???


--------------End of forwarded message-------------------------

We are the knights who say RTFM !
diff -u -r linux/net/ipv4/tcp_input.c /usr/src/linux-2.0.36/net/ipv4/tcp_input.c
--- linux/net/ipv4/tcp_input.c    Sat Jul 17 11:21:01 1999
+++ /usr/src/linux-2.0.36/net/ipv4/tcp_input.c    Sat Jul 17 12:00:13 1999
@@ -46,6 +46,7 @@
  *                    </RANT>
  *    George Baeslack        :    SIGIO delivery on accept() bug that
  *                    affected sun jdk.
+ *    Salvatore Sanfilippo    :    Prevents SYN, FIN, Xmass, NULL scan.
  */


 #include <linux/config.h>
@@ -2464,6 +2465,12 @@
                     }
                 }
 #endif
+                tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
+            }
+
+            /* resets FIN, Xmas, NULL */
+            if (!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR)
+            {
                 tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
             }


diff -u -r linux/net/ipv4/tcp_output.c /usr/src/linux-2.0.36/net/ipv4/tcp_output.c
--- linux/net/ipv4/tcp_output.c    Sat Jul 17 11:21:01 1999
+++ /usr/src/linux-2.0.36/net/ipv4/tcp_output.c    Sat Jul 17 11:56:35 1999
@@ -759,7 +759,7 @@
     t1->source = th->dest;
     t1->doff = sizeof(*t1)/4;
     t1->rst = 1;
-  
+
     if(th->ack)
     {
           t1->seq = th->ack_seq;
@@ -770,7 +770,15 @@
           if(!th->syn)
             t1->ack_seq = th->seq;
         else
+        {
             t1->ack_seq = htonl(ntohl(th->seq)+1);
+            /* send bogus syn/ack */
+            t1->rst = 0;
+            t1->syn = 1;
+            t1->ack = 1;
+            if (th->fin)
+                t1->fin = 1; /* as 2.0.3x we answer SAF */
+        }
     }


     tcp_send_check(t1, saddr, daddr, sizeof(*t1), buff);