Hello, as suggested by Jozsef, I moved my IP unused bit check to the Unclean module.
Here is the patch against the netfilter root directory. Regards, Maciej Soltysiak
diff -urN netfilter/userspace/patch-o-matic/base/ipt_unclean-ubit.patch.help mynetfilter/userspace/patch-o-matic/base/ipt_unclean-ubit.patch.help --- netfilter/userspace/patch-o-matic/base/ipt_unclean-ubit.patch.help Thu Jan 1 01:00:00 1970 +++ mynetfilter/userspace/patch-o-matic/base/ipt_unclean-ubit.patch.help Tue +Jun 11 18:30:19 2002 @@ -0,0 +1,32 @@ +Author: Maciej Soltysiak <[EMAIL PROTECTED]> +Status: Works for me + +This patch extends unclean's module to match packets with IP unused bit +set. This bit is the first bit in fragmentation offset of the IP header. +The offset contains 2 fields: + 3 bit fragmentation flags + 13 bit fragmentation offset + +Exerpt from RFC 791: + + Flags: 3 bits + + Various Control Flags. + + Bit 0: reserved, must be zero + Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment. + Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments. + + 0 1 2 + +---+---+---+ + | | D | M | + | 0 | F | F | + +---+---+---+ + + +This adds what i see as a security feature to the unclean match, as the bit +may be used in very discrete OS fingerprinting as described by Ofir Arkin +in "Unverified Fields - A Problem with Firewalls & Firewall Technology +Today" available to read at: +http://www.sys-security.com/archive/papers/Unverified_Fields_1.0.pdf +http://www.sys-security.com/archive/papers/Unverified_Fields_1.0.ps diff -urN netfilter/userspace/patch-o-matic/base/ipt_unclean-ubit.patch~ mynetfilter/userspace/patch-o-matic/base/ipt_unclean-ubit.patch~ --- netfilter/userspace/patch-o-matic/base/ipt_unclean-ubit.patch~ Thu Jan 1 01:00:00 1970 +++ mynetfilter/userspace/patch-o-matic/base/ipt_unclean-ubit.patch~ Tue Jun 11 +19:10:20 2002 
@@ -0,0 +1,20 @@ +diff -Nru mylinux/net/ipv4/netfilter/ipt_unclean.c +linux/net/ipv4/netfilter/ipt_unclean.c +--- mylinux/net/ipv4/netfilter/ipt_unclean.c Thu Jan 1 01:00:00 1970 ++++ linux/net/ipv4/netfilter/ipt_unclean.c Tue Jun 4 13:35:34 2002 +@@ -522,6 +522,12 @@ + return 0; + } + ++ /* CHECK: Do not use what is unused. ++ * First bit of fragmentation flags should be unused. ++ * May be used by OS fingerprinting tools. ++ * 04 Jun 2002, Maciej Soltysiak, [EMAIL PROTECTED] ++ */ ++ if (ntohs(iph->frag_off)>>15) { ++ limpk("IP unused bit set\n"); ++ return 0; ++ } ++ + /* Per-protocol checks. */ + switch (iph->protocol) { + case IPPROTO_ICMP:
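Review bot: in the help-file hunk, "Exerpt" should read "Excerpt", and the help text never says which bit the match actually tests; add a sentence stating that it is the most significant bit of the 16-bit fragment-offset field (the reserved flag, bit 0 of the three flag bits in the RFC 791 diagram you quote), so that a user who sees "IP unused bit set" in the log can map it to the header field.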
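Review bot: the second new file is named `ipt_unclean-ubit.patch~`, which is an editor backup suffix; the help file is `ipt_unclean-ubit.patch.help`, so the matching patch should be `ipt_unclean-ubit.patch`, and as submitted the kernel change would not be picked up alongside its help text. Rename the file before committing. The inner headers also look hand-edited: `--- mylinux/net/ipv4/netfilter/ipt_unclean.c Thu Jan 1 01:00:00 1970` carries the epoch timestamp of a nonexistent file, yet `@@ -522,6 +522,12 @@` is a context hunk against an existing file, and the old/new naming (`mylinux` as original, `linux` as modified) reads backwards; regenerate the diff from the tree rather than editing the headers. The check itself, `if (ntohs(iph->frag_off)>>15)`, is correct for the reserved flag, since after `ntohs` it is the most significant bit of the field and RFC 791 requires it to be zero.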