Date: Wed, 1 Jul 1998 00:54:25 -0500
From: Jesse Off <joff@IASTATE.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: linux TCP/IP patch: ktcpd-strobemasker
Having just seen the abacus project and its method of detecting and
masking strobes in user-space, and from the advice of a friend, I thought
I'd mention to yall that about 7 months ago, I wrote a patch to the linux
kernel to do most of what the abacus project is claiming to do now. I
didn't really announce it to any security lists/groups before now.
Although its a kernel patch, I believe its a much cleaner way to do strobe
protection on linux and masking them if you don't mind the patching
thingy. This way, I can utilize the kernels TCP/IP existingstate machine
and don't have to have a separate userspace process reimplement it and
poll packets coming in.
Anyway, this patch does a few things in its 4kbytes entirety :-)
* detects all forms of strobes (including stealth strobes AND UDP strobes)
using a heuristic based on the rate of refused connections/bad packets
coming in. (works to detect all strobes I've seen: nmap, strobe,
tcpscan...)
* logs all strobe attempts
* when a TCP or UDP strobe is detected, start refusing all connections
from this IP until attempts have stopped for a specifed amount of time.
* log all TCP connection accepts in a form containing ip, port, uid of
accepting process and accepting process name and pid. For example:
Jul 1 00:19:20 redsecret kernel: TCP connection accepted: ip=127.0.0.1
port=22 uid=0 process=sshd[263]
* log unexpected packets with their syn,fin,ack,and rst flags
* log rejected UDP packets (no logging accepted UDP packets cause thats
crazy)
* log common ICMP packets
So basically, when someone strobes you, you look like a Macintosh.
Up till now, I thought I was wasting energy writing this thing,
and still think that this sort of thing is kind of a waste of time, I
wrote it for fun and fun only. I do not claim to be a security
professional, just a tinkerer, so use at your own risk. I personally
have been running this thing for 7 months now, and its got its share
of torture testing by me, and seems relatively stable. This patch works
on the 2.0.x kernels and there isn't one for 2.1.x yet either. (mainly
because I don't run the 2.1.x's on my personal machine) When that day
comes, you can expect a new patch, but until then, everyones free to get
it to work on their 2.1.x kernel and send me the patch ;-) It should be
really easy.
So, if you wanna give it a try (and tell me of
success/failures/suggestions) its at:
ftp://isufug.ee.iastate.edu/pub/ktcpdhttp://isufug.ee.iastate.edu/~joff
~Jesse Off
<joff@iastate.edu>
