
stealth-2.2.17.diff

stealth-2.2.17.diff
Posted Sep 18, 2000
Authored by Robert Salizar | Site energymech.net

Stealth IP Stack is a kernel patch for Linux 2.2.17 which makes your machine almost invisible on the network without impeding normal network operation. Many denial of service attacks, such as stream, are much less effective with this patch installed, and port scanners slow to a crawl. It works by restricting TCP RST packets (no "Connection Refused"), restricting ICMP_UNREACH on udp (Prevents UDP portscans), restricting all ICMP and IGMP requests. A sysctl interface is used so these features can be turned on and off on the fly.

tags | denial of service, kernel, udp, tcp
systems | linux
SHA-256 | cb7f36d76783cdabab99611890b6f8df14437d9b0ace7474dadd6a02480461e8

diff -urb linux-2.2.17-orig/Documentation/Configure.help linux-2.2.17/Documentation/Configure.help
--- linux-2.2.17-orig/Documentation/Configure.help Thu Sep 7 03:30:34 2000
+++ linux-2.2.17/Documentation/Configure.help Thu Sep 7 05:20:38 2000
@@ -1189,6 +1189,32 @@
Chances are that you should say Y here for every machine which is
run as a router and N for every regular host. If unsure, say N.

+Stealth IP stack
+CONFIG_IP_STEALTH
+ Use this option to enable "Stealth" code in the kernel's IP Stack.
+ The purpose of this is to make your machine "invisible" on a network.
+
+ If you say Y here, note that stealth options are not enabled by
+ default; you can enable them by saying Y to "/proc filesystem support"
+ and "Sysctl support" below and executing a command such as:
+ echo 1 >/proc/sys/net/ipv4/tcp_restrict_rst
+
+ Features and /proc interfaces:
+ tcp_restrict_rst - Do not send TCP RST packets
+ (no "Connection Refused")
+ udp_restrict_pu - Do not send ICMP_UNREACH on udp
+ (Prevents UDP portscans)
+ icmp_restrict - Do not reply to ICMP requests
+ (Excluding ping, see below)
+ igmp_restrict - Do not reply to IGMP requests
+
+ Note that there is already a sysctl to ignore ICMP pings,
+ echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
+
+ Enabling all of the above and filtering all open ports should make
+ your machine very hard to detect, while not interfering with (most)
+ normal operation.
+
SYN flood protection
CONFIG_SYN_COOKIES
Normal TCP/IP networking is open to an attack known as "SYN
@@ -12629,4 +12655,3 @@
# LocalWords: alphalinux GOBIOS csn chemnitz nat ACARD AMI MegaRAID megaraid
# LocalWords: QNX4FS ISI isicom xterms Apollos VPN RCPCI rcpci sgi visws pcmcia
# LocalWords: IrLPT UIRCC Tecra
-
Only in linux-2.2.17-orig/drivers/net: 3c503.c
Only in linux-2.2.17-orig/drivers/net: LICENSE.SRC
Only in linux-2.2.17-orig/include/linux: coda_opstats.h
Only in linux-2.2.17-orig/include/linux: dasd.h
diff -urb linux-2.2.17-orig/include/linux/sysctl.h linux-2.2.17/include/linux/sysctl.h
--- linux-2.2.17-orig/include/linux/sysctl.h Thu Sep 7 03:30:03 2000
+++ linux-2.2.17/include/linux/sysctl.h Thu Sep 7 04:57:46 2000
@@ -228,7 +228,16 @@
NET_IPV4_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=64,
NET_IPV4_IGMP_MAX_MEMBERSHIPS=65,
NET_IPV4_ALWAYS_DEFRAG=67,
+#ifdef CONFIG_IP_STEALTH
+ NET_IPV4_IP_MASQ_UDP_DLOOSE=68,
+ NET_IPV4_TCP_RESTRICT_RST=69,
+ NET_IPV4_UDP_RESTRICT_PU=70,
+ NET_IPV4_IGMP_RESTRICT=71,
+ NET_IPV4_ICMP_RESTRICT=72
+#else
NET_IPV4_IP_MASQ_UDP_DLOOSE=68
+#endif
+
};
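Review bot: Conditionalizing the enumerators on CONFIG_IP_STEALTH is unnecessary and duplicates `NET_IPV4_IP_MASQ_UDP_DLOOSE=68` in both branches of the `#ifdef`; the new values 69–72 are unique either way, and since <linux/sysctl.h> is also consumed by userspace tools, their view of the binary sysctl numbers should not change with how the kernel happened to be configured. Keep `NET_IPV4_IP_MASQ_UDP_DLOOSE=68,` unconditional and list the four `NET_IPV4_*_RESTRICT*` enumerators after it with no `#ifdef`/`#else`/`#endif` around them; the extra blank line added before `};` can go too. The enum's opening line is outside the hunk.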

enum {
diff -urb linux-2.2.17-orig/net/ipv4/Config.in linux-2.2.17/net/ipv4/Config.in
--- linux-2.2.17-orig/net/ipv4/Config.in Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/Config.in Thu Sep 7 04:19:56 2000
@@ -73,6 +73,7 @@
bool 'IP: ARP daemon support (EXPERIMENTAL)' CONFIG_ARPD
fi
fi
+bool 'IP: Stealth Code (not enabled per default)' CONFIG_IP_STEALTH
bool 'IP: TCP syncookie support (not enabled per default)' CONFIG_SYN_COOKIES
comment '(it is safe to leave these untouched)'
#bool 'IP: PC/TCP compatibility mode' CONFIG_INET_PCTCP
@@ -83,4 +84,3 @@
#if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
#bool 'IP: support experimental checksum copy to user for UDP' CONFIG_UDP_DELAY_CSUM
#fi
-
diff -urb linux-2.2.17-orig/net/ipv4/icmp.c linux-2.2.17/net/ipv4/icmp.c
--- linux-2.2.17-orig/net/ipv4/icmp.c Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/icmp.c Thu Sep 7 04:38:20 2000
@@ -317,6 +317,10 @@
int sysctl_icmp_echo_ignore_all = 0;
int sysctl_icmp_echo_ignore_broadcasts = 0;

+#ifdef CONFIG_IP_STEALTH
+int sysctl_icmp_restrict = 0;
+#endif
+
/* Control parameter - ignore bogus broadcast responses? */
int sysctl_icmp_ignore_bogus_error_responses =0;

@@ -887,7 +891,10 @@
icmp_param.icmph.code=0;
icmp_param.data_ptr=×
icmp_param.data_len=12;
+#ifdef CONFIG_IP_STEALTH
+ if (!sysctl_icmp_restrict)
icmp_reply(&icmp_param, skb);
+#endif
}
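Review bot: The added `#endif` on the last line of this hunk comes after the `icmp_reply(&icmp_param, skb);` context line, so when CONFIG_IP_STEALTH is not set the reply call itself is compiled out and the kernel stops answering this ICMP request type regardless of any sysctl. The `#endif` belongs between the `if` and the call, exactly as the udp.c hunk does it: `#ifdef CONFIG_IP_STEALTH` / `if (!sysctl_icmp_restrict)` / `#endif` followed by the unchanged `icmp_reply(&icmp_param, skb);`. The enclosing function starts outside the hunk and its name is not visible; `code=0` with a 12-byte payload is consistent with the timestamp reply path, and `data_ptr=×` looks like an HTML-entity mangling of `&times` in the rendering rather than the patch text. This is the only ICMP reply site the diff gates, so the Configure.help wording "Do not reply to ICMP requests" overstates what `icmp_restrict` covers unless further hunks exist beyond this page.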


diff -urb linux-2.2.17-orig/net/ipv4/igmp.c linux-2.2.17/net/ipv4/igmp.c
--- linux-2.2.17-orig/net/ipv4/igmp.c Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/igmp.c Thu Sep 7 04:42:12 2000
@@ -99,6 +99,10 @@

#define IP_MAX_MEMBERSHIPS 20

+#ifdef CONFIG_IP_STEALTH
+int sysctl_igmp_restrict = 0;
+#endif
+
#ifdef CONFIG_IP_MULTICAST

/* Parameter names and values are taken from igmp-v2-06 draft */
@@ -157,6 +161,9 @@
struct rtable *rt;
u32 dst;

+ if (sysctl_igmp_restrict)
+ return(-1);
+
/* According to IGMPv2 specs, LEAVE messages are
* sent to all-routers group.
*/
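Review bot: The added `if (sysctl_igmp_restrict) return(-1);` is not wrapped in `#ifdef CONFIG_IP_STEALTH`, while the definition of `sysctl_igmp_restrict` in the earlier igmp.c hunk and its `extern` in sysctl_net_ipv4.c are, so a build with CONFIG_IP_STEALTH=n fails here with an undeclared identifier. Wrap the check the same way the tcp_ipv4.c hunk does: `#ifdef CONFIG_IP_STEALTH` / `if (sysctl_igmp_restrict) return(-1);` / `#endif`. The enclosing function starts outside the hunk; the comment about LEAVE messages suggests it is the IGMP report/leave send path, in which case enabling `igmp_restrict` also suppresses the host's own membership reports and leaves, so local multicast joins are never announced on the wire — worth stating in the Configure.help text, which describes the sysctl only as not replying to requests.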
@@ -695,4 +702,3 @@
return len;
}
#endif
-
diff -urb linux-2.2.17-orig/net/ipv4/sysctl_net_ipv4.c linux-2.2.17/net/ipv4/sysctl_net_ipv4.c
--- linux-2.2.17-orig/net/ipv4/sysctl_net_ipv4.c Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/sysctl_net_ipv4.c Thu Sep 7 04:55:42 2000
@@ -48,6 +48,13 @@
extern int sysctl_ip_masq_debug;
extern int sysctl_ip_masq_udp_dloose;

+#ifdef CONFIG_IP_STEALTH
+extern int sysctl_tcp_restrict_rst;
+extern int sysctl_udp_restrict_pu;
+extern int sysctl_icmp_restrict;
+extern int sysctl_igmp_restrict;
+#endif
+
extern int sysctl_tcp_timestamps;
extern int sysctl_tcp_window_scaling;
extern int sysctl_tcp_sack;
@@ -206,6 +213,16 @@
#ifdef CONFIG_IP_MULTICAST
{NET_IPV4_IGMP_MAX_MEMBERSHIPS, "igmp_max_memberships",
&sysctl_igmp_max_memberships, sizeof(int), 0644, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_IP_STEALTH
+ {NET_IPV4_TCP_RESTRICT_RST, "tcp_restrict_rst",
+ &sysctl_tcp_restrict_rst, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_UDP_RESTRICT_PU, "udp_restrict_pu",
+ &sysctl_udp_restrict_pu, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_ICMP_RESTRICT, "icmp_restrict",
+ &sysctl_icmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_IGMP_RESTRICT, "igmp_restrict",
+ &sysctl_igmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec},
#endif
{0}
};
diff -urb linux-2.2.17-orig/net/ipv4/tcp_ipv4.c linux-2.2.17/net/ipv4/tcp_ipv4.c
--- linux-2.2.17-orig/net/ipv4/tcp_ipv4.c Thu Sep 7 03:30:09 2000
+++ linux-2.2.17/net/ipv4/tcp_ipv4.c Thu Sep 7 04:24:08 2000
@@ -63,6 +63,10 @@
#include <linux/inet.h>
#include <linux/stddef.h>

+#ifdef CONFIG_IP_STEALTH
+int sysctl_tcp_restrict_rst = 0;
+#endif
+
extern int sysctl_tcp_timestamps;
extern int sysctl_tcp_window_scaling;
extern int sysctl_tcp_sack;
@@ -984,6 +988,10 @@
struct tcphdr rth;
struct ip_reply_arg arg;

+#ifdef CONFIG_IP_STEALTH
+ if (sysctl_tcp_restrict_rst)
+ return;
+#endif
/* Never send a reset in response to a reset. */
if (th->rst)
return;
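Review bot: The early return on `sysctl_tcp_restrict_rst` suppresses every reset this function would send, not only those answering SYNs to closed ports; the same function appears to be the path for out-of-state segments (its name and callers are outside the hunk), so with the sysctl on, a peer holding a stale or half-open connection never learns it is dead and has to wait for its own timeouts. That contradicts the description's claim that the option does not impede normal operation and deserves a comment at the check, e.g. `/* Stealth: drops ALL outgoing resets, including those for stale connections; peers must time out on their own. */`. Nothing counts the suppressed resets either, so an operator cannot see how often the option is biting; incrementing a counter alongside the existing TCP statistics at this spot would make it observable.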
diff -urb linux-2.2.17-orig/net/ipv4/udp.c linux-2.2.17/net/ipv4/udp.c
--- linux-2.2.17-orig/net/ipv4/udp.c Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/udp.c Thu Sep 7 04:51:19 2000
@@ -115,6 +115,10 @@
#include <net/route.h>
#include <net/checksum.h>

+#ifdef CONFIG_IP_STEALTH
+int sysctl_udp_restrict_pu = 0;
+#endif
+
/*
* Snmp MIB for the UDP layer
*/
@@ -1133,6 +1137,9 @@
goto csum_error;
#endif
udp_statistics.UdpNoPorts++;
+#ifdef CONFIG_IP_STEALTH
+ if (!sysctl_udp_restrict_pu)
+#endif
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);

/*
