2015-07-02 08:56:52

by Matteo Croce

Subject: Re: [PATCH v2] add stealth mode

Add option to disable any reply not related to a listening socket,
like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
Also disables ICMP replies to echo request and timestamp.
The stealth mode can be enabled selectively for a single interface.

Signed-off-by: Matteo Croce <[email protected]>
---
Checked the patch with checkpatch.pl and added documentation in ip-sysctl.txt.

Documentation/networking/ip-sysctl.txt | 12 ++++++++++++
include/linux/inetdevice.h | 1 +
include/linux/ipv6.h | 1 +
include/uapi/linux/ip.h | 1 +
net/ipv4/devinet.c | 1 +
net/ipv4/icmp.c | 6 ++++++
net/ipv4/tcp_ipv4.c | 3 ++-
net/ipv4/udp.c | 4 +++-
net/ipv6/addrconf.c | 7 +++++++
net/ipv6/icmp.c | 3 ++-
net/ipv6/tcp_ipv6.c | 2 +-
net/ipv6/udp.c | 3 ++-
12 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt
b/Documentation/networking/ip-sysctl.txt
index 5fae770..9eed021 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1181,6 +1181,12 @@ tag - INTEGER
Allows you to write a number, which can be used as required.
Default value is 0.

+stealth - BOOLEAN
+ Disable any reply not related to a listening socket,
+ like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
+ Also disables ICMP replies to echo requests and timestamp.
+ Default value is 0.
+
Alexey Kuznetsov.
[email protected]

@@ -1584,6 +1590,12 @@ stable_secret - IPv6 address

By default the stable secret is unset.

+stealth - BOOLEAN
+ Disable any reply not related to a listening socket,
+ like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
+ Also disables ICMPv6 replies to echo requests.
+ Default value is 0.
+
icmp/*:
ratelimit - INTEGER
Limit the maximal rates for sending ICMPv6 packets.
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index a4328ce..a64c01e 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -128,6 +128,7 @@ static inline void ipv4_devconf_setall(struct
in_device *in_dev)
#define IN_DEV_ARP_ANNOUNCE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_ANNOUNCE)
#define IN_DEV_ARP_IGNORE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_IGNORE)
#define IN_DEV_ARP_NOTIFY(in_dev) IN_DEV_MAXCONF((in_dev), ARP_NOTIFY)
+#define IN_DEV_STEALTH(in_dev) IN_DEV_MAXCONF((in_dev), STEALTH)

struct in_ifaddr {
struct hlist_node hash;
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 82806c6..49494ec 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -53,6 +53,7 @@ struct ipv6_devconf {
__s32 ndisc_notify;
__s32 suppress_frag_ndisc;
__s32 accept_ra_mtu;
+ __s32 stealth;
struct ipv6_stable_secret {
bool initialized;
struct in6_addr secret;
diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
index 08f894d..4acbf99 100644
--- a/include/uapi/linux/ip.h
+++ b/include/uapi/linux/ip.h
@@ -165,6 +165,7 @@ enum
IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL,
IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
+ IPV4_DEVCONF_STEALTH,
__IPV4_DEVCONF_MAX
};

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 7498716..6b9930a 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2178,6 +2178,7 @@ static struct devinet_sysctl_table {
"promote_secondaries"),
DEVINET_SYSCTL_FLUSHING_ENTRY(ROUTE_LOCALNET,
"route_localnet"),
+ DEVINET_SYSCTL_RW_ENTRY(STEALTH, "stealth"),
},
};

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index f5203fb..e8e71fb 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -882,6 +882,9 @@ static bool icmp_echo(struct sk_buff *skb)
{
struct net *net;

+ if (IN_DEV_STEALTH(skb->dev->ip_ptr))
+ return true;
+
net = dev_net(skb_dst(skb)->dev);
if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
struct icmp_bxm icmp_param;
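Review bot: `IN_DEV_STEALTH(skb->dev->ip_ptr)` on the added line reads the device's `ip_ptr` field directly; that pointer is RCU-annotated and is NULL for a device that has no IPv4 configuration, and as far as I recall the rest of the IPv4 input path obtains it through `__in_dev_get_rcu()` and checks the result before use. Suggest `struct in_device *in_dev = __in_dev_get_rcu(skb->dev);` followed by `if (in_dev && IN_DEV_STEALTH(in_dev)) return true;`, so a device without IPv4 state keeps the existing behaviour instead of oopsing. The same raw dereference appears in the icmp_timestamp hunk below and in the tcp_ipv4.c and udp.c hunks, where the equivalent guard is `if (!in_dev || !IN_DEV_STEALTH(in_dev))` around the reset / port-unreachable send. icmp_echo's body continues past the end of the hunk.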
@@ -915,6 +918,9 @@ static bool icmp_timestamp(struct sk_buff *skb)
if (skb->len < 4)
goto out_err;

+ if (IN_DEV_STEALTH(skb->dev->ip_ptr))
+ return true;
+
/*
* Fill in the current time as ms since midnight UT:
*/
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index d7d4c2b..6f3e6e9 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -77,6 +77,7 @@
#include <net/busy_poll.h>

#include <linux/inet.h>
+#include <linux/inetdevice.h>
#include <linux/ipv6.h>
#include <linux/stddef.h>
#include <linux/proc_fs.h>
@@ -1652,7 +1653,7 @@ csum_error:
TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
bad_packet:
TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
- } else {
+ } else if (!IN_DEV_STEALTH(skb->dev->ip_ptr)) {
tcp_v4_send_reset(NULL, skb);
}

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 83aa604..780069d 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -96,6 +96,7 @@
#include <linux/timer.h>
#include <linux/mm.h>
#include <linux/inet.h>
+#include <linux/inetdevice.h>
#include <linux/netdevice.h>
#include <linux/slab.h>
#include <net/tcp_states.h>
@@ -1823,7 +1824,8 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct
udp_table *udptable,
goto csum_error;

UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+ if (!IN_DEV_STEALTH(skb->dev->ip_ptr))
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);

/*
* Hmm. We got an UDP packet to a port to which we
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 21c2c81..b9e44e2 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5585,6 +5585,13 @@ static struct addrconf_sysctl_table
.proc_handler = addrconf_sysctl_stable_secret,
},
{
+ .procname = "stealth",
+ .data = &ipv6_devconf.stealth,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+ {
/* sentinel */
}
},
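Review bot: The new IPv6 field is reachable only through the sysctl entry added here, whereas the IPv4 side also adds `IPV4_DEVCONF_STEALTH` to the uapi enum; no matching `DEVCONF_STEALTH` index is added for IPv6, so if this file's netlink export of `ipv6_devconf` (the per-field copy into the `DEVCONF_*` array) is still index-based, the knob will not be visible to userspace over netlink. Either add the index and the corresponding copy line, or state in the commit message that the IPv6 knob is sysctl-only. The sysctl table this entry belongs to starts outside the hunk.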
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 713d743..47797a6 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -723,7 +723,8 @@ static int icmpv6_rcv(struct sk_buff *skb)

switch (type) {
case ICMPV6_ECHO_REQUEST:
- icmpv6_echo_reply(skb);
+ if (!idev->cnf.stealth)
+ icmpv6_echo_reply(skb);
break;

case ICMPV6_ECHO_REPLY:
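Review bot: `idev->cnf.stealth` on the added line dereferences `idev` without a NULL check; where `idev` is obtained is outside the hunk, but if it is the usual `__in6_dev_get(dev)` result (which I believe the statistics macros in this function tolerate being NULL), an echo request arriving on a device without IPv6 state would oops here. A defensive form is `if (!idev || !idev->cnf.stealth)`, which also keeps the existing reply behaviour when there is no IPv6 device state. icmpv6_rcv's body extends beyond the hunk on both sides.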
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 6748c42..cb41856 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1445,7 +1445,7 @@ csum_error:
TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
bad_packet:
TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
- } else {
+ } else if (!__in6_dev_get(skb->dev)->cnf.stealth) {
tcp_v6_send_reset(NULL, skb);
}

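Review bot: `__in6_dev_get(skb->dev)->cnf.stealth` dereferences the return value of `__in6_dev_get()` unchecked, and that helper returns NULL for a device that has no IPv6 state; whether the input path guarantees an idev at this point I cannot tell from the hunk, and the kernel's other callers guard it. Suggest `struct inet6_dev *idev = __in6_dev_get(skb->dev);` before the branch and `} else if (!idev || !idev->cnf.stealth) {`, which keeps the reset when there is no IPv6 configuration and is also easier to read than the inline call. The udp.c (IPv6) hunk has the same unchecked dereference in front of `icmpv6_send()`. The enclosing function starts outside the hunk.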
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index e51fc3e..459238bb 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -934,7 +934,8 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct
udp_table *udptable,
goto csum_error;

UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
- icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
+ if (!__in6_dev_get(skb->dev)->cnf.stealth)
+ icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);

kfree_skb(skb);
return 0;
--
2.1.4


2015-07-06 10:50:13

by Valdis Klētnieks

Subject: Re: [PATCH v2] add stealth mode

On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.

A few notes.....

1) Do you have an actual use case where an iptables '-j DROP' isn't usable?

2) You *do* realize that this isn't anywhere near sufficient in order
to actually make your machine "invisible", right? (Hint: What *other*
packets can be sent to a machine to provoke a response?)

3) At least my copy had massive whitespace damage, where all the tab characters
appear to have evaporated....



2015-07-06 19:44:49

by Matteo Croce

Subject: Re: [PATCH v2] add stealth mode

2015-07-06 12:49 GMT+02:00 <[email protected]>:
> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>> Add option to disable any reply not related to a listening socket,
>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>> Also disables ICMP replies to echo request and timestamp.
>> The stealth mode can be enabled selectively for a single interface.
>
> A few notes.....
>
> 1) Do you have an actual use case where an iptables '-j DROP' isn't usable?

If you mean using a default DROP policy and allowing only the traffic
you want,
then the use case is where the port can change at runtime and you may not want
to update the firewall every time


> 2) You *do* realize that this isn't anywhere near sufficient in order
> to actually make your machine "invisible", right? (Hint: What *other*
> packets can be sent to a machine to provoke a response?)

Other than ICMP, UDP and TCP excluding open TCP/UDP ports?

> 3) At least my copy had massive whitespace damage, where all the tab characters
> appear to have evaporated....

Sorry, I was using git sendemail first, but I got a security error from gmail,
so I copied/pasted the patch in gmail which corrupted it

--
Matteo Croce
OpenWrt Developer
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
CHAOS CALMER
-----------------------------------------------------
* 1 1/2 oz Gin Shake with a glassful
* 1/4 oz Triple Sec of broken ice and pour
* 3/4 oz Lime Juice unstrained into a goblet.
* 1 1/2 oz Orange Juice
* 1 tsp. Grenadine Syrup
-----------------------------------------------------

2015-07-07 02:22:49

by David Miller

Subject: Re: [PATCH v2] add stealth mode

From: Matteo Croce <[email protected]>
Date: Mon, 6 Jul 2015 21:44:06 +0200

> 2015-07-06 12:49 GMT+02:00 <[email protected]>:
>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>> Add option to disable any reply not related to a listening socket,
>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>> Also disables ICMP replies to echo request and timestamp.
>>> The stealth mode can be enabled selectively for a single interface.
>>
>> A few notes.....
>>
>> 1) Do you have an actual use case where an iptables '-j DROP' isn't usable?
>
> If you mean using a default DROP policy and allowing only the traffic
> do you want,
> then the use case is where the port can change at runtime and you may not want
> to update the firewall every time

Dynamically updated firewalls are "a thing" and quite effective for
solving problems like this one.

With nftables such updates are even extremely efficient.

2015-07-07 07:01:36

by Clemens Ladisch

Subject: Re: [PATCH v2] add stealth mode

[email protected] wrote:
> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>> Add option to disable any reply not related to a listening socket
>
> 2) You *do* realize that this isn't anywhere near sufficient in order
> to actually make your machine "invisible", right? (Hint: What *other*
> packets can be sent to a machine to provoke a response?)

Even worse: if you want to pretend that the entire machine is "not there",
you must make the router in front of you reply with an ICMP "destination
unreachable" message.


Regards,
Clemens

2015-07-07 08:08:08

by Hannes Frederic Sowa

Subject: Re: [PATCH v2] add stealth mode



On Mon, Jul 6, 2015, at 21:44, Matteo Croce wrote:
> 2015-07-06 12:49 GMT+02:00 <[email protected]>:
> > On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
> >> Add option to disable any reply not related to a listening socket,
> >> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> >> Also disables ICMP replies to echo request and timestamp.
> >> The stealth mode can be enabled selectively for a single interface.
> >
> > A few notes.....
> >
> > 1) Do you have an actual use case where an iptables '-j DROP' isn't usable?
>
> If you mean using a default DROP policy and allowing only the traffic
> do you want,
> then the use case is where the port can change at runtime and you may not
> want
> to update the firewall every time

Can't you use socket match in netfilter to accomplish exactly that?

2015-07-07 15:24:54

by Matteo Croce

Subject: Re: [PATCH v2] add stealth mode

2015-07-07 9:01 GMT+02:00 Clemens Ladisch <[email protected]>:
> [email protected] wrote:
>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>> Add option to disable any reply not related to a listening socket
>>
>> 2) You *do* realize that this isn't anywhere near sufficient in order
>> to actually make your machine "invisible", right? (Hint: What *other*
>> packets can be sent to a machine to provoke a response?)
>
> Even worse: if you want to pretend that the entire machine is "not there",
> you must make the router in front on you reply with an ICMP "destination
> unreachable" message.

Sometimes you can't, like on DSL lines where the router in front of
you is an ISP-owned DSLAM

--
Matteo Croce
OpenWrt Developer

2015-07-07 15:29:29

by Matteo Croce

Subject: Re: [PATCH v2] add stealth mode

2015-07-07 10:07 GMT+02:00 Hannes Frederic Sowa <[email protected]>:
>
>
> On Mon, Jul 6, 2015, at 21:44, Matteo Croce wrote:
>> 2015-07-06 12:49 GMT+02:00 <[email protected]>:
>> > On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>> >> Add option to disable any reply not related to a listening socket,
>> >> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>> >> Also disables ICMP replies to echo request and timestamp.
>> >> The stealth mode can be enabled selectively for a single interface.
>> >
>> > A few notes.....
>> >
>> > 1) Do you have an actual use case where an iptables '-j DROP' isn't usable?
>>
>> If you mean using a default DROP policy and allowing only the traffic
>> do you want,
>> then the use case is where the port can change at runtime and you may not
>> want
>> to update the firewall every time
>
> Can't you use socket match in netfilter to accomplish exactly that?

You mean the owner --uid match?
Yes, sort of, but mine was a different goal, I want just to disable any
kind of reply from a specific interface (usually WAN) unless there is
a listening socket, to mitigate port scanning and flood attacks
without having a firewall.

Obviously you can do it with a firewall,
but why do we have /proc/sys/net/ipv4/icmp_echo_ignore_all when we can
drop ICMP echoes?

--
Matteo Croce
OpenWrt Developer

2015-07-08 08:03:53

by Hannes Frederic Sowa

Subject: Re: [PATCH v2] add stealth mode

On Tue, 2015-07-07 at 17:27 +0200, Matteo Croce wrote:
> 2015-07-07 10:07 GMT+02:00 Hannes Frederic Sowa <
> [email protected]>:
> >
> >
> > On Mon, Jul 6, 2015, at 21:44, Matteo Croce wrote:
> > > 2015-07-06 12:49 GMT+02:00 <[email protected]>:
> > > > On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
> > > > > Add option to disable any reply not related to a listening
> > > > > socket,
> > > > > like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > > > > Also disables ICMP replies to echo request and timestamp.
> > > > > The stealth mode can be enabled selectively for a single
> > > > > interface.
> > > >
> > > > A few notes.....
> > > >
> > > > 1) Do you have an actual use case where an iptables '-j DROP'
> > > > isn't usable?
> > >
> > > If you mean using a default DROP policy and allowing only the
> > > traffic
> > > do you want,
> > > then the use case is where the port can change at runtime and you
> > > may not
> > > want
> > > to update the firewall every time
> >
> > Can't you use socket match in netfilter to accomplish exactly that?
>
> You mean the owner --uid match?
> Yes sort of, but my was a different goal, I want just to disable any
> kind of reply from a specific interface (usually WAN) unless there is
> a listening socket, to mitigate port scanning and flood attacks
> without having a firewall.

I was more thinking about the xt_socket match:

-m socket in the INPUT chain.

> Obviously you can do it with a firewall,
> but why do we have /proc/sys/net/ipv4/icmp_echo_ignore_all when we can
> drop ICMP echoes?

Same arguments apply to that knob, but it is already imported and cannot
be changed anymore. Nowadays we try to avoid adding new sysctls.

Bye,
Hannes

2015-07-08 13:33:11

by Austin S Hemmelgarn

Subject: Re: [PATCH v2] add stealth mode

On 2015-07-06 15:44, Matteo Croce wrote:
> 2015-07-06 12:49 GMT+02:00 <[email protected]>:
>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>> Add option to disable any reply not related to a listening socket,
>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>> Also disables ICMP replies to echo request and timestamp.
>>> The stealth mode can be enabled selectively for a single interface.
>>
>> A few notes.....
>>
>> 2) You *do* realize that this isn't anywhere near sufficient in order
>> to actually make your machine "invisible", right? (Hint: What *other*
>> packets can be sent to a machine to provoke a response?)
>
> Other than ICMP, UDP and TCP excluding open TCP/UDP ports?
>
Just to name a few that I know of off the top of my head:
1. IP packets with any protocol number not supported by your current
kernel (these return a special ICMP message).
2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the
kernel.
3. Theoretically, some IGMP messages.
4. NDP messages.
5. ARP queries looking for the machine's IP addresses.
6. Certain odd flag combinations on single TCP packets (check the
documentation for Nmap for more info regarding these), which I believe
(although I may be reading the code wrong) you aren't accounting for.
7. DAD queries.
8. ICMP address mask queries (which you also don't appear to account for).

This is by no means an exhaustive list, but all of them really should be
addressed if you want to do this properly.




2015-07-12 23:14:27

by Matteo Croce

Subject: Re: [PATCH v2] add stealth mode

2015-07-08 15:32 GMT+02:00 Austin S Hemmelgarn <[email protected]>:
> On 2015-07-06 15:44, Matteo Croce wrote:
> Just to name a few that I know of off the top of my head:
> 1. IP packets with any protocol number not supported by your current kernel
> (these return a special ICMP message).

Right, I'll handle them

> 2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the
> kernel.

Well, I've never played with SCTP before

> 3. Theoretically, some IGMP messages.
> 4. NDP messages.
> 5. ARP queries looking for the machine's IP addresses.

Yes I know, but it's unlikely to receive this packets from WAN, right?
My flag is intended to be used mostly on WAN interfaces,
machines in LAN should be easily discoverable IMHO

> 6. Certain odd flag combinations on single TCP packets (check the
> documentation for Nmap for more info regarding these), which I believe
> (although I may be reading the code wrong) you aren't accounting for.

I've tried many TCP flags combination with hping3, NUL, SYN/ACK, ACK,
SYN/FIN, etc.
They don't get any response when the flag is set

> 7. DAD queries.

Never looked at this packets, are a subset of NDP?

> 8. ICMP address mask queries (which you also don't appear to account for).

It's deprecated and actually it doesn't get any response already

> This is by no means an exhaustive list, but all of them really should be
> addressed if you want to do this properly.
>
>

Thank you,
--
Matteo Croce
OpenWrt Developer
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
CHAOS CALMER
-----------------------------------------------------
* 1 1/2 oz Gin Shake with a glassful
* 1/4 oz Triple Sec of broken ice and pour
* 3/4 oz Lime Juice unstrained into a goblet.
* 1 1/2 oz Orange Juice
* 1 tsp. Grenadine Syrup
-----------------------------------------------------

2015-07-13 13:04:09

by Austin S Hemmelgarn

Subject: Re: [PATCH v2] add stealth mode

On 2015-07-12 19:13, Matteo Croce wrote:
> 2015-07-08 15:32 GMT+02:00 Austin S Hemmelgarn <[email protected]>:
>> On 2015-07-06 15:44, Matteo Croce wrote:
>> Just to name a few that I know of off the top of my head:
>> 1. IP packets with any protocol number not supported by your current kernel
>> (these return a special ICMP message).
>
> Right, I'll handle them
>
>> 2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the
>> kernel.
>
> Well, I've never played with SCTP before
It should still be checked, as should DCCP and RDS (those are the only
other Layer 3 protocols that I have ever actually seen people try to
scan hosts with besides TCP/UDP/SCTP). SCTP itself is not hugely
prevalent outside of some clustering uses, but it is still seen on the
internet sometimes (for example, Gentoo has optional patches for OpenSSH
to use SCTP).
>
>> 3. Theoretically, some IGMP messages.
>> 4. NDP messages.
>> 5. ARP queries looking for the machine's IP addresses.
>
> Yes I know, but it's unlikely to receive this packets from WAN, right?
> My flag is intended to be used mostly on WAN interfaces,
> machines in LAN should be easily discoverable IMHO.
In theory it's unlikely, but if you use any kind of IPv4 multicast on
the WAN you will get IGMP (and MLD for IPv6 multicast). You may also
get some NDP queries also if you are using IPv6 and your WAN is itself
behind a NAT router (and yes, there are ISP's who do that).
>
>> 6. Certain odd flag combinations on single TCP packets (check the
>> documentation for Nmap for more info regarding these), which I believe
>> (although I may be reading the code wrong) you aren't accounting for.
>
> I've tried many TCP flags combination with hping3, NUL, SYN/ACK, ACK,
> SYN/FIN, etc.
> They doesn't get any response when the flag is set
How about FIN/ACK and FIN/PSH/URG?
>
>> 7. DAD queries.
>
> Never looked at this packets, are a subset of NDP?
Kind of, it's an ICMPv6 extension for detecting whether a SLAAC-configured
address is already in use. Most distros have support for it enabled by
default.
>> 8. ICMP address mask queries (which you also don't appear to account for).
>
> It's deprecated and actually it doesn't get any response already
Just because it's deprecated doesn't mean you shouldn't account for it,
although it does appear to get dropped by default by the kernel.

You should also test how different combinations of sysctls under
/proc/sys/net affect this (there are for example already sysctls for
ignoring certain types of ICMP packets).



2015-07-14 14:52:39

by Matteo Croce

Subject: Re: [PATCH v2] add stealth mode

2015-07-13 15:03 GMT+02:00 Austin S Hemmelgarn <[email protected]>:
> How about FIN/ACK and FIN/PSH/URG?

Silent:

root@debian64:~# hping3 192.168.0.2 -p 32 -FA
HPING 192.168.0.2 (eth0 192.168.0.2): AF set, 40 headers + 0 data bytes
^C
--- 192.168.0.2 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@debian64:~# hping3 192.168.0.2 -p 32 -FPU
HPING 192.168.0.2 (eth0 192.168.0.2): FPU set, 40 headers + 0 data bytes
^C
--- 192.168.0.2 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


Matteo Croce
OpenWrt Developer
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
CHAOS CALMER
-----------------------------------------------------
* 1 1/2 oz Gin Shake with a glassful
* 1/4 oz Triple Sec of broken ice and pour
* 3/4 oz Lime Juice unstrained into a goblet.
* 1 1/2 oz Orange Juice
* 1 tsp. Grenadine Syrup
-----------------------------------------------------