PATCH: prevent FIN/XMAS/NULL stealth portscans

don@sabotage.org
Sun, 8 Aug 1999 02:15:13 +0200 (CEST)


This is a diff to produce a patch sent to bugtraq a while ago. Not sure if
it's functionally equivalent to Joachim Baran's patch sent to linux-kernel.
It prevents several types of stealth portscans - FIN, XMAS and NULL. I've run
it for months in my 2.2.10 kernel without any trouble. YMMV. This diff is
against 2.2.11pre1.
PS: sorry I don't have the original post, but anyone who MIME-attaches a
one-line patch (and then sends the wrong one) probably would prefer anonymity.

diff -u -r linux/Documentation/Configure.help linux-2.2.11pre1mod/Documentation/Configure.help
--- linux/Documentation/Configure.help Sun Jun 13 19:54:06 1999
+++ linux-2.2.11pre1mod/Documentation/Configure.help Thu Aug 5 18:54:04 1999
@@ -5252,6 +5252,15 @@
full bandwidth of your network connection, try saying Y here. If
unsure, say N.

+Prevent response to stealth portscans (EXPERIMENTAL)
+CONFIG_NOSTEALTHSCANS
+ This is the anti-stealth-scan fix as posted to bugtraq. Stealth scans
+ are a method of network-based attackers probing what services are
+ available without going through a full three-way connect protocol, to
+ avoid detection. This option prevents most of that. Although tested
+ only under certain configurations, it should have no effect on normal
+ networking. If problems arise, disable this option. If unsure, say N.
+
QoS and/or fair queueing
CONFIG_NET_SCHED
When the kernel has several packets to send out over the network
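Review bot: the help text describes the wrong behaviour. The code in the tcp_input.c hunk does not "prevent response"; it returns 1 from the TCP_LISTEN path for any segment that is not SYN, ACK or RST, which makes the caller send a reset, so an open (listening) port answers a FIN/XMAS/NULL probe exactly as a closed port already does and the two become indistinguishable. Please reword "This option prevents most of that" to say that listening ports answer such segments with a RST instead of silently discarding them, and note that this deviates from RFC 793, which says a LISTEN socket should drop such segments; "it should have no effect on normal networking" is an assumption that deserves that caveat.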
diff -u -r linux/net/Config.in linux-2.2.11pre1mod/net/Config.in
--- linux/net/Config.in Thu Feb 25 10:46:47 1999
+++ linux-2.2.11pre1mod/net/Config.in Thu Aug 5 18:17:35 1999
@@ -52,6 +52,7 @@
bool 'Fast switching (read help!)' CONFIG_NET_FASTROUTE
bool 'Forwarding between high speed interfaces' CONFIG_NET_HW_FLOWCONTROL
bool 'CPU is too slow to handle full bandwidth' CONFIG_CPU_IS_SLOW
+ bool 'Prevent response to stealth portscans (EXPERIMENTAL)' CONFIG_NOSTEALTHSCANS
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
mainmenu_option next_comment
comment 'QoS and/or fair queueing'
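Review bot: the new bool is labelled "(EXPERIMENTAL)" but is inserted one line above `if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then`, so it is offered even when experimental options are disabled. Move the line inside that conditional so the label and the menu behaviour agree, and check that its indentation matches the neighbouring `bool` lines.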
diff -u -r linux/net/ipv4/tcp_input.c linux-2.2.11pre1mod/net/ipv4/tcp_input.c
--- linux/net/ipv4/tcp_input.c Wed Jun 2 09:55:22 1999
+++ linux-2.2.11pre1mod/net/ipv4/tcp_input.c Thu Aug 5 18:20:17 1999
@@ -2074,7 +2074,12 @@
*/
goto discard;
}
-
+
+/* don't answer stealth scans */
+#ifdef CONFIG_NOSTEALTHSCANS
+ if (!th->rst) return 1;
+#endif
+
goto discard;
break;

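Review bot: the comment `/* don't answer stealth scans */` contradicts what the code does: `if (!th->rst) return 1;` returns 1 to the caller, which sends a RST, so these segments are now answered rather than dropped; rewrite the comment to say that non-SYN/non-ACK/non-RST segments to a listening socket are reset so the port looks closed. Two smaller points: the added block sits at column 0 inside the `case TCP_LISTEN:` body and should be indented to match the surrounding `goto discard;`, and the `-`/`+` pair on the blank line is a no-op change that should be dropped from the hunk.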