[8738] in bugtraq


ip header id patched.

daemon@ATHENA.MIT.EDU (awgn@COSMOS.IT)
Sat Dec 19 15:57:29 1998

Date: 	Sat, 19 Dec 1998 20:53:26 +0100
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: awgn@COSMOS.IT
To: BUGTRAQ@NETSPACE.ORG

As recently discovered, there's a way to make a port-check sweep while
hiding the IP source.
The matter arises because ip_output.c (in Linux kernel 2.0.x) forges and
queues packets using a simple ID increment.
This gives the chance to guess how many packets were sent and, as explained
in the paper about the IP header ID
( http://www.geek-girl.com/bugtraq/1998_4/0609.html ),
the opportunity for IP abuse in portscanning.
Changing the fixed unary step into a random one seems to be a good fix.

Happy kernel hacking. :-)
------------------------------------------------------------------------------
--- ip_output.c.  Fri Apr 17 16:42:38 1998
+++ ip_outout.c.patched   Fri Apr 17 17:17:15 1998
@@ -32,2 +32,3 @@
  *     Juan-Mariano de Goyeneche       traffic generated locally.
- */
+ *     awgn roofing:                   to prevent _ip abuse_ as third in hscan.
+ */
@@ -42,4 +42,5 @@
 #include <linux/errno.h>
 #include <linux/config.h>
+#include <linux/random.h>

 #include <linux/socket.h>
@@ -451,3 +451,4 @@
 {
+       u_char rand_step;
        unsigned int tot_len;
        struct iphdr *iph;
@@ -485,3 +485,5 @@
                case 1:
                        iph->id = htons(ip_id_count++);
+                       (void) get_random_bytes(&rand_step,1);
+                       ip_id_count += ( rand_step & 0x0f );
        }
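Review bot: the mask in `ip_id_count += ( rand_step & 0x0f );` under `case 1:` limits the extra step to 0..15, so together with the existing `ip_id_count++` the ID still rises monotonically by 1 to 16 per packet from one shared counter. The difference between two IDs therefore still bounds the number of packets sent in between, and any difference above 16 shows that other traffic went out. Consider a wider step range or not handing out consecutive values from a single global counter, and add a comment stating the intended step range and why it was chosen.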
@@ -637,3 +637,4 @@
 {
+       u_char rand_step;
        struct rtable *rt;
        unsigned int fraglen, maxfraglen, fragheaderlen;
@@ -754,4 +754,6 @@
                        iph->id=htons(ip_id_count++);
+                       (void) get_random_bytes(&rand_step,1);
+                       ip_id_count += ( rand_step & 0x0f );
                        iph->frag_off = 0;
                        iph->ttl=sk->ip_ttl;
                        iph->protocol=type;
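Review bot: the two lines added after `iph->id=htons(ip_id_count++);` repeat the change from the hunk at -485 verbatim, and each site needs its own `rand_step` local. Put the ID selection into one small helper that both call sites use, so the step logic cannot drift between the two paths and a later change to the mask only has to be made once. Neither site carries a comment explaining the randomized step; a one-line comment at the helper would cover both.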
-------------------------------------------------------------------------

awgn@cosmos.it  [ we're working to make dyndns alive, again! ]

meet us:        #hackers@IRCity.org
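
The following is an added example, not part of the original post or of the kernel source: a userspace C model of the counter before and after the patch, used to work out how much the randomized step still reveals. `rand()` stands in for `get_random_bytes()`, and `packets_between`, `simulate_delta` and `struct bounds` are hypothetical names introduced here.

```c
#include <stdint.h>
#include <stdlib.h>

/* Userspace model of the kernel's global counter (not kernel code). */
static uint16_t ip_id_count;

/* Unpatched 2.0.x behaviour shown in the hunk context: id = counter++. */
uint16_t next_id_orig(void)
{
    return ip_id_count++;
}

/* Patched behaviour: counter advances by 1 + (rand_step & 0x0f) = 1..16.
 * rand() is a stand-in for get_random_bytes(), an assumption of this model. */
uint16_t next_id_patched(void)
{
    uint16_t id = ip_id_count++;
    unsigned char rand_step = (unsigned char)rand();
    ip_id_count += (rand_step & 0x0f);
    return id;
}

struct bounds { unsigned min_pkts, max_pkts; };

/* Bounds on packets sent after `first`, up to and including `second`,
 * when every step is in [1,16]: ceil(delta/16) <= n <= delta. */
struct bounds packets_between(uint16_t first, uint16_t second)
{
    uint16_t delta = (uint16_t)(second - first);   /* survives 16-bit wrap */
    struct bounds b = { (delta + 15u) / 16u, delta };
    return b;
}

/* Emit one reference packet plus n more; return the ID delta between them. */
uint16_t simulate_delta(unsigned n, unsigned seed)
{
    uint16_t first, last;
    unsigned i;

    srand(seed);
    ip_id_count = 65500;            /* constructed start near the 16-bit wrap */
    first = last = next_id_patched();
    for (i = 0; i < n; i++)
        last = next_id_patched();
    return (uint16_t)(last - first);
}
```

With the unpatched counter the delta equals the packet count exactly; with the patch it is only known to within a factor of 16, which blurs the count but does not hide whether the host sent traffic.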
