Date:      12 Sep 1999 18:47:23 +0200
From:      Dag-Erling Smorgrav <des@flood.ping.uio.no>
To:        Dag-Erling Smorgrav <des@flood.ping.uio.no>
Cc:        nate@mt.sri.com (Nate Williams), Ben Smithurst <ben@scientia.demon.co.uk>, "Jeremy L. Ramirez" <jramirez@digicomsystems.net>, dev-null@ns1.digicomsystems.net, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: How to prevent motd including os info
Message-ID:  <xzpiu5g13hg.fsf@flood.ping.uio.no>
In-Reply-To: Dag-Erling Smorgrav's message of "12 Sep 1999 18:06:28 +0200"
References:  <4.2.0.58.19990911151659.00aa8d60@ns1.digicomsystems.net> 	<19990912012524.B41509@lithium.scientia.demon.co.uk> 	<xzpn1usmka2.fsf@flood.ping.uio.no> <199909121534.JAA18584@mt.sri.com> <xzpzoys15dn.fsf@flood.ping.uio.no>

Dag-Erling Smorgrav <des@flood.ping.uio.no> writes:
> Nate Williams <nate@mt.sri.com> writes:
> > > # ipfw add 1 deny tcp from any to any in tcpflags syn,fin
> > Except if you do this the box is unable to provide *ANY* external
> > services, including email and/or DNS service. :(
> Not true. I've had two moderately busy IRC servers (one of them
> averages 700 clients, the other twice that) running with this ipfw
> rule for two or three months without a hitch.

Speaking of which - if you will allow me this tangent - I will never
cease to be amazed by how much some people who ought to know better
*think* they know about TCP/IP security and attack patterns, and how
quick they are to handwave problems pointed out to them (or patches
submitted for review) with some vague comments about "yes, in theory
it could be a problem, but you'll never see this in real life", until
I explain that my analyses and calculations are not based on fancy
thought experiments but on hard, real-life, all-in-a-day's-work data.

To return to the subject matter, I have patches which (provided you
build your kernel with the appropriate options) add a sysctl switch
for dropping SYN+FIN packets in tcp_input() instead of having ipfw or
ipfilter do it.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

Index: etc/rc.network
===================================================================
RCS file: /home/ncvs/src/etc/rc.network,v
retrieving revision 1.59
diff -u -r1.59 rc.network
--- rc.network	1999/09/01 08:57:01	1.59
+++ rc.network	1999/09/07 17:30:13
@@ -229,6 +229,16 @@
 	    sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
     fi
 
+    if [ "X$tcp_restrict_rst" = X"YES" ]; then
+	    echo -n ' restrict TCP reset=YES'
+	    sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+    fi
+
+    if [ "X$tcp_drop_synfin" = X"YES" ]; then
+	    echo -n ' drop SYN+FIN packets=YES'
+	    sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+    fi
+
     if [ "${ipxgateway_enable}" = "YES" ]; then
 	    echo -n ' IPX gateway=YES'
 	    sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
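Review bot: the two new blocks run `sysctl -w net.inet.tcp.restrict_rst=1` and `sysctl -w net.inet.tcp.drop_synfin=1` whenever the rc.conf knob is YES, but those OIDs only exist when the kernel was built with TCP_RESTRICT_RST / TCP_DROP_SYNFIN (the sysctl_input.c hunk declares them under #ifdef); on a kernel without the option the `>/dev/null` hides only stdout, so the admin sees a sysctl error on stderr and the feature stays off. Consider probing for the OID first (`if sysctl net.inet.tcp.drop_synfin >/dev/null 2>&1; then ...`) or at least saying in rc.conf that the kernel option is required. Style: the surrounding code writes the test as `"${ipxgateway_enable}" = "YES"`, the new lines use `"X$tcp_restrict_rst" = X"YES"`; pick one form.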
Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.32
diff -u -r1.32 rc.conf
--- rc.conf	1999/09/06 20:22:40	1.32
+++ rc.conf	1999/09/07 17:30:40
@@ -48,6 +48,9 @@
 tcp_extensions="NO"		# Set to YES to turn on RFC1323 extensions.
 log_in_vain="NO"		# YES to log connects to ports w/o listeners.
 tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
+tcp_restrict_rst="NO"		# Set to YES to restrict emission of RST
+tcp_drop_synfin="NO"		# Set to YES to drop TCP packets with SYN+FIN
+				# NOTE: this breaks rfc1644 extensions (T/TCP)
 icmp_drop_redirect="NO"		# Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO"		# Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto"	# List of network interfaces (or "auto").
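Review bot: the `tcp_restrict_rst` comment says what the knob restricts but not what an operator will observe: with RST emission blocked, a client connecting to a closed port gets no refusal and hangs until its connect timeout, and neither new comment mentions that the sysctl only exists if the kernel was built with TCP_RESTRICT_RST / TCP_DROP_SYNFIN. Suggest a NOTE line under `tcp_restrict_rst` mirroring the one under `tcp_drop_synfin`, e.g. `# NOTE: closed ports stop answering; needs TCP_RESTRICT_RST in the kernel`.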
Index: sys/conf/options
===================================================================
RCS file: /home/ncvs/src/sys/conf/options,v
retrieving revision 1.152
diff -u -r1.152 options
--- options	1999/09/08 22:01:31	1.152
+++ options	1999/09/09 09:16:45
@@ -228,6 +228,8 @@
 SLIP_IFF_OPTS		opt_slip.h
 TCP_COMPAT_42		opt_compat.h
 TCPDEBUG
+TCP_RESTRICT_RST	opt_tcp_input.h
+TCP_DROP_SYNFIN		opt_tcp_input.h
 
 # ATM (HARP version)
 ATM_CORE		opt_atm.h
Index: sys/i386/conf/LINT
===================================================================
RCS file: /home/ncvs/src/sys/i386/conf/LINT,v
retrieving revision 1.641
diff -u -r1.641 LINT
--- LINT	1999/09/08 22:03:46	1.641
+++ LINT	1999/09/09 09:17:00
@@ -469,6 +469,20 @@
 options 	IPSTEALTH		#support for stealth forwarding
 options 	TCPDEBUG
 
+# The following options add sysctl variables for controlling how certain
+# TCP packets are handled.
+# 
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+# 
+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.
+# 
+options		TCP_RESTRICT_RST	#restrict emission of TCP RST
+options		TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
+
 # ICMP_BANDLIM enables icmp error response bandwidth limiting.   You
 # typically want this option as it will help protect the machine from
 # D.O.S. packet attacks.
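Review bot: the TCP_RESTRICT_RST comment presents the option as useful "on systems which are exposed to SYN floods", but the tcp_input.c hunk consults `restrict_rst` only at the `dropwithreset:` label, which is reached by segments that match no listener or arrive in an invalid state; a plain SYN aimed at a listening port (the SYN-flood case for an IRC server) never takes that path, so the option does not lessen SYN-flood load. Reword to what the code does: suppress the RST that would otherwise answer segments to closed ports (and the outbound traffic that costs), which as a side effect hides which ports are closed from a scanner. The comment should also state the trade-off: legitimate clients hitting a closed port now wait for their connect timeout instead of being refused promptly.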
Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.93
diff -u -r1.93 tcp_input.c
--- tcp_input.c	1999/08/30 21:17:06	1.93
+++ tcp_input.c	1999/09/07 17:37:50
@@ -36,6 +36,7 @@
 
 #include "opt_ipfw.h"		/* for ipfw_fwd		*/
 #include "opt_tcpdebug.h"
+#include "opt_tcp_input.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -93,6 +94,18 @@
     &tcp_delack_enabled, 0, 
     "Delay ACK to try and piggyback it onto a data packet");
 
+#ifdef TCP_RESTRICT_RST
+static int restrict_rst = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, restrict_rst, CTLFLAG_RW,
+    &restrict_rst, 0, "Restrict RST emission");
+#endif
+
+#ifdef TCP_DROP_SYNFIN
+static int drop_synfin = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
+    &drop_synfin, 0, "Drop TCP packets with FIN+ACK set");
+#endif
+
 struct inpcbhead tcb;
 struct inpcbinfo tcbinfo;
 
@@ -340,6 +353,18 @@
 	}
 	tiflags = ti->ti_flags;
 
+#ifdef TCP_DROP_SYNFIN
+	/*
+	 * If the drop_synfin option is enabled, drop all packets with
+	 * both the SYN and FIN bits set. This prevents e.g. nmap from
+	 * identifying the TCP/IP stack.
+	 *
+	 * This is incompatible with RFC1644 extensions (T/TCP).
+	 */
+	if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
+		goto drop;
+#endif
+
 	/*
 	 * Convert TCP protocol specific fields to host format.
 	 */
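Review bot: the drop is invisible: the `goto drop` after the SYN+FIN test increments no counter, so an operator who enables `drop_synfin` cannot see how many segments it is eating or tell a stack-fingerprinting probe from a T/TCP peer that the knob is breaking. Suggest bumping a dedicated tcpstat counter next to the `goto drop` (a hypothetical name such as tcps_synfindrop; no such field exists yet), and since the comment already says this breaks RFC 1644, add that a T/TCP minimal transaction (SYN+FIN plus data in one segment) will now time out rather than be refused. The predicate itself, `(tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN)`, is correct and does not match FIN+ACK.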
@@ -1849,6 +1874,10 @@
 	return;
 
 dropwithreset:
+#ifdef TCP_RESTRICT_RST
+	if (restrict_rst)
+		goto drop;
+#endif
 	/*
 	 * Generate a RST, dropping incoming segment.
 	 * Make ACK acceptable to originator of segment.
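Review bot: putting the `restrict_rst` test at the top of `dropwithreset:` suppresses every RST this label would send, not only those answering probes; that includes the RST that tells a legitimate client the port is closed, so such clients wait for their connect timeout instead of failing fast. If the goal is scan resistance, say so in the "Generate a RST" comment below the check, and as with the SYN+FIN drop, consider counting the suppressed resets in tcpstat so `netstat -s` shows the knob is active rather than the connections simply vanishing.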


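The two kernel checks in the patch above, modelled in user space as an added example (this is not code from the patch or from FreeBSD): it parses the flags byte of a constructed 20-byte TCP header, applies the same SYN+FIN predicate the patch adds to tcp_input(), and shows what a closed port answers under each combination of the `drop_synfin` and `restrict_rst` knobs. The header builder, the sample segments, the port numbers and the verdict enum are constructed for the example and do not exist in the kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TCP flag bits as found in byte 13 of the TCP header (RFC 793);
 * the names mirror the kernel's TH_* macros. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

#define TCP_MIN_HDR 20          /* data offset of 5 32-bit words, no options */

/* Outcome for a segment that matches no socket (closed port). */
enum verdict { DROP_SILENT = 0, DROP_WITH_RST = 1 };

/* Constructed sample: build a minimal TCP header carrying the given flags.
 * Only the fields this example inspects are meaningful; checksum stays 0. */
void make_tcp_header(uint8_t *buf, uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, TCP_MIN_HDR);
    buf[0] = sport >> 8; buf[1] = sport & 0xff;
    buf[2] = dport >> 8; buf[3] = dport & 0xff;
    buf[12] = 5 << 4;               /* data offset: 5 words */
    buf[13] = flags;
    buf[14] = 0x20; buf[15] = 0x00; /* window 8192 */
}

/* Return the flags byte, or -1 when the buffer is shorter than the header
 * it claims to carry (the kernel drops such segments without a reset). */
int tcp_flags_of(const uint8_t *seg, size_t len)
{
    if (len < TCP_MIN_HDR)
        return -1;
    size_t doff = (size_t)(seg[12] >> 4) * 4;
    if (doff < TCP_MIN_HDR || doff > len)
        return -1;
    return seg[13];
}

/* Exactly the predicate the patch adds to tcp_input(): both bits must be set,
 * so FIN+ACK (normal close) and SYN alone are not matched. */
int is_synfin(int flags)
{
    return (flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN);
}

/* Simplified model of the closed-port path: a segment with no matching
 * socket goes to dropwithreset unless it is itself a RST. */
enum verdict closed_port_verdict(const uint8_t *seg, size_t len,
                                 int drop_synfin, int restrict_rst)
{
    int flags = tcp_flags_of(seg, len);
    if (flags < 0)
        return DROP_SILENT;                 /* truncated header */
    if (drop_synfin && is_synfin(flags))
        return DROP_SILENT;                 /* patch: TCP_DROP_SYNFIN */
    if (flags & TH_RST)
        return DROP_SILENT;                 /* never answer a RST with a RST */
    return restrict_rst ? DROP_SILENT       /* patch: TCP_RESTRICT_RST */
                        : DROP_WITH_RST;    /* stock behaviour: refuse */
}

/* Verdict for one flag combination on a constructed segment
 * (hypothetical scanner port 40000 -> IRC port 6667). */
enum verdict verdict_for(uint8_t flags, int drop_synfin, int restrict_rst)
{
    uint8_t seg[TCP_MIN_HDR];
    make_tcp_header(seg, 40000, 6667, flags);
    return closed_port_verdict(seg, sizeof seg, drop_synfin, restrict_rst);
}

int main(void)
{
    static const struct { const char *name; uint8_t flags; } samples[] = {
        { "SYN",     TH_SYN },
        { "SYN+FIN", TH_SYN | TH_FIN },
        { "FIN+ACK", TH_FIN | TH_ACK },
        { "RST",     TH_RST },
    };
    static const char *names[] = { "drop", "drop+RST" };
    printf("%-8s %-10s %-12s %-10s\n", "flags", "stock", "drop_synfin", "both");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %-10s %-12s %-10s\n", samples[i].name,
               names[verdict_for(samples[i].flags, 0, 0)],
               names[verdict_for(samples[i].flags, 1, 0)],
               names[verdict_for(samples[i].flags, 1, 1)]);
    return 0;
}
```

The table the program prints makes the two trade-offs discussed in the thread visible: with `drop_synfin` only the SYN+FIN row changes, while `restrict_rst` turns every row into a silent drop, including the plain SYN that a legitimate client sends to a port that happens to be closed.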