Subject: Artificially Modified Kernels vs. Stealth
To: None <port-mac68k@netbsd.org>
From: T@W <lsp93@xs4all.nl>
List: port-mac68k
Date: 01/25/2000 23:51:29
Hi all,
I would like to bring the following thread, which I copied from a mailing list, to
your attention:

>> > the five types of packets that can be used for stealth scanning, and
>> > aren't logged by the normal tcplogd/scanlogger have this flag:
>
>> This and all other TCP stealth scans can be eliminated by modification
>> to most open source kernels. By adding code to the parts of the kernel
>> that handle TCP input, you can look to see if a packet is a part of an
>> existing conversation. If not, drop it (and perhaps log it).
>
>[ snip - note that it is often exactly bugs in the is-this-an-existing-
>  connection lookup that os detection code exploits. ]
>
>> This is basically taking advantage of a kernel's state table.
>
>Hm, that sounds mighty familiar ;)
>
>I've been maintaining a set of Linux kernel patches for a while now that do
>exactly this, among other things:
>
>http://www.progressive-comp.com/~hlein/hap-linux/
>
>Documentation is guaranteed to be out of date; the curious should read
>the code.  Basically: before incoming packets are checked against the
>kernel's state table looking for an active connection or a listening
>socket, the flagset is sanity-checked and the packet is dropped & logged
>on failure.  Then, if the state-table-lookup fails, where normally an RST
>would be silently sent, a rate-limited log message is generated along with
>the RST.  Something similar is done for unsolicited UDP traffic.
>
>The patches need Solar Designer's Openwall patches to be applied first;
>they rely on and add to some of his code as well.  They do things besides
>breaking the TCP stack, like enable some other additional logging, enforce
>some protections from chroot(2)'ed processes, etc.
>
>I'd be interested in comments on the ideas and/or code quality (which is
>guaranteed to be lacking -- I'm a shitty coder).  Various flavors of this
>patch have been in use on a number of high-volume sites for some time but
>of course YMMV.  I've wanted to port this (or the appropriate parts) to a
>couple of the BSDs as well but lack sufficient (time|clue|motivation).
><hlein@progressive-comp.com>
I think this person could use some motivating words from this platform.
Looks interesting?!
Any thoughts?

T@W
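The two steps the quoted message describes (sanity-check the TCP flag set before the state-table lookup, then log the failed lookup at a limited rate alongside the RST) as an added, userland-testable C sketch; it is not hap-linux code or anything from this thread, and the specific flag rules, the `verdict` names and the `has_conn` stand-in for the state-table lookup are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits of the header's flags octet (RFC 793). */
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04,
       TH_PSH = 0x08, TH_ACK = 0x10, TH_URG = 0x20 };
enum verdict { V_ACCEPT, V_DROP_BAD_FLAGS, V_RST_NO_CONN };

/* Flag-set sanity check, run before any state-table lookup. The rules are
 * an assumption made for this example, not the hap-linux patch's code: a
 * segment must carry SYN, ACK or RST; SYN may not travel with FIN or RST;
 * FIN requires ACK. NULL, SYN/FIN and FIN/PSH/URG ("xmas") segments fail. */
bool tcp_flags_sane(uint8_t f)
{
    if (!(f & (TH_SYN | TH_ACK | TH_RST)))       return false;
    if ((f & TH_SYN) && (f & (TH_FIN | TH_RST))) return false;
    if ((f & TH_FIN) && !(f & TH_ACK))           return false;
    return true;
}

/* Rate limiter on a caller-supplied clock (seconds) so the logging path
 * cannot itself become the flood: at most `burst` lines per `interval`,
 * plus one summary line for what was suppressed when the window rolls. */
struct ratelimit { unsigned burst, interval, count, window_start, suppressed; };

bool ratelimit_allow(struct ratelimit *rl, unsigned now)
{
    if (now - rl->window_start >= rl->interval) {
        if (rl->suppressed)
            printf("tcp: %u messages suppressed\n", rl->suppressed);
        rl->window_start = now; rl->count = 0; rl->suppressed = 0;
    }
    if (rl->count < rl->burst) { rl->count++; return true; }
    rl->suppressed++;
    return false;
}

/* Input-path sketch. `has_conn` stands in for the state-table lookup (active
 * connection or listening socket found). Nothing reaches the lookup before the
 * flag check; a failed lookup still answers with RST but now leaves a log line. */
enum verdict tcp_input_check(struct ratelimit *rl, unsigned now, uint8_t flags, bool has_conn)
{
    enum verdict v = !tcp_flags_sane(flags) ? V_DROP_BAD_FLAGS
                   : has_conn ? V_ACCEPT : V_RST_NO_CONN;
    if (v != V_ACCEPT && ratelimit_allow(rl, now))
        printf("tcp: %s, flags=0x%02x\n", v == V_DROP_BAD_FLAGS
               ? "bad flagset dropped" : "no connection, RST sent", flags);
    return v;
}
```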