Anti-spoofing lkm for FreeBSD via setsockopt() - detects and logs IP header manipulation.
6767ad2628aeb75102b54f33c88228bce7c4be5f07f5cbae3e4f3913921460c4
/*
* Name: ANTi SP00FiNG VIA SETSOCKOPT() ( fbsdnospoof.c )
* Date: Fri Feb 18 14:45:01 2000
* Author: pIGpEN [pigpen@s0ftpj.org, deadhead@sikurezza.org]
*
* SoftProject Digital Security for Y2K (www.s0ftpj.org)
* Sikurezza.org Italian Security MailingList (www.sikurezza.org)
*
* COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
* Poul-Henning Kamp <phk@FreeBSD.ORG> but you can give me in return a coffee.
*
* Tested on: FreeBSD 4.0-19990705-CURRENT FreeBSD 4.0-19990705-CURRENT #6 i386
* FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #0: Tue Dec i386
*
* Thanks to: del0rean / s0ftPj for cd with 3.4 release
* Lynyrd Skynyrd for Sweet Home Alabama
*
* Use a kld Makefile.. ( put in append )
*/
/*
* This kld detects type of ip spoofing based on setsockopt()... with IP_HDRINCL
* It works monitoring setsockopt() system call
*
* example of detection:
*
* ./DoS -s 666.666.666.666 -d 192.168.1.4
* IP_HDRINCL: Invalid argument
*
* syslog:
*
* Feb 18 14:44:25 storpio /kernel: Detect IP_HDRINCL invoked by d0s
* Feb 18 14:44:25 storpio /kernel: IP header manipulation... DENIED!
*
*/
/*
* Define DONT_PERMIT -> if you want to forbid IP header manipulation
* and so the chance of IP Spoofing from your
* BOX
*/
#define DONT_PERMIT
#include <sys/types.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/module.h>
#include <sys/syscall.h>
#include <sys/sysent.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/syslog.h>
#include <sys/file.h>
#include <netinet/in.h> /* IP_HDRINCL */
static int
my_setsockopt __P((struct proc *, register struct setsockopt_args *));
static int
my_setsockopt(p, uap)
struct proc *p;
register struct setsockopt_args *uap;
{
struct file *fp;
struct sockopt sopt;
int error;
if (uap->val == 0 && uap->valsize != 0)
return (EFAULT);
if (uap->valsize < 0)
return (EINVAL);
error = getsock(p->p_fd, uap->s, &fp);
if (error)
return (error);
if((uap->level == IPPROTO_IP) && (uap->name == IP_HDRINCL)) {
log(LOG_INFO, "Detect IP_HDRINCL invoked by %s\n", p->p_comm);
#ifdef DONT_PERMIT
log(LOG_INFO, "IP header manipulation... DENIED!\n");
return (EINVAL);
#endif
}
sopt.sopt_dir = SOPT_SET;
sopt.sopt_level = uap->level;
sopt.sopt_name = uap->name;
sopt.sopt_val = uap->val;
sopt.sopt_valsize = uap->valsize;
sopt.sopt_p = p;
return (sosetopt((struct socket *)fp->f_data, &sopt));
}
static int
module_handler(module_t mod, int cmd, void *arg) {
switch(cmd) {
case MOD_LOAD:
sysent[SYS_setsockopt].sy_call = (sy_call_t *) my_setsockopt;
break;
case MOD_UNLOAD:
sysent[SYS_setsockopt].sy_call = (sy_call_t *) setsockopt;
break;
}
return 0;
}
static moduledata_t SetSock = {
"SetSockOpt",
module_handler,
NULL
};
DECLARE_MODULE(SetSockOpt, SetSock, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
/* Makefile for this kld...
# SoftProject 2000 - Digital Sekurity for Y2k
# Sikurezza.org - Italian Security MailingList
#
# COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
# Poul-Henning Kamp <phk@FreeBSD.ORG> but you can give me in return a coffee.
#
# Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #3: Thu Mar i386
# < pigpen@s0ftpj.org >
.PATH: /sys/kern
SRCS = fbsdnospoof.c
CFLAGS+= -I/sys
KMOD = nospoof
NOMAN = t
KLDMOD = t
KLDLOAD = /sbin/kldload
KLDUNLOAD = /sbin/kldunload
CLEANFILES+= ${KMOD}
load:
${KLDLOAD} -v ./${KMOD}
unload:
${KLDUNLOAD} -v -n ${KMOD}
.include <bsd.kmod.mk>
*/