Subject: [FWD]: Making "stealth" scans harder.
To: None <tech-net@netbsd.org>
From: Luke Mewburn <lukem@goanna.cs.rmit.edu.au>
List: tech-net
Date: 09/18/1998 09:43:44
Hi all.

Some of you may have seen the message attached below.
It looks reasonable enough to me, but I figured I'd ask
here before incorporating it.

Objections to me committing it? I'll do it by next Tuesday (GMT).

PS: here's a cleaned-up patch:

Index: tcp_subr.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.58
diff -c -r1.58 tcp_subr.c
*** tcp_subr.c	1998/09/04 22:29:54	1.58
--- tcp_subr.c	1998/09/17 23:50:32
***************
*** 214,220 ****
  	struct route *ro = 0;
  
  	if (tp) {
! 		win = sbspace(&tp->t_inpcb->inp_socket->so_rcv);
  		ro = &tp->t_inpcb->inp_route;
  	}
  	if (m == 0) {
--- 214,221 ----
  	struct route *ro = 0;
  
  	if (tp) {
! 		if ((flags & TH_RST) == 0)
! 			win = sbspace(&tp->t_inpcb->inp_socket->so_rcv);
  		ro = &tp->t_inpcb->inp_route;
  	}
  	if (m == 0) {
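Review bot: with TH_RST set and tp non-NULL, win now keeps whatever value it held before this block, and that initialization is outside the visible context; confirm it starts at 0 (the second hunk zeros ti_win for resets anyway, so the practical effect here is to skip the sbspace() read on the socket). A one-line comment above `if ((flags & TH_RST) == 0)` stating that a reset deliberately advertises no window would stop a later reader from "restoring" the sbspace() call.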
***************
*** 247,256 ****
  	ti->ti_ack = htonl(ack);
  	ti->ti_x2 = 0;
  	if ((flags & TH_SYN) == 0) {
! 		if (tp)
  			ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale));
  		else
! 			ti->ti_win = htons((u_int16_t)win);
  		ti->ti_off = sizeof (struct tcphdr) >> 2;
  		tlen += sizeof (struct tcphdr);
  	} else
--- 248,257 ----
  	ti->ti_ack = htonl(ack);
  	ti->ti_x2 = 0;
  	if ((flags & TH_SYN) == 0) {
! 		if (tp && ((flags & TH_RST) == 0))
  			ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale));
  		else
! 			ti->ti_win = 0;
  		ti->ti_off = sizeof (struct tcphdr) >> 2;
  		tlen += sizeof (struct tcphdr);
  	} else
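Review bot: the else branch now covers two cases at once, tp == NULL and a reset with a live tp, so any caller passing tp == NULL without TH_RST gets ti_win = 0 where it previously got htons(win). If every tp == NULL call site is sending a reset this is harmless, but spelling the intent out avoids depending on that: `if (flags & TH_RST) ti->ti_win = 0; else if (tp) ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale)); else ti->ti_win = htons((u_int16_t)win);`. Assigning 0 without htons() is fine, since zero is byte-order neutral.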


Luke.

------- Forwarded Message
 
 From: Darren Reed <darrenr@reed.wattle.id.au>
 Message-Id: <199809171245.WAA03566@avalon.reed.wattle.id.au>
 Subject: Making "stealth" scans harder.
 To: darrenr@reed.wattle.id.au (Darren Reed)
 Date: Thu, 17 Sep 1998 22:45:49 +1000 (EST)
 X-Mailer: ELM [version 2.4 PL23]
 Content-Type: text
 Sender: tech-security-owner@netbsd.org
 Precedence: list
 Delivered-To: tech-security@netbsd.org


The below patch helps to reduce the leakage of internal socket information
when a TCP "stealth" scan is directed at a *BSD box by ensuring the window
is 0 for all RST packets generated through tcp_respond().  Patch is against
NetBSD-1.3G but should apply to others with some fuzz.

Cheers,
Darren

*** tcp_subr.c.orig	Sun Aug  2 21:16:42 1998
- --- tcp_subr.c	Thu Sep 17 22:38:51 1998
***************
*** 214,220 ****
  	struct route *ro = 0;
  
  	if (tp) {
! 		win = sbspace(&tp->t_inpcb->inp_socket->so_rcv);
  		ro = &tp->t_inpcb->inp_route;
  	}
  	if (m == 0) {
- --- 214,221 ----
  	struct route *ro = 0;
  
  	if (tp) {
! 		if (!(flags & TH_RST))
! 			win = sbspace(&tp->t_inpcb->inp_socket->so_rcv);
  		ro = &tp->t_inpcb->inp_route;
  	}
  	if (m == 0) {
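Review bot: `!(flags & TH_RST)` is correct but the surrounding code tests flag bits as `(flags & TH_SYN) == 0`; the cleaned-up patch earlier in this mail already switches to that idiom, so that is the form to commit. The logic is otherwise the same as the cleaned-up hunk, including the reliance on win's initial value for the reset case, which is not in the shown context.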
***************
*** 247,253 ****
  	ti->ti_ack = htonl(ack);
  	ti->ti_x2 = 0;
  	if ((flags & TH_SYN) == 0) {
! 		if (tp)
  			ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale));
  		else
  			ti->ti_win = htons((u_int16_t)win);
- --- 248,254 ----
  	ti->ti_ack = htonl(ack);
  	ti->ti_x2 = 0;
  	if ((flags & TH_SYN) == 0) {
! 		if (tp && !(flags & TH_RST))
  			ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale));
  		else
  			ti->ti_win = 0;
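Review bot: this hunk ends on the changed `ti->ti_win = 0;` line with no trailing context (`*** 247,253 ****` here against `247,256` in the cleaned-up version), so patch(1) has only leading context to anchor on when it has to apply with fuzz; the resubmitted hunk above restores the three trailing lines. The `- ---` prefixes on the file and hunk headers look like dash-escaping from a signed mail and would need to be unescaped before this copy applies at all.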


------- End of Forwarded Message
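Added example, not code from either mail or from the NetBSD tree: a small C check a defender can run over captured TCP headers to confirm the property the patch establishes, namely that RST segments advertise a zero window. TH_RST is the standard flag value, field offsets are those of RFC 793, and the sample header bytes are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TH_RST 0x04              /* RST bit in the TCP flags byte */

/* Field offsets inside a bare TCP header (RFC 793), IP header not included. */
enum { TCP_MIN_HDR = 20, OFF_FLAGS = 13, OFF_WIN = 14 };

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);   /* network byte order */
}

/*
 * Classify one TCP header:
 *   1  RST segment that advertises a non-zero window (receive-buffer
 *      space leaked, the behaviour the patch above removes)
 *   0  RST with window 0, or not an RST at all
 *  -1  buffer too short to hold a TCP header
 * A receiver ignores the window on a RST, so zeroing it costs nothing.
 */
int rst_leaks_window(const uint8_t *tcp, size_t len)
{
    if (len < TCP_MIN_HDR)
        return -1;
    if ((tcp[OFF_FLAGS] & TH_RST) == 0)
        return 0;
    return rd16(tcp + OFF_WIN) != 0;
}

/* Constructed sample headers: port 80 -> 40000, seq/ack 0, data offset 5,
 * no options, checksum and urgent pointer left at zero. */
static const uint8_t rst_win0[TCP_MIN_HDR] = {                /* RST|ACK, win 0 */
    0x00,0x50, 0x9c,0x40, 0,0,0,0, 0,0,0,0, 0x50, 0x14, 0x00,0x00, 0,0, 0,0 };
static const uint8_t rst_win_leak[TCP_MIN_HDR] = {            /* RST|ACK, win 16384 */
    0x00,0x50, 0x9c,0x40, 0,0,0,0, 0,0,0,0, 0x50, 0x14, 0x40,0x00, 0,0, 0,0 };
static const uint8_t synack[TCP_MIN_HDR] = {                  /* SYN|ACK, win 16384 */
    0x00,0x50, 0x9c,0x40, 0,0,0,0, 0,0,0,0, 0x50, 0x12, 0x40,0x00, 0,0, 0,0 };

int main(void)
{
    printf("RST, win 0     -> %d\n", rst_leaks_window(rst_win0, sizeof rst_win0));
    printf("RST, win 16384 -> %d\n", rst_leaks_window(rst_win_leak, sizeof rst_win_leak));
    printf("SYN|ACK        -> %d\n", rst_leaks_window(synack, sizeof synack));
    return 0;
}
```

Feed it the TCP portion of resets captured from a host before and after the change; a patched stack should never produce a 1.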