[24927] in bugtraq


Re: Identifying Kernel 2.4.x based Linux machines using UDP

daemon@ATHENA.MIT.EDU (Phil)
Wed Apr 3 01:51:27 2002

Date: Fri, 29 Mar 2002 18:33:18 +0100 (CET)
From: Phil <biondi@cartel-securite.fr>
To: ce@ruault.com
Cc: Ofir Arkin <ofir@stake.com>, bugtraq <bugtraq@securityfocus.com>
In-Reply-To: <3C978CD1.8020100@724.com>
Message-ID: <Pine.LNX.4.43.0203291824360.1270-101000@deneb.intranet.cartel-securite.fr>

On Tue, 19 Mar 2002, Charles-Edouard Ruault wrote:

> Hi,
>
> Now that you're bringing the subject on the table, I'll follow up with a
> small bug I've discovered yesterday ...
> On Linux you can "customize" the default TTL that will be used in all
> the IP packets that the box will be sending (using
> /proc/sys/net/ipv4/ip_default_ttl). One of the main reasons to do that,
> as it has been said in many articles, is to make your machine a little
> bit more difficult to fingerprint.
> However, while playing with this feature, I've discovered that the
> current kernel (2.4.18) and probably earlier versions don't use this
> default value when generating the following packets:
>
> - ICMP reply (of any kind)
> - TCP RST.
>
> Therefore, changing the ip_default_ttl on a standard kernel might do the
> opposite of what you're trying to achieve: make it much easier for an
> attacker to fingerprint your OS....
>
> I've written a small patch (against kernel 2.4.18) that fixes this
> behaviour. I'm attaching it to this email (I've also posted it on the
> linux-kernel mailing list).
> Comments are welcome.
>

The policy is:
- for normal packets: have a small TTL. Every point is easily reachable
  in less than 64 hops. If you reach 64, you are in a loop, so die as soon
  as possible so as not to congest the network.
- for control packets (packets that signal errors), you must deliver your
  information at any price. And as we are in an error situation, the 1st
  rule doesn't apply.

Thus, it makes sense to separate these two kinds of packets.
Maybe a separate default_ip_error_ttl could make a better patch.

Cheers!


-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
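The self-check that follows from the observation quoted above, written as an added example (it is neither from this thread nor from the attached kernel patch): given packets captured from a host's own egress, flag hosts whose ICMP replies and TCP RSTs start from a different initial TTL than their ordinary packets, which is what an administrator would run after lowering ip_default_ttl to confirm the setting actually took effect everywhere. The packet records, their field names and the 32/64/128/255 rounding of observed TTLs are constructed assumptions.

```python
# Added example: audit captured packets for the TTL inconsistency described in
# the thread (ICMP replies and TCP RSTs leaving with a different initial TTL
# than normal traffic). Records are constructed; a real audit would read them
# from a capture of the host's own outbound traffic.
from collections import defaultdict

# Common initial TTLs; an observed value is rounded up to the nearest one
# (assumption: fewer than 32 hops between the observer and the host).
INITIAL_TTLS = (32, 64, 128, 255)

def infer_initial_ttl(observed):
    """Return the smallest common initial TTL that is >= the observed TTL."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return observed

def classify(pkt):
    """'error' for ICMP and TCP RST packets, 'normal' for everything else."""
    if pkt["proto"] == "icmp":
        return "error"
    if pkt["proto"] == "tcp" and "R" in pkt.get("flags", ""):
        return "error"
    return "normal"

def ttl_inconsistencies(packets):
    """Map src -> (normal TTLs, error TTLs) for hosts whose two classes disagree."""
    seen = defaultdict(lambda: {"normal": set(), "error": set()})
    for pkt in packets:
        seen[pkt["src"]][classify(pkt)].add(infer_initial_ttl(pkt["ttl"]))
    return {
        src: (sorted(c["normal"]), sorted(c["error"]))
        for src, c in seen.items()
        if c["normal"] and c["error"] and c["normal"] != c["error"]
    }

# Constructed sample: host .10 has a lowered ip_default_ttl (128) that its
# error packets ignore (constructed value 255); host .20 is consistent at 64.
SAMPLE = [
    {"src": "192.0.2.10", "proto": "tcp", "flags": "SA", "ttl": 125},
    {"src": "192.0.2.10", "proto": "icmp", "ttl": 252},
    {"src": "192.0.2.10", "proto": "tcp", "flags": "RA", "ttl": 252},
    {"src": "192.0.2.20", "proto": "tcp", "flags": "SA", "ttl": 61},
    {"src": "192.0.2.20", "proto": "icmp", "ttl": 61},
]

if __name__ == "__main__":
    for host, (normal, error) in ttl_inconsistencies(SAMPLE).items():
        print(f"{host}: normal packets start at TTL {normal}, error packets at {error}")
```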


