Bugtraq mailing list archives
sleath port scanning fix
From: root () IO STARGATE CO UK (Superuser)
Date: Sun, 7 Sep 1997 16:33:16 +0100
Hi, as I said in a previous message, Linux 2.1.53, and probably all other versions, allows port scanning by sending FIN-only (no ACK) packets and seeing if one gets an RST packet. If one does not, then the port is listening. Here is a patch to linux/net/ipv4/tcp_input.c that stops that working and gives you a message in the log telling you the port number and source IP address. When you see all the open ports from one IP address you have grounds for writing to the ISP and watching the cracker's account disappear (in a puff of greasy green smoke, perhaps).

Duncan (-:

(Alan Cox also included in recipients)

--- tcp_input.c.orig Sun Sep 7 16:01:32 1997 +++ tcp_input.c Sun Sep 7 16:24:38 1997 @@ -1548,9 +1548,9 @@ /* These use the socket TOS.. * might want to be the received TOS */ - if(th->ack) - return 1; - + if(th->ack) + return 1; + if(th->syn) { if(tp->af_specific->conn_request(sk, skb, opt, 0) < 0) return 1; @@ -1574,7 +1574,11 @@ goto discard; } - goto discard; + /* SECURITY FIX: stop port scanning with packets that do not + * set either ACK or SYN (e.g. just FIN). + */ + printk("Warning: possible attempt at \"sleath\" port scaning: port %d, source IP %s\n", noths(skb->h.th->dest), in_ntoa(skb->nh.iph->saddr)); + return 1; break; case TCP_SYN_SENT:
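
Review bot: in the first hunk (@@ -1548,9) the removed `if(th->ack)` and `return 1;` lines and the added ones read identically here, so this looks like a whitespace-only change. Drop it from the patch so that the security fix in the second hunk can be reviewed and applied on its own.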
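
Review bot: in the second hunk (@@ -1574,7) the added printk() calls `noths(skb->h.th->dest)`, which looks like a typo for `ntohs`; as written the port conversion will not build unless a function of that name exists. The same printk() fires for every matching packet with no log level and no rate limit, so whoever sends such packets controls how fast the log fills; consider giving it a KERN_ level and limiting how often it prints. The message text misspells "stealth" and "scanning", which makes it harder to search for, and the `break;` left after the new `return 1;` can no longer be reached.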
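
The message above suggests collecting the logged ports per source address. The following is an added example, not part of the original post: it parses the warning text produced by the patch's printk() (with its spelling) and reports sources that probed several distinct ports. The syslog prefix, host name, addresses, function names and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message format taken from the printk() in the patch, including its spelling.
LINE_RE = re.compile(
    r'possible attempt at "sleath" port scaning: '
    r'port (?P<port>\d+), source IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})'
)

# Constructed sample log: prefix, host name and addresses are made up.
SAMPLE_LOG = """\
Sep  7 16:40:01 host kernel: Warning: possible attempt at "sleath" port scaning: port 21, source IP 192.0.2.10
Sep  7 16:40:01 host kernel: Warning: possible attempt at "sleath" port scaning: port 23, source IP 192.0.2.10
Sep  7 16:40:02 host kernel: Warning: possible attempt at "sleath" port scaning: port 25, source IP 192.0.2.10
Sep  7 16:40:02 host kernel: eth0: link up
Sep  7 16:40:03 host kernel: Warning: possible attempt at "sleath" port scaning: port 25, source IP 192.0.2.10
Sep  7 16:40:03 host kernel: Warning: possible attempt at "sleath" port scaning: port 80, source IP 192.0.2.10
Sep  7 16:41:10 host kernel: Warning: possible attempt at "sleath" port scaning: port 80, source IP 198.51.100.7
"""


def probes_by_source(lines):
    """Map each source IP to the set of distinct ports it was logged probing."""
    seen = defaultdict(set)
    for line in lines:
        match = LINE_RE.search(line)
        if match is None:
            continue  # unrelated kernel message
        port = int(match.group("port"))
        if 0 < port <= 65535:  # ignore values that cannot be a TCP port
            seen[match.group("src")].add(port)
    return seen


def likely_scanners(lines, min_ports=3):
    """Return sources logged against at least min_ports distinct ports."""
    return {
        src: sorted(ports)
        for src, ports in probes_by_source(lines).items()
        if len(ports) >= min_ports
    }


if __name__ == "__main__":
    for src, ports in likely_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(ports)} distinct ports probed: {ports}")
```

A single stray FIN also produces a log line, so the threshold on distinct ports is what separates a sweep from noise.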