diff -ruN linux-2.6.4/include/linux/sysctl.h linux-2.6.4-new/include/linux/sysctl.h
--- linux-2.6.4/include/linux/sysctl.h 2004-03-10 21:55:28.000000000 -0500
+++ linux-2.6.4-new/include/linux/sysctl.h 2004-03-28 15:37:06.829571810 -0500
@@ -322,6 +322,10 @@
NET_IPV4_IPFRAG_SECRET_INTERVAL=94,
NET_TCP_WESTWOOD=95,
NET_IPV4_IGMP_MAX_MSF=96,
+ NET_IPV4_IP_MASQ_UDP_DLOOSE=97,
+ NET_TCP_STACK_SYNFIN=98,
+ NET_TCP_STACK_BOGUS=99,
+ NET_TCP_STACK_ACK=100,
};
enum {
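Review bot: `NET_IPV4_IP_MASQ_UDP_DLOOSE=97` is added to the enum but no other hunk in this patch references it, so it looks like a stray leftover from a different patch and should be dropped, letting the three stealth names take the next free values. These ctl_name values are part of the binary sysctl(2) ABI and upstream keeps appending to this enum, so out-of-tree numbers placed here will collide on the next rebase; a comment such as `/* out-of-tree: renumber when rebasing past NET_IPV4_IGMP_MAX_MSF */` next to the new entries would at least make that risk visible to whoever merges it.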
diff -ruN linux-2.6.4/net/ipv4/Kconfig linux-2.6.4-new/net/ipv4/Kconfig
--- linux-2.6.4/net/ipv4/Kconfig 2004-03-10 21:55:37.000000000 -0500
+++ linux-2.6.4-new/net/ipv4/Kconfig 2004-03-28 15:37:06.842568736 -0500
@@ -343,6 +343,29 @@
If unsure, say N.
+config NET_STEALTH
+ bool "IP: TCP stealth options (enabled per default)"
+ depends on INET
+ default n
+ ---help---
+ If you say Y here, note that these options are now enabled by
+ default; you can disable them by executing the commands
+
+ echo 0 >/proc/sys/net/ipv4/tcp_ignore_ack
+ echo 0 >/proc/sys/net/ipv4/tcp_ignore_bogus
+ echo 0 >/proc/sys/net/ipv4/tcp_ignore_synfin
+
+ at boot time after the /proc file system has been mounted.
+
+ If security is more important, say Y.
+
+config NET_STEALTH_LOG
+ bool 'Log all dropped packets'
+ depends on NET_STEALTH
+ ---help---
+ This turns on a logging facility that logs all tcp packets with
+ bad flags. If you said Y to "TCP stealth options", say Y too.
+
config INET_AH
tristate "IP: AH transformation"
select XFRM
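Review bot: The prompt `"IP: TCP stealth options (enabled per default)"` contradicts the `default n` directly below it; what is on by default is the three sysctls once the option is built in (this patch initialises them to 1 in tcp_input.c), and the help text, not the prompt, should say so. The help also explains only how to switch the knobs off, never what each one drops; going by the tcp_ipv4.c hunk, `tcp_ignore_synfin` drops SYN+FIN segments, `tcp_ignore_bogus` drops segments with none of ACK/SYN/RST set or with reserved header bits set, and `tcp_ignore_ack` drops FIN+PSH+URG segments, so one line per sysctl along those lines belongs here. For `NET_STEALTH_LOG`, "If you said Y ... say Y too" is a recommendation with no reasoning, and the help omits that every dropped segment from the network produces a printk; something like `Note that a remote host can trigger one log line per packet it sends; say N unless the log is monitored and rate limited.` is the caveat a user needs.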
diff -ruN linux-2.6.4/net/ipv4/sysctl_net_ipv4.c linux-2.6.4-new/net/ipv4/sysctl_net_ipv4.c
--- linux-2.6.4/net/ipv4/sysctl_net_ipv4.c 2004-03-10 21:55:37.000000000 -0500
+++ linux-2.6.4-new/net/ipv4/sysctl_net_ipv4.c 2004-03-28 15:37:06.852566370 -0500
@@ -48,6 +48,11 @@
extern int inet_peer_gc_mintime;
extern int inet_peer_gc_maxtime;
+/* stealth stuff */
+extern int sysctl_tcp_ignore_synfin;
+extern int sysctl_tcp_ignore_bogus;
+extern int sysctl_tcp_ignore_ack;
+
#ifdef CONFIG_SYSCTL
static int tcp_retr1_max = 255;
static int ip_local_port_range_min[] = { 1, 1 };
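Review bot: The three `extern int sysctl_tcp_ignore_*` declarations are written out by hand here and again in tcp_ipv4.c later in this patch, once unconditionally and once under `#ifdef CONFIG_NET_STEALTH`, so the two copies can drift; the kernel convention is to declare such knobs once in the shared header that carries the other `sysctl_tcp_*` declarations (include/net/tcp.h) and include that. The comment `/* stealth stuff */` says nothing a reader can use; if a comment stays it should name what the knobs control, e.g. `/* CONFIG_NET_STEALTH: drop TCP segments with suspicious flag combinations, see tcp_v4_rcv() */`.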
@@ -319,6 +324,32 @@
.proc_handler = &proc_dointvec
},
#endif
+#ifdef CONFIG_NET_STEALTH
+ {
+ .ctl_name = NET_TCP_STACK_SYNFIN,
+ .procname = "tcp_ignore_synfin",
+ .data = &sysctl_tcp_ignore_synfin,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_TCP_STACK_BOGUS,
+ .procname = "tcp_ignore_bogus",
+ .data = &sysctl_tcp_ignore_bogus,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_TCP_STACK_ACK,
+ .procname = "tcp_ignore_ack",
+ .data = &sysctl_tcp_ignore_ack,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+#endif
{
.ctl_name = NET_TCP_TW_RECYCLE,
.procname = "tcp_tw_recycle",
diff -ruN linux-2.6.4/net/ipv4/tcp_input.c linux-2.6.4-new/net/ipv4/tcp_input.c
--- linux-2.6.4/net/ipv4/tcp_input.c 2004-03-10 21:55:37.000000000 -0500
+++ linux-2.6.4-new/net/ipv4/tcp_input.c 2004-03-28 15:37:06.000000000 -0500
@@ -75,6 +75,11 @@
int sysctl_tcp_timestamps = 1;
int sysctl_tcp_window_scaling = 1;
int sysctl_tcp_sack = 1;
+#ifdef CONFIG_NET_STEALTH
+int sysctl_tcp_ignore_synfin = 1;
+int sysctl_tcp_ignore_bogus = 1;
+int sysctl_tcp_ignore_ack = 1;
+#endif
int sysctl_tcp_fack = 1;
int sysctl_tcp_reordering = TCP_FASTRETRANS_THRESH;
#ifdef CONFIG_INET_ECN
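Review bot: These three knobs are defined as generic TCP sysctls, but the only consumer in this patch is tcp_v4_rcv in net/ipv4/tcp_ipv4.c; no hunk touches net/ipv6/tcp_ipv6.c, so on a dual-stack host the same SYN+FIN, NULL and FIN+PSH+URG probes are presumably still answered over IPv6 and the "stealth" covers only half the stack. Either apply the same checks in tcp_v6_rcv or document the limitation at the definitions, e.g. `/* Only consulted by tcp_v4_rcv(); the IPv6 receive path is not covered. */`. It would also read better to define the variables next to the code that uses them in tcp_ipv4.c, since nothing in tcp_input.c reads them.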
diff -ruN linux-2.6.4/net/ipv4/tcp_ipv4.c linux-2.6.4-new/net/ipv4/tcp_ipv4.c
--- linux-2.6.4/net/ipv4/tcp_ipv4.c 2004-03-10 21:55:25.000000000 -0500
+++ linux-2.6.4-new/net/ipv4/tcp_ipv4.c 2004-03-28 15:37:06.000000000 -0500
@@ -79,6 +79,12 @@
int sysctl_tcp_tw_reuse;
int sysctl_tcp_low_latency;
+#ifdef CONFIG_NET_STEALTH
+extern int sysctl_tcp_ignore_synfin;
+extern int sysctl_tcp_ignore_bogus;
+extern int sysctl_tcp_ignore_ack;
+#endif
+
/* Check TCP sequence numbers in ICMP packets. */
#define ICMP_MIN_LENGTH 8
@@ -1763,6 +1769,23 @@
tcp_v4_checksum_init(skb) < 0))
goto bad_packet;
+#ifdef CONFIG_NET_STEALTH
+ if(sysctl_tcp_ignore_synfin) {
+ if(th->fin && th->syn)
+ goto tcp_bad_flags;
+ }
+
+ if(sysctl_tcp_ignore_bogus) {
+ if(!(th->ack || th->syn || th->rst) || th->res1)
+ goto tcp_bad_flags;
+ }
+
+ if(sysctl_tcp_ignore_ack) {
+ if(th->fin && th->psh && th->urg)
+ goto tcp_bad_flags;
+ }
+#endif
+
th = skb->h.th;
TCP_SKB_CB(skb)->seq = ntohl(th->seq);
TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
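Review bot: The new flag checks dereference `th` just before the `th = skb->h.th;` reload that immediately follows them; that reload is there because the `pskb_may_pull()` earlier in tcp_v4_rcv (above this hunk) can relocate the header, so the checks may be reading a stale pointer — move the whole `#ifdef CONFIG_NET_STEALTH` block below `th = skb->h.th;`, or reload `th` before it. Separately, `sysctl_tcp_ignore_ack` tests `th->fin && th->psh && th->urg` (the XMAS pattern), which has nothing to do with ACK; rename the knob and its procname (e.g. `tcp_ignore_xmas`) or at least add `/* FIN+PSH+URG ("xmas") probe, with or without ACK */` above the test. Note that the bogus check already rejects any segment without ACK/SYN/RST, so the third check only adds the FIN+PSH+URG+ACK case. tcp_v4_rcv starts and ends outside this hunk.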
@@ -1804,6 +1827,33 @@
return ret;
+#ifdef CONFIG_NET_STEALTH_LOG
+tcp_bad_flags:
+ printk(KERN_INFO
+ "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d "
+ "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX I=%hu:%u:%u "
+ "T=%hu %c%c%c%c%c%c%c%c%c\n",
+ skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source),
+ NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest),
+ ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4,
+ skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq),
+ ntohl(th->ack_seq), skb->nh.iph->ttl,
+ th->res1 ? '1' : '.',
+ th->ece ? 'E' : '.',
+ th->cwr ? 'C' : '.',
+ th->ack ? 'A' : '.',
+ th->syn ? 'S' : '.',
+ th->fin ? 'F' : '.',
+ th->rst ? 'R' : '.',
+ th->psh ? 'P' : '.',
+ th->urg ? 'U' : '.' );
+ goto bad_packet;
+#else
+tcp_bad_flags:
+ goto bad_packet;
+
+#endif /* CONFIG_NET_STEALTH_LOG */
+
no_tcp_socket:
if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
goto discard_it;
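Review bot: The `printk` fires once per dropped segment with no rate limiting, so any remote host can flood the kernel log (and whatever syslog writes it to) by sending bad-flag packets; it should be gated by `net_ratelimit()`. In addition, the `#else` branch defines `tcp_bad_flags:` whenever CONFIG_NET_STEALTH_LOG is off, including when CONFIG_NET_STEALTH itself is off and no `goto tcp_bad_flags` exists, leaving an unused label. Nesting the log option inside one CONFIG_NET_STEALTH block fixes both and removes the duplicated label; the rest of tcp_v4_rcv, including the `bad_packet` label this jumps to, lies outside the hunk.
```c
#ifdef CONFIG_NET_STEALTH
tcp_bad_flags:
#ifdef CONFIG_NET_STEALTH_LOG
	if (net_ratelimit())
		printk(KERN_INFO
		       "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d "
		       /* … unchanged: remaining format string and arguments … */
		       th->urg ? 'U' : '.' );
#endif /* CONFIG_NET_STEALTH_LOG */
	goto bad_packet;
#endif /* CONFIG_NET_STEALTH */
```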