Bugtraq mailing list archives
ip header id patched.
From: awgn () COSMOS IT (awgn () COSMOS IT)
Date: Sat, 19 Dec 1998 20:53:26 +0100
As recently discovered, there's a way to make a port-check sweep while hiding the IP source. The issue arises when ip_output.c (in Linux kernel 2.0.x) forges and queues packets using a simple ID increment. This gives the chance to guess how many packets were sent and, as explained in the paper about the IP header ID ( http://www.geek-girl.com/bugtraq/1998_4/0609.html ), the opportunity for IP abuse in port scanning. Changing the fixed unary step into a random one seems to be a good fix. Happy kernel hacking. :-)
------------------------------------------------------------------------------
--- ip_output.c. Fri Apr 17 16:42:38 1998 +++ ip_outout.c.patched Fri Apr 17 17:17:15 1998 @@ -32,2 +32,3 @@ * Juan-Mariano de Goyeneche traffic generated locally. - */ + * awgn roofing: to prevent _ip abuse_ as third in hscan. + */ @@ -42,4 +42,5 @@ #include <linux/errno.h> #include <linux/config.h> +#include <linux/random.h> #include <linux/socket.h> @@ -451,3 +451,4 @@ { + u_char rand_step; unsigned int tot_len; struct iphdr *iph; @@ -485,3 +485,5 @@ case 1: iph->id = htons(ip_id_count++); + (void) get_random_bytes(&rand_step,1); + ip_id_count += ( rand_step & 0x0f ); } @@ -637,3 +637,4 @@ { + u_char rand_step; struct rtable *rt; unsigned int fraglen, maxfraglen, fragheaderlen; @@ -754,4 +754,6 @@ iph->id=htons(ip_id_count++); + (void) get_random_bytes(&rand_step,1); + ip_id_count += ( rand_step & 0x0f ); iph->frag_off = 0; iph->ttl=sk->ip_ttl; iph->protocol=type;
-------------------------------------------------------------------------
awgn () cosmos it [ we're working to make dyndns alive, again! ] meet us: #hackers () IRCity org
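Review bot: the credit line added to the header comment in the -32 hunk ("awgn roofing: to prevent _ip abuse_ as third in hscan.") does not say what the code change is. Name it in the comment, for example that a random step is added to ip_id_count after each ID is assigned, so a later reader of ip_output.c can match the credit to the lines it covers. The "+++" file header also reads ip_outout.c.patched, which looks like a typo for ip_output.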
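Review bot: in the -485 hunk (case 1) the extra step is "rand_step & 0x0f" applied after "ip_id_count++", so each packet advances the counter by 1 to 16. The ID is still a single monotonic counter, and the difference between two observed IDs still bounds the number of packets sent to between a sixteenth of that difference and the difference itself. Either widen the step or say in a comment next to the mask that the change only blurs the count. The added get_random_bytes() call also runs once per packet on the output path, and that cost should be mentioned next to it.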
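Review bot: the two lines added after "iph->id=htons(ip_id_count++);" in the -754 hunk repeat the ones added in the -485 hunk, each with its own rand_step local (declared in the -451 and -637 hunks). Put the ID assignment and the random step in one small helper and call it from both places, so the two paths cannot drift apart if the mask or the random source is changed later.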
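One way to check from sampled replies whether a host still shows the fixed step or the patched 1..16 step; this is an added example, not part of the original post or the kernel source. The function classify_ip_ids, the class names and the sample arrays are constructed for illustration, and the check assumes the host sent no other packets between samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum id_class { ID_FIXED_STEP, ID_BOUNDED_STEP, ID_OTHER };

/* Classify IP IDs (host byte order) taken from consecutive replies of an
 * otherwise idle host. Steps are computed mod 2^16, so counter wraparound
 * is handled. Assumption: nothing else left the host between samples. */
static enum id_class classify_ip_ids(const uint16_t *ids, size_t n,
                                     uint16_t *min_step, uint16_t *max_step)
{
    *min_step = 0xffff;
    *max_step = 0;
    if (n < 3)
        return ID_OTHER;            /* too few samples to say anything */
    for (size_t i = 1; i < n; i++) {
        uint16_t step = (uint16_t)(ids[i] - ids[i - 1]);
        if (step < *min_step) *min_step = step;
        if (step > *max_step) *max_step = step;
    }
    if (*min_step == 1 && *max_step == 1)
        return ID_FIXED_STEP;       /* unpatched rule: ip_id_count++ only */
    /* Patched rule: ++ plus (rand_step & 0x0f) gives steps of 1..16. */
    if (*min_step >= 1 && *max_step <= 16)
        return ID_BOUNDED_STEP;
    return ID_OTHER;
}

/* Constructed sample data, not captured traffic. */
static const uint16_t sample_unpatched[] = { 65533, 65534, 65535, 0, 1 };
static const uint16_t sample_patched[]   = { 65520, 65529, 65530, 9, 25, 31 };
static const uint16_t sample_other[]     = { 4021, 51200, 877, 30001 };

static void report(const char *label, const uint16_t *ids, size_t n)
{
    static const char *name[] = { "fixed step", "bounded step", "other" };
    uint16_t lo, hi;
    enum id_class c = classify_ip_ids(ids, n, &lo, &hi);
    printf("%s: %s (steps %u..%u)\n", label, name[c], (unsigned)lo, (unsigned)hi);
}

int main(void)
{
    report("unpatched", sample_unpatched, 5);
    report("patched", sample_patched, 6);
    report("other", sample_other, 4);
    return 0;
}
```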