[11076] in bugtraq


to prevent port scanning in linux 2.0.x

daemon@ATHENA.MIT.EDU (Salvatore Sanfilippo -antirez-)
Tue Jul 20 13:30:50 1999

Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=FCuugMFkClbJLl1L
Message-Id:  <19990717124819.A457@speedcom.it>
Date:         Sat, 17 Jul 1999 12:48:19 +0200
Reply-To: antirez@speedcom.it
From: Salvatore Sanfilippo -antirez- <antirez@SPEEDCOM.IT>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

--FCuugMFkClbJLl1L
Content-Type: text/plain; charset=us-ascii

Hi,

	It seems that some bugtraq readers still run linux 2.0.3[67].
	In order to prevent SYN, FIN, Xmas, NULL tcp scans and
	maybe connect() scans (for example it's true with nmap,
	false with strobe) it's possible to apply this kernel patch.

	This stupid patch changes the sequence
		SYN ---> closed port
		<--- RST
	to
		SYN ---> closed port
		<--- SYN|ACK
		ACK --->
		<--- RST

	and answers RST to FIN, Xmas and NULL tcp flags even
	if the port is open, like win*.

	If an attacker scans a patched host it sees that all
	ports are open, so it gets nothing.

	The patch is tested on linux 2.0.36, maybe it's
	good even for 2.0.37.

bye,
antirez

--
Salvatore Sanfilippo - antirez -                  antirez@alicomitalia.it
try hping: http://www.kyuzz.org/antirez           antirez@speedcom.it

--FCuugMFkClbJLl1L
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=antiscan-patch

diff -u -r linux/net/ipv4/tcp_input.c /usr/src/linux-2.0.36/net/ipv4/tcp_input.c
--- linux/net/ipv4/tcp_input.c	Sat Jul 17 11:21:01 1999
+++ /usr/src/linux-2.0.36/net/ipv4/tcp_input.c	Sat Jul 17 12:00:13 1999
@@ -46,6 +46,7 @@
  *					</RANT>
  *	George Baeslack		:	SIGIO delivery on accept() bug that
  *					affected sun jdk.
+ *	Salvatore Sanfilippo	:	Prevents SYN, FIN, Xmass, NULL scan.
  */

 #include <linux/config.h>
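Review bot: the credit line spells the scan "Xmass" while the post and the `/* resets FIN, Xmas, NULL */` comment in the next hunk say "Xmas"; use one spelling. The line also names only the scans it blocks, not what changed; a pointer to the two actual behaviour changes (RST to FIN/NULL/Xmas at a listening socket in this file, SYN|ACK in place of RST to a lone SYN in tcp_output.c) would save the next reader a search through both files.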
@@ -2464,6 +2465,12 @@
 					}
 				}
 #endif
+				tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
+			}
+
+			/* resets FIN, Xmas, NULL */
+			if (!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR)
+			{
 				tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
 			}

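Review bot: the `tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);` added directly after `#endif` is a verbatim copy of the call that already follows it, and the added `}` then closes the surrounding block one line early so the original call can be reused as the body of the new `if`; the result reads as if two resets were sent. Append the new `if (...) { tcp_send_reset(...); }` as a self-contained block after the existing one instead of splicing into it. The condition `!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR` is right as far as it goes: every segment of a live connection carries ACK, so this branch fires only for crafted probes (FIN, NULL, Xmas and any PSH/URG-only variant), never for a stale FIN from a torn-down connection, and the IS_MYADDR test keeps a forwarding host from resetting on someone else's behalf. Say that in the comment rather than the bare `/* resets FIN, Xmas, NULL */`, and note that it is a deliberate departure from RFC 793 (a listening socket is supposed to drop a segment with none of SYN, RST or ACK set silently); that silent drop is exactly what the scans key on, and without the comment the next person will put it back.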
diff -u -r linux/net/ipv4/tcp_output.c /usr/src/linux-2.0.36/net/ipv4/tcp_output.c
--- linux/net/ipv4/tcp_output.c	Sat Jul 17 11:21:01 1999
+++ /usr/src/linux-2.0.36/net/ipv4/tcp_output.c	Sat Jul 17 11:56:35 1999
@@ -759,7 +759,7 @@
 	t1->source = th->dest;
 	t1->doff = sizeof(*t1)/4;
 	t1->rst = 1;
-
+
 	if(th->ack)
 	{
 	  	t1->seq = th->ack_seq;
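Review bot: this hunk replaces an empty line with an empty line, i.e. it is a trailing-whitespace change only; drop it from the patch. It contributes nothing to the fix and is the kind of hunk that fails to apply on a tree whose whitespace differs, which is the 2.0.37 case the post hopes the patch covers.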
@@ -770,7 +770,15 @@
 	  	if(!th->syn)
 			t1->ack_seq = th->seq;
 		else
+		{
 			t1->ack_seq = htonl(ntohl(th->seq)+1);
+			/* send bogus syn/ack */
+			t1->rst = 0;
+			t1->syn = 1;
+			t1->ack = 1;
+			if (th->fin)
+				t1->fin = 1; /* as 2.0.3x we answer SAF */
+		}
 	}

 	tcp_send_check(t1, saddr, daddr, sizeof(*t1), buff);
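Review bot: clearing `t1->rst` and setting `t1->syn`/`t1->ack` inside tcp_send_reset() changes the function's contract for every caller, not just the no-socket path: after this hunk any call made for a segment with SYN set and ACK clear emits a SYN|ACK, and the `t1->rst = 1` a few lines above (the previous hunk's context) no longer means what it says. Split this out (a separate function for the bogus SYN|ACK, or a parameter telling tcp_send_reset() which reply to build) so the other callers, which this patch does not audit, keep getting a reset. Second, the hunk only flips flag bits: the sequence number, window and any options stay whatever tcp_send_reset() fills in for a reset, so the forged SYN|ACK differs from a real listener's in every field but the flags, and a scanner that compares those fields, or that simply finishes the handshake and watches for the RST in the post's own diagram, still tells closed from open; the post concedes the strobe case, but the fingerprint in the SYN|ACK itself deserves a mention. Finally, `if (th->fin) t1->fin = 1; /* as 2.0.3x we answer SAF */` keeps the SYN|FIN -> SYN|ACK|FIN quirk on purpose; spell out that this is intentional, since answering SAF is itself something a fingerprinter can look for.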

--FCuugMFkClbJLl1L--
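The exchange the post draws, as an added example that is not antirez's code and not part of the patch: a small C model of both hosts' reply rules, driven by the three scanner strategies the post names. The host model is an assumption built only from the post, the two hunks and RFC 793 (nothing in it is the kernel's own code path), and the connect()-scan reading, a full handshake followed by treating a RST to the scanner's own ACK as "closed", is my assumption about why the post says strobe is not fooled.

```c
/* Added example, not antirez's code: a userland model of the reply rules the
 * post describes for an unpatched and a patched 2.0.36 (an assumption built
 * only from the post, the hunks and RFC 793), run against three scanner
 * strategies.  No packets are sent; the "wire" is a function call. */
#include <stdio.h>
#include <string.h>

enum { F_FIN = 1, F_SYN = 2, F_RST = 4, F_PSH = 8, F_ACK = 16, F_URG = 32 };
#define NO_REPLY (-1)
static int has(int r, int f) { return r != NO_REPLY && (r & f) == f; }

enum host_kind { HOST_UNPATCHED, HOST_PATCHED };
enum scan_type { SCAN_SYN, SCAN_CONNECT, SCAN_FIN, SCAN_NULL, SCAN_XMAS };

/* port_open: LISTEN socket on the probed port; syn_seen: listener answered
 * SYN|ACK and is waiting for the ACK; established: handshake done. */
struct host { enum host_kind kind; int port_open, syn_seen, established; };

/* tcp_send_reset() as the tcp_output.c hunk leaves it: a SYN without ACK gets
 * a bogus SYN|ACK (FIN copied through, the "SAF" case); everything else, and
 * everything on the unpatched kernel, gets a RST (RFC 793: a RST answering a
 * segment without ACK carries ACK itself). */
static int send_reset(enum host_kind kind, int in)
{
    if (kind == HOST_PATCHED && (in & F_SYN) && !(in & F_ACK))
        return F_SYN | F_ACK | (in & F_FIN);
    return (in & F_ACK) ? F_RST : (F_RST | F_ACK);
}

/* One incoming segment -> the host's reply flags, or NO_REPLY. */
static int respond(struct host *h, int in)
{
    if (in & F_RST)                    /* a RST is never answered */
        return NO_REPLY;
    if (!h->port_open)                 /* no socket: reset path */
        return send_reset(h->kind, in);
    if (h->established)                /* data path not modelled */
        return NO_REPLY;
    if (h->syn_seen && (in & F_ACK) && !(in & F_SYN)) {
        h->established = 1;            /* handshake completes silently */
        return NO_REPLY;
    }
    if (in & F_ACK)                    /* stray ACK at a listener */
        return send_reset(h->kind, in);
    if (in & F_SYN) {                  /* real listener, real SYN|ACK */
        h->syn_seen = 1;
        return F_SYN | F_ACK;
    }
    /* FIN / NULL / Xmas at a listener: 2.0.36 drops it silently (what the
     * stealth scans key on); the tcp_input.c hunk answers RST instead. */
    return h->kind == HOST_PATCHED ? send_reset(h->kind, in) : NO_REPLY;
}

/* Half-open scan (nmap -sS style): SYN|ACK means open, RST means closed. */
static const char *syn_scan(struct host *h)
{
    int r = respond(h, F_SYN);
    if (has(r, F_SYN | F_ACK)) { respond(h, F_RST); return "open"; }
    return has(r, F_RST) ? "closed" : "filtered";
}

/* FIN / NULL / Xmas scan: silence is read as open, RST as closed. */
static const char *stealth_scan(struct host *h, int probe)
{
    return has(respond(h, probe), F_RST) ? "closed" : "open|filtered";
}

/* Full connect() scan.  Reading a RST to its own ACK as "closed" is an
 * assumption about why the post says strobe is not fooled; it is exactly
 * the four-segment exchange the post draws. */
static const char *connect_scan(struct host *h)
{
    int r = respond(h, F_SYN);
    if (!has(r, F_SYN | F_ACK))
        return has(r, F_RST) ? "closed" : "filtered";
    if (has(respond(h, F_ACK), F_RST))
        return "closed";
    respond(h, F_RST);                 /* tear the connection down */
    return "open";
}

/* Fresh host per probe, so scans do not share handshake state. */
const char *scan(enum host_kind kind, int port_open, enum scan_type type)
{
    struct host h = { kind, port_open, 0, 0 };
    switch (type) {
    case SCAN_SYN:     return syn_scan(&h);
    case SCAN_CONNECT: return connect_scan(&h);
    case SCAN_FIN:     return stealth_scan(&h, F_FIN);
    case SCAN_NULL:    return stealth_scan(&h, 0);
    default:           return stealth_scan(&h, F_FIN | F_PSH | F_URG);
    }
}

int main(void)
{
    static const char *names[] = { "SYN", "connect", "FIN", "NULL", "Xmas" };
    int k, t, is_open;
    for (k = HOST_UNPATCHED; k <= HOST_PATCHED; k++)
        for (t = SCAN_SYN; t <= SCAN_XMAS; t++)
            for (is_open = 1; is_open >= 0; is_open--)
                printf("%s host, %s scan, %s port -> %s\n",
                       k ? "patched" : "unpatched", names[t],
                       is_open ? "open" : "closed", scan(k, is_open, t));
    return 0;
}
```

Build it with any C compiler (`cc -Wall` on the file) and run it: the patched host reports every port as open to the half-open scan and as closed to the FIN, NULL and Xmas scans, the two effects the post claims, while the full connect() scan still separates open from closed because the forged handshake on a closed port ends in the RST the post's own diagram shows.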
