Nmap Announce mailing list archives
nmap and a kernel patch (fwd)
From: Fyodor <fyodor () dhp com>
Date: Mon, 19 Jul 1999 18:00:55 -0400 (EDT)
I haven't actually tried this patch, but it is an interesting portscan
defense ...
---------- Forwarded message ----------
From: Salvatore Sanfilippo -antirez- <antirez () speedcom it>
To: fyodor () dhp com
Subject: nmap and a kernel patch
Hi Fyodor,
three days ago I've posted this message
to bugtraq () SECURITYFOCUS COM, maybe dropped
by Aleph1. Anyway I think this may interest
you.
---
Hi,
It seems that some bugtraq readers still run Linux 2.0.3[67].
In order to prevent SYN, FIN, Xmas and NULL TCP scans and
maybe connect() scans (for example it's true with nmap,
false with strobe) it's possible to apply this kernel patch.
The patch changes the sequence
SYN ---> closed port
<--- RST
to
SYN ---> closed port
<--- SYN|ACK
ACK --->
<--- RST
and answers RST to FIN, Xmas and NULL TCP flags even
if the port is open, like win*.
If an attacker scans a patched host it sees all
ports as open; to be precise, it gets nothing.
bye,
antirez
---
Port scanners get different feedback if run on
different OS/kernel versions.
For example with 2.2.10 strobe will fail as nmap does.
The problem is the connect().
For example
SYN --->
<--- SYN|ACK
ACK --->
<--- RST
produce this
2.0.36
connect() O_NONBLOCK return 0 connected!
connect() --- return EINPROGRESS
2.2.10
connect() O_NONBLOCK return 0 connected!
connect() ___ return 0 connected!
I think this may interest A.Cox and Linux devel.
Patch is attached.
ciao,
antirez
--
Salvatore Sanfilippo - antirez - antirez () alicomitalia it
try hping: http://www.kyuzz.org/antirez antirez () speedcom it
Attachment: antiscan-patch
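As an added illustration (not antirez's patch, nor any code from this archive): a small model of the reply sequences the post describes, and of how a scanner applying the usual SYN-scan and FIN-scan inference rules reads a stock 2.0.36 kernel versus a patched one. The flag values, the Xmas probe as FIN|PSH|URG, the scanner rules and the sample target are assumptions drawn from common scanner behaviour.

```python
"""Model of the closed-port behaviour introduced by the antiscan patch.

Constructed illustration: how a stock Linux 2.0.36 kernel and a kernel
with the patch answer the probes named in the post, and how a scanner
using the common SYN/FIN inference rules interprets those answers.
"""
# TCP flag bits as laid out in struct tcphdr
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS, NULL = FIN | PSH | URG, 0          # assumed probe definitions

def reply(open_ports, patched, port, flags):
    """Flags of the target's answering segment, or None if it stays silent."""
    is_open = port in open_ports
    if flags == SYN:
        # Stock kernel: RST from a closed port. Patched kernel: SYN|ACK for
        # every port, so the closed port is only revealed after the handshake.
        return SYN | ACK if (is_open or patched) else RST
    if flags == ACK:
        # Third handshake segment: the patched kernel resets the bogus
        # connection it offered for a closed port.
        return RST if (patched and not is_open) else None
    if flags in (FIN, XMAS, NULL):
        # Stock Linux: open port drops the probe, closed port answers RST.
        # Patched kernel answers RST in both cases, as Windows does.
        return RST if (patched or not is_open) else None
    return None

def syn_scan(open_ports, patched, port):
    """Half-open scan rule: SYN|ACK means open, RST means closed."""
    return "open" if reply(open_ports, patched, port, SYN) == SYN | ACK else "closed"

def fin_scan(open_ports, patched, port, probe=FIN):
    """FIN/Xmas/NULL scan rule: RST means closed, silence means open."""
    return "closed" if reply(open_ports, patched, port, probe) == RST else "open"

def exchange(open_ports, patched, port):
    """Segments exchanged for a SYN probe, in the post's arrow notation."""
    trace = ["SYN --->"]
    r = reply(open_ports, patched, port, SYN)
    trace.append("<--- SYN|ACK" if r == SYN | ACK else "<--- RST")
    if r == SYN | ACK:
        trace.append("ACK --->")
        if reply(open_ports, patched, port, ACK) == RST:
            trace.append("<--- RST")
    return trace

if __name__ == "__main__":
    ports, services = range(20, 26), {22, 25}   # constructed sample target
    for patched in (False, True):
        print("patched" if patched else "stock  ",
              [syn_scan(services, patched, p) for p in ports],
              [fin_scan(services, patched, p) for p in ports])
    print(exchange(services, True, 21))   # closed port on the patched host
```

Against the patched host every port reads "open" to the SYN scan and "closed" to the FIN, Xmas and NULL scans, which is the "it gets nothing" outcome the post describes.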