Home page logo
/

bugtraq logo Bugtraq mailing list archives

to prevert port scanning in linux 2.0.x
From: antirez () SPEEDCOM IT (Salvatore Sanfilippo -antirez-)
Date: Sat, 17 Jul 1999 12:48:19 +0200


Hi,

        It seems that some bugtraq readers still runs linux 2.0.3[67].
        In order to prevent SYN, FIN, Xmas, NULL tcp scan and
        maybe connect() scan (for exaple it's true with nmap,
        false with strobe) it's possible to apply this kernel patch.

        This stupid patch change the sequence
                SYN ---> closed port
                <--- RST
        to
                SYN ---> closed port
                <--- SYN|ACK
                ACK --->
                <--- RST

        and answers RST to FIN, Xmas and NULL tcp flags even
        if the port is open, like win*.

        If an attacker scans a patched host it gets all
        ports are open, so it gets nothing.

        The patch is tested on linux 2.0.36, maybe it's
        good even for 2.0.37.

bye,
antirez

--
Salvatore Sanfilippo - antirez -                  antirez () alicomitalia it
try hping: http://www.kyuzz.org/antirez           antirez () speedcom it


diff -u -r linux/net/ipv4/tcp_input.c /usr/src/linux-2.0.36/net/ipv4/tcp_input.c
--- linux/net/ipv4/tcp_input.c  Sat Jul 17 11:21:01 1999
+++ /usr/src/linux-2.0.36/net/ipv4/tcp_input.c  Sat Jul 17 12:00:13 1999
@@ -46,6 +46,7 @@
  *                                     </RANT>
  *     George Baeslack         :       SIGIO delivery on accept() bug that
  *                                     affected sun jdk.
+ *     Salvatore Sanfilippo    :       Prevents SYN, FIN, Xmass, NULL scan.
  */

 #include <linux/config.h>
@@ -2464,6 +2465,12 @@
                                        }
                                }
 #endif
+                               tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
+                       }
+
+                       /* resets FIN, Xmas, NULL */
+                       if (!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR)
+                       {
                                tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
                        }

diff -u -r linux/net/ipv4/tcp_output.c /usr/src/linux-2.0.36/net/ipv4/tcp_output.c
--- linux/net/ipv4/tcp_output.c Sat Jul 17 11:21:01 1999
+++ /usr/src/linux-2.0.36/net/ipv4/tcp_output.c Sat Jul 17 11:56:35 1999
@@ -759,7 +759,7 @@
        t1->source = th->dest;
        t1->doff = sizeof(*t1)/4;
        t1->rst = 1;
-
+
        if(th->ack)
        {
                t1->seq = th->ack_seq;
@@ -770,7 +770,15 @@
                if(!th->syn)
                        t1->ack_seq = th->seq;
                else
+               {
                        t1->ack_seq = htonl(ntohl(th->seq)+1);
+                       /* send bogus syn/ack */
+                       t1->rst = 0;
+                       t1->syn = 1;
+                       t1->ack = 1;
+                       if (th->fin)
+                               t1->fin = 1; /* as 2.0.3x we answer SAF */
+               }
        }

        tcp_send_check(t1, saddr, daddr, sizeof(*t1), buff);



  By Date           By Thread  

Current thread:
  • to prevert port scanning in linux 2.0.x Salvatore Sanfilippo -antirez- (Jul 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault