
stealth-2.2.18.diff

stealth-2.2.18.diff
Posted Dec 13, 2000
Authored by Robert Salizar | Site energymech.net

Stealth IP Stack is a kernel patch for Linux 2.2.18 which makes your machine almost invisible on the network without impeding normal network operation. Many denial of service attacks, such as stream, are much less effective with this patch installed, and port scanners slow to a crawl. It works by restricting TCP RST packets (no "Connection Refused"), restricting ICMP_UNREACH on udp (prevents UDP portscans), and restricting replies to ICMP and IGMP requests. A sysctl interface is used so these features can be turned on and off on the fly.

Changes: Ported to Linux 2.2.18.
tags | denial of service, kernel, udp, tcp
systems | linux
SHA-256 | d3d43af4614d1caa85252fe1ecfcb6817e25b936340bf2188ccbb135862d12fc

stealth-2.2.18.diff

diff -urB linux-orig/Documentation/Configure.help linux/Documentation/Configure.help
--- linux-orig/Documentation/Configure.help Tue Dec 12 04:16:11 2000
+++ linux/Documentation/Configure.help Tue Dec 12 04:16:43 2000
@@ -1243,6 +1243,32 @@
Chances are that you should say Y here for every machine which is
run as a router and N for every regular host. If unsure, say N.

+Stealth IP stack
+CONFIG_IP_STEALTH
+ Use this option to enable "Stealth" code in the kernel's IP Stack.
+ The purpose of this is to make your machine "invisible" on a network.
+
+ If you say Y here, note that stealth options are not enabled by
+ default; you can enable them by saying Y to "/proc filesystem support"
+ and "Sysctl support" below and executing a command such as:
+ echo 1 >/proc/sys/net/ipv4/tcp_restrict_rst
+
+ Features and /proc interfaces:
+ tcp_restrict_rst - Do not send TCP RST packets
+ (no "Connection Refused")
+ udp_restrict_pu - Do not send ICMP_UNREACH on udp
+ (Prevents UDP portscans)
+ icmp_restrict - Do not reply to ICMP requests
+ (Excluding ping, see below)
+ igmp_restrict - Do not reply to IGMP requests
+
+ Note that there is already a sysctl to ignore ICMP pings,
+ echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
+
+ Enabling all of the above and filtering all open ports should make
+ your machine very hard to detect, while not interfering with (most)
+ normal operation.
+
SYN flood protection
CONFIG_SYN_COOKIES
Normal TCP/IP networking is open to an attack known as "SYN
Only in linux/Documentation: Configure.help.orig
diff -urB linux-orig/include/linux/sysctl.h linux/include/linux/sysctl.h
--- linux-orig/include/linux/sysctl.h Tue Dec 12 04:15:46 2000
+++ linux/include/linux/sysctl.h Tue Dec 12 04:16:43 2000
@@ -231,7 +231,16 @@
NET_IPV4_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=64,
NET_IPV4_IGMP_MAX_MEMBERSHIPS=65,
NET_IPV4_ALWAYS_DEFRAG=67,
+#ifdef CONFIG_IP_STEALTH
+ NET_IPV4_IP_MASQ_UDP_DLOOSE=68,
+ NET_IPV4_TCP_RESTRICT_RST=69,
+ NET_IPV4_UDP_RESTRICT_PU=70,
+ NET_IPV4_IGMP_RESTRICT=71,
+ NET_IPV4_ICMP_RESTRICT=72
+#else
NET_IPV4_IP_MASQ_UDP_DLOOSE=68
+#endif
+
};

enum {
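Review bot: The new enumerators are placed under `#ifdef CONFIG_IP_STEALTH` in a header that also defines the sysctl(2) name space; if userspace includes this header, CONFIG_* symbols are not defined there and ids 69–72 are invisible to it while the kernel-side table still uses them. Enum constants cost nothing when unused, so dropping the `#ifdef`/`#else`/`#endif` and keeping `NET_IPV4_IP_MASQ_UDP_DLOOSE=68,` followed by the four new entries unconditionally is simpler and keeps the numbering identical across configurations. Whether 69–72 collide with ids assigned by later upstream kernels cannot be checked from here. The added blank `+` line before `};` is stray whitespace.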
Only in linux/include/linux: sysctl.h.orig
diff -urB linux-orig/net/ipv4/Config.in linux/net/ipv4/Config.in
--- linux-orig/net/ipv4/Config.in Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/Config.in Tue Dec 12 04:16:43 2000
@@ -73,6 +73,7 @@
bool 'IP: ARP daemon support (EXPERIMENTAL)' CONFIG_ARPD
fi
fi
+bool 'IP: Stealth Code (not enabled per default)' CONFIG_IP_STEALTH
bool 'IP: TCP syncookie support (not enabled per default)' CONFIG_SYN_COOKIES
comment '(it is safe to leave these untouched)'
#bool 'IP: PC/TCP compatibility mode' CONFIG_INET_PCTCP
diff -urB linux-orig/net/ipv4/icmp.c linux/net/ipv4/icmp.c
--- linux-orig/net/ipv4/icmp.c Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/icmp.c Tue Dec 12 04:16:43 2000
@@ -317,6 +317,10 @@
int sysctl_icmp_echo_ignore_all = 0;
int sysctl_icmp_echo_ignore_broadcasts = 0;

+#ifdef CONFIG_IP_STEALTH
+int sysctl_icmp_restrict = 0;
+#endif
+
/* Control parameter - ignore bogus broadcast responses? */
int sysctl_icmp_ignore_bogus_error_responses =0;

@@ -893,7 +897,10 @@
icmp_param.icmph.code=0;
icmp_param.data_ptr=×
icmp_param.data_len=12;
+#ifdef CONFIG_IP_STEALTH
+ if (!sysctl_icmp_restrict)
icmp_reply(&icmp_param, skb);
+#endif
}


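Review bot: The added `#endif` closes after the `icmp_reply(&icmp_param, skb);` context line, so a kernel built without CONFIG_IP_STEALTH never sends this reply at all; the guard should wrap only the `if`, as the udp.c hunk does: `#ifdef CONFIG_IP_STEALTH` / `if (!sysctl_icmp_restrict)` / `#endif`, with `icmp_reply(&icmp_param, skb);` left unconditional after it. The enclosing handler starts outside the hunk, so which ICMP request type it answers cannot be confirmed here, and it is the only ICMP reply path gated in the visible hunks, so the help text's "do not reply to ICMP requests" may promise more than the patch implements. `data_ptr=×` on the context line looks like a rendering artifact of `&times;`, not part of the change.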
Only in linux/net/ipv4: icmp.c.orig
diff -urB linux-orig/net/ipv4/igmp.c linux/net/ipv4/igmp.c
--- linux-orig/net/ipv4/igmp.c Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/igmp.c Tue Dec 12 04:16:43 2000
@@ -99,6 +99,10 @@

#define IP_MAX_MEMBERSHIPS 20

+#ifdef CONFIG_IP_STEALTH
+int sysctl_igmp_restrict = 0;
+#endif
+
#ifdef CONFIG_IP_MULTICAST

/* Parameter names and values are taken from igmp-v2-06 draft */
@@ -157,6 +161,9 @@
struct rtable *rt;
u32 dst;

+ if (sysctl_igmp_restrict)
+ return(-1);
+
/* According to IGMPv2 specs, LEAVE messages are
* sent to all-routers group.
*/
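Review bot: `sysctl_igmp_restrict` is referenced here without a `#ifdef CONFIG_IP_STEALTH` guard, but the earlier hunk in this file defines it only inside that guard, so a build with CONFIG_IP_STEALTH unset fails on an undeclared identifier; wrap the check as the tcp_ipv4.c hunk does (`#ifdef CONFIG_IP_STEALTH` / `if (sysctl_igmp_restrict) return(-1);` / `#endif`) or define the variable unconditionally. The function begins outside the hunk, so what callers do with the `-1` cannot be confirmed here. Since the comment below speaks of LEAVE messages, this looks like the host's own report/leave sender rather than a handler for incoming queries, so enabling the knob presumably stops the host from announcing its group memberships at all; that limitation belongs in the Configure.help text.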
diff -urB linux-orig/net/ipv4/sysctl_net_ipv4.c linux/net/ipv4/sysctl_net_ipv4.c
--- linux-orig/net/ipv4/sysctl_net_ipv4.c Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/sysctl_net_ipv4.c Tue Dec 12 04:16:43 2000
@@ -35,6 +35,13 @@
extern int sysctl_ip_masq_debug;
extern int sysctl_ip_masq_udp_dloose;

+#ifdef CONFIG_IP_STEALTH
+extern int sysctl_tcp_restrict_rst;
+extern int sysctl_udp_restrict_pu;
+extern int sysctl_icmp_restrict;
+extern int sysctl_igmp_restrict;
+#endif
+
extern int sysctl_tcp_timestamps;
extern int sysctl_tcp_window_scaling;
extern int sysctl_tcp_sack;
@@ -197,6 +204,16 @@
#ifdef CONFIG_IP_MULTICAST
{NET_IPV4_IGMP_MAX_MEMBERSHIPS, "igmp_max_memberships",
&sysctl_igmp_max_memberships, sizeof(int), 0644, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_IP_STEALTH
+ {NET_IPV4_TCP_RESTRICT_RST, "tcp_restrict_rst",
+ &sysctl_tcp_restrict_rst, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_UDP_RESTRICT_PU, "udp_restrict_pu",
+ &sysctl_udp_restrict_pu, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_ICMP_RESTRICT, "icmp_restrict",
+ &sysctl_icmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_IGMP_RESTRICT, "igmp_restrict",
+ &sysctl_igmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec},
#endif
{0}
};
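Review bot: The four entries are registered whenever CONFIG_IP_STEALTH is set, independent of CONFIG_IP_MULTICAST, yet the igmp.c hunks place the only visible use of `sysctl_igmp_restrict` after that file's `#ifdef CONFIG_IP_MULTICAST` line, so on a non-multicast kernel `igmp_restrict` appears to be a knob with no effect (inferred from hunk order; the matching `#endif` is outside the hunk). Either guard that entry with CONFIG_IP_MULTICAST as `igmp_max_memberships` is, or state in Configure.help that it applies only to multicast-enabled kernels. Mode 0644 with `proc_dointvec` matches the neighbouring entries, so the knobs stay writable only by the owner of /proc/sys.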
Only in linux/net/ipv4: sysctl_net_ipv4.c.orig
diff -urB linux-orig/net/ipv4/tcp_ipv4.c linux/net/ipv4/tcp_ipv4.c
--- linux-orig/net/ipv4/tcp_ipv4.c Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/tcp_ipv4.c Tue Dec 12 04:16:43 2000
@@ -63,6 +63,10 @@
#include <linux/inet.h>
#include <linux/stddef.h>

+#ifdef CONFIG_IP_STEALTH
+int sysctl_tcp_restrict_rst = 0;
+#endif
+
extern int sysctl_tcp_timestamps;
extern int sysctl_tcp_window_scaling;
extern int sysctl_tcp_sack;
@@ -984,6 +988,10 @@
struct tcphdr rth;
struct ip_reply_arg arg;

+#ifdef CONFIG_IP_STEALTH
+ if (sysctl_tcp_restrict_rst)
+ return;
+#endif
/* Never send a reset in response to a reset. */
if (th->rst)
return;
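Review bot: The early return suppresses every reset this function emits, not only the "connection refused" case the help text describes; if the function is also reached for segments that hit an existing socket in an unexpected state (its entry and call sites are outside the hunk, so this cannot be confirmed here), peers holding stale connections keep retransmitting until their own timers expire instead of being reset. That is a wider operational change than the description's "without impeding normal network operation" suggests and belongs in the Configure.help entry; a comment at the check such as `/* Drops every RST from this path, not only refused connections; stale peers time out instead of being reset. */` would also help the next reader.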
diff -urB linux-orig/net/ipv4/udp.c linux/net/ipv4/udp.c
--- linux-orig/net/ipv4/udp.c Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/udp.c Tue Dec 12 04:16:43 2000
@@ -115,6 +115,10 @@
#include <net/route.h>
#include <net/checksum.h>

+#ifdef CONFIG_IP_STEALTH
+int sysctl_udp_restrict_pu = 0;
+#endif
+
/*
* Snmp MIB for the UDP layer
*/
@@ -1133,6 +1137,9 @@
goto csum_error;
#endif
udp_statistics.UdpNoPorts++;
+#ifdef CONFIG_IP_STEALTH
+ if (!sysctl_udp_restrict_pu)
+#endif
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);

/*
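Review bot: The added `if` has an unbraced body that sits on the other side of `#endif`, so a line inserted between `#endif` and `icmp_send(...)` later would silently become the gated statement while the ICMP error goes out unconditionally. Bracing the body after the `#endif`, `{ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); }`, keeps the guard attached to the right statement in both configurations. `udp_statistics.UdpNoPorts++` still runs before the check, so the MIB counter keeps counting datagrams to closed ports even when the reply is suppressed, which is useful for local monitoring and worth a one-line comment.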
