Nmap Hackers: nmap and a kernel patch (fwd)

From: Fyodor <fyodor_at_dhp.com>
Date: Mon, 19 Jul 1999 18:00:55 -0400 (EDT)

I haven't actually tried this patch, but it is an interesting portscan
defense ...

---------- Forwarded message ----------
From: Salvatore Sanfilippo -antirez- <antirez_at_speedcom.it>
To: fyodor_at_dhp.com
Subject: nmap and a kernel patch

Hi Fyodor,

        three days ago I posted this message
        to bugtraq_at_SECURITYFOCUS.COM, maybe dropped
        by Aleph1. Anyway I think this can interest
        you.

---
Hi,
	It seems that some bugtraq readers still run linux 2.0.3[67].
	In order to prevent SYN, FIN, Xmas, NULL tcp scan and
	maybe connect() scan (for example it's true with nmap,
	false with strobe) it's possible to apply this kernel patch.
	The patch changes the sequence
		SYN ---> closed port
		<--- RST
	to
		SYN ---> closed port
		<--- SYN|ACK
		ACK --->
		<--- RST
	and answers RST to FIN, Xmas and NULL tcp flags even
	if the port is open, like win*.
	If an attacker scans a patched host, it sees all
	ports as open; to be precise, it gets nothing.
bye,
antirez
---
	Port scanners get different feedback when run on
	different OS/kernel versions.
	For example with 2.2.10 strobe will fail as nmap does.
	The problem is the connect().
	For example
		SYN --->
		<--- SYN|ACK
		ACK --->
		<--- RST
	produces this
	2.0.36
	connect()   O_NONBLOCK	return 0 connected!
	connect()	---	return EINPROGRESS
	2.2.10
	connect()   O_NONBLOCK	return 0 connected!
	connect()	---	return 0 connected!
	I think this may interest A.Cox and Linux devel.
	Patch is attached.
ciao,
antirez
-- 
Salvatore Sanfilippo - antirez -                  antirez_at_alicomitalia.it
try hping: http://www.kyuzz.org/antirez           antirez@speedcom.it

Received on Jul 19 1999
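
The exchange described in the message above, as a small C model added here (it is not part of the original post and is not the patch, which this page does not reproduce). It shows why a host behaving as described reports every port open to a SYN scan and none open to FIN, Xmas and NULL scans. The function names and the sample port table are constructed; the scanner's inference rules are the conventional ones (SYN|ACK means open, RST means closed, and silence to FIN/Xmas/NULL reads as open).

```c
#include <stdio.h>

/* TCP header flag bits. */
enum { FIN = 0x01, SYN = 0x02, RST = 0x04, PSH = 0x08, ACK = 0x10, URG = 0x20 };

/* First reply (flag bits, 0 = silence) to an unsolicited probe.
 * patched = 0: stock RFC 793 stack; patched = 1: behaviour described in the mail. */
int host_reply(int patched, int port_open, int probe)
{
    if (probe == SYN)                       /* SYN scan / first step of connect() */
        return (port_open || patched) ? (SYN | ACK) : RST;
    if (!(probe & (SYN | ACK | RST)))       /* FIN, Xmas (FIN|PSH|URG) and NULL */
        return (port_open && !patched) ? 0 : RST;
    return 0;                               /* other probes are outside this model */
}

/* What a scanner infers from the first reply: 1 = "open", 0 = "closed". */
int scanner_says_open(int probe, int reply)
{
    if (probe == SYN)
        return (reply & SYN) && (reply & ACK);
    return reply == 0;                      /* FIN/Xmas/NULL: silence reads as open */
}

/* Number of ports a scan with this probe type would report as open. */
int reported_open(int patched, int probe, const int *port_open, int n)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        count += scanner_says_open(probe, host_reply(patched, port_open[i], probe));
    return count;
}

/* Constructed sample host: 8 ports, 2 of them really listening. */
static const int SAMPLE_PORTS[8] = { 0, 1, 0, 0, 1, 0, 0, 0 };

int main(void)
{
    const int probes[] = { SYN, FIN, FIN | PSH | URG, 0 };
    const char *names[] = { "SYN", "FIN", "Xmas", "NULL" };
    for (int i = 0; i < 4; i++)
        printf("%-4s stock: %d open   patched: %d open\n", names[i],
               reported_open(0, probes[i], SAMPLE_PORTS, 8),
               reported_open(1, probes[i], SAMPLE_PORTS, 8));
    return 0;
}
```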