Bugtraq mailing list archives

Re: stealth port scanning fix


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Mon, 8 Sep 1997 22:11:10 +1000


In some mail from Superuser, sie said:

Hi, as I said in a previous message, linux 2.1.53, and probably all other
versions, allows port scanning by sending FIN-only (no ACK) packets and seeing
if one gets an RST packet. If one does not, then the port is listening. Here is
a patch to linux/net/ipv4/tcp_input.c that stops that working and gives you a
message in the log telling you the port number and source IP address. When you
see all the open ports from one IP address you have grounds for writing to the
ISP and watching the cracker's account disappear (in a puff of greasy green
smoke, perhaps).

Page 65, RFC 793:

  SEGMENT ARRIVES

    If the state is CLOSED (i.e., TCB does not exist) then

      all data in the incoming segment is discarded.  An incoming
      segment containing a RST is discarded.  An incoming segment not
      containing a RST causes a RST to be sent in response.  The
      acknowledgment and sequence field values are selected to make the
      reset sequence acceptable to the TCP that sent the offending
      segment.
...
    If the state is LISTEN then

...
[Page 66]
      fourth other text or control

        Any other control or text-bearing segment (not containing SYN)
        must have an ACK and thus would be discarded by the ACK
        processing.  An incoming RST segment could not be valid, since
        it could not have been sent in response to anything sent by this
        incarnation of the connection.  So you are unlikely to get here,
        but if you do, drop the segment, and return.

Cheers,
Darren
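
The following is an added example written for this archive page; it is not the patch the original poster describes, nor Linux kernel code. It models the two branches of RFC 793's "SEGMENT ARRIVES" rules quoted above (CLOSED on page 65, LISTEN's "fourth other text or control" on page 66) and the FIN scan that depends on them: a FIN-only probe to a CLOSED port draws a RST whose sequence and acknowledgment fields are chosen as the RFC prescribes, while the same probe to a LISTEN port is silently dropped. The listener also records a log line on the drop path, standing in for the message the poster's patch adds; the port table, the source address, the ISS value and the log format are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

CLOSED, LISTEN = "CLOSED", "LISTEN"
ISS = 1000  # placeholder initial send sequence number for the modelled listener (assumption)


@dataclass(frozen=True)
class Segment:
    seq: int
    ack: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    length: int = 0           # data octets carried

    def seg_len(self) -> int:
        # RFC 793: SEG.LEN counts data octets plus one each for SYN and FIN
        return self.length + ("SYN" in self.flags) + ("FIN" in self.flags)


@dataclass
class Host:
    ports: Dict[int, str]                       # port -> CLOSED or LISTEN; unknown ports are CLOSED
    log: List[str] = field(default_factory=list)

    def segment_arrives(self, src_ip: str, port: int, seg: Segment) -> Optional[Segment]:
        """Return the reply the modelled TCP sends, or None if it drops the segment.
        Only the CLOSED and LISTEN branches of RFC 793 pp. 65-66 are modelled."""
        state = self.ports.get(port, CLOSED)
        if "RST" in seg.flags:
            return None  # both states discard an incoming RST
        if "ACK" in seg.flags:
            # reset chosen so the sender accepts it: <SEQ=SEG.ACK><CTL=RST>
            return Segment(seq=seg.ack, ack=0, flags=frozenset({"RST"}))
        if state == CLOSED:
            # no ACK present: <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
            return Segment(seq=0, ack=seg.seq + seg.seg_len(), flags=frozenset({"RST", "ACK"}))
        if "SYN" in seg.flags:
            # LISTEN: begin the handshake (the scanner below never sends SYN)
            return Segment(seq=ISS, ack=seg.seq + 1, flags=frozenset({"SYN", "ACK"}))
        # LISTEN, "fourth other text or control": drop the segment and return.
        # The poster's patch logs here; the record format is an assumption.
        if "FIN" in seg.flags:
            self.log.append(f"FIN-only probe from {src_ip} to port {port}")
        return None


def fin_scan(target: Host, src_ip: str, ports: Iterable[int]) -> Dict[int, str]:
    """Classify ports from the reply to a FIN-only probe, as the poster describes.
    Silence is reported as open|filtered rather than open: a filter that drops
    the probe produces exactly the same absence of a RST as a listening port."""
    result: Dict[int, str] = {}
    for port in ports:
        probe = Segment(seq=424242, ack=0, flags=frozenset({"FIN"}))  # constructed probe
        reply = target.segment_arrives(src_ip, port, probe)
        if reply is None:
            result[port] = "open|filtered"
        elif "RST" in reply.flags:
            result[port] = "closed"
        else:
            result[port] = "unexpected"
    return result


if __name__ == "__main__":
    # constructed target: two listening services, everything else CLOSED
    victim = Host(ports={22: LISTEN, 25: LISTEN, 80: CLOSED})
    for port, verdict in sorted(fin_scan(victim, "192.0.2.10", [22, 25, 80, 443]).items()):
        print(f"{port}/tcp {verdict}")
    for line in victim.log:
        print("log:", line)
```

Running the scan against the constructed host reports 22 and 25 as open|filtered and 80 and 443 as closed, and the listener's log holds one line per probed listening port. A stack that answered the FIN-only segment with a RST on a LISTEN port, which is what the poster's patch amounts to, would make every port look closed to this scanner, at the cost of departing from the page-66 text Darren quotes.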


