Re: [PATCH v2] add stealth mode

2015-07-14 Thread Matteo Croce
2015-07-13 15:03 GMT+02:00 Austin S Hemmelgarn ahferro...@gmail.com:
> How about FIN/ACK and FIN/PSH/URG?

Silent:

root@debian64:~# hping3 192.168.0.2 -p 32 -FA
HPING 192.168.0.2 (eth0 192.168.0.2): AF set, 40 headers + 0 data bytes
^C
--- 192.168.0.2 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@debian64:~# hping3 192.168.0.2 -p 32 -FPU
HPING 192.168.0.2 (eth0 192.168.0.2): FPU set, 40 headers + 0 data bytes
^C
--- 192.168.0.2 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


Matteo Croce
OpenWrt Developer
  ___ __
 |   |.-.-.-.|  |  |  |..|  |_
 |   -   ||  _  |  -__| ||  |  |  ||   _||   _|
 |___||   __|_|__|__||||__|  ||
  |__| W I R E L E S S   F R E E D O M
 -
 CHAOS CALMER
 -
  * 1 1/2 oz GinShake with a glassful
  * 1/4 oz Triple Sec   of broken ice and pour
  * 3/4 oz Lime Juice   unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v2] add stealth mode

2015-07-13 Thread Austin S Hemmelgarn

On 2015-07-12 19:13, Matteo Croce wrote:
> 2015-07-08 15:32 GMT+02:00 Austin S Hemmelgarn ahferro...@gmail.com:
>> On 2015-07-06 15:44, Matteo Croce wrote:
>> Just to name a few that I know of off the top of my head:
>> 1. IP packets with any protocol number not supported by your current kernel
>> (these return a special ICMP message).
>
> Right, I'll handle them
>
>> 2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the
>> kernel.
>
> Well, I've never played with SCTP before
It should still be checked, as should DCCP and RDS (those are the only
other Layer 3 protocols that I have ever actually seen people try to
scan hosts with besides TCP/UDP/SCTP).  SCTP itself is not hugely
prevalent outside of some clustering uses, but it is still seen on the
internet sometimes (for example, Gentoo has optional patches for OpenSSH
to use SCTP).

>> 3. Theoretically, some IGMP messages.
>> 4. NDP messages.
>> 5. ARP queries looking for the machine's IP addresses.
>
> Yes I know, but it's unlikely to receive these packets from WAN, right?
> My flag is intended to be used mostly on WAN interfaces,
> machines in LAN should be easily discoverable IMHO.
In theory it's unlikely, but if you use any kind of IPv4 multicast on
the WAN you will get IGMP (and MLD for IPv6 multicast).  You may also
get some NDP queries if you are using IPv6 and your WAN is itself
behind a NAT router (and yes, there are ISPs who do that).

>> 6. Certain odd flag combinations on single TCP packets (check the
>> documentation for Nmap for more info regarding these), which I believe
>> (although I may be reading the code wrong) you aren't accounting for.
>
> I've tried many TCP flag combinations with hping3, NUL, SYN/ACK, ACK,
> SYN/FIN, etc.
> They don't get any response when the flag is set
How about FIN/ACK and FIN/PSH/URG?

>> 7. DAD queries.
>
> Never looked at these packets; are they a subset of NDP?
Kind of, it's an ICMPv6 extension for detecting if a SLAAC configured
address is already in use.  Most distros have support for it enabled by
default.

>> 8. ICMP address mask queries (which you also don't appear to account for).
>
> It's deprecated and actually it doesn't get any response already
Just because it's deprecated doesn't mean you shouldn't account for it,
although it does appear to get dropped by default by the kernel.

You should also test how different combinations of sysctls under
/proc/sys/net affect this (there are for example already sysctls for
ignoring certain types of ICMP packets).






Re: [PATCH v2] add stealth mode

2015-07-12 Thread Matteo Croce
2015-07-08 15:32 GMT+02:00 Austin S Hemmelgarn ahferro...@gmail.com:
> On 2015-07-06 15:44, Matteo Croce wrote:
> Just to name a few that I know of off the top of my head:
> 1. IP packets with any protocol number not supported by your current kernel
> (these return a special ICMP message).

Right, I'll handle them

> 2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the
> kernel.

Well, I've never played with SCTP before

> 3. Theoretically, some IGMP messages.
> 4. NDP messages.
> 5. ARP queries looking for the machine's IP addresses.

Yes I know, but it's unlikely to receive these packets from WAN, right?
My flag is intended to be used mostly on WAN interfaces,
machines in LAN should be easily discoverable IMHO

> 6. Certain odd flag combinations on single TCP packets (check the
> documentation for Nmap for more info regarding these), which I believe
> (although I may be reading the code wrong) you aren't accounting for.

I've tried many TCP flag combinations with hping3, NUL, SYN/ACK, ACK,
SYN/FIN, etc.
They don't get any response when the flag is set

> 7. DAD queries.

Never looked at these packets; are they a subset of NDP?

> 8. ICMP address mask queries (which you also don't appear to account for).

It's deprecated and actually it doesn't get any response already

> This is by no means an exhaustive list, but all of them really should be
> addressed if you want to do this properly.



Thank you,
-- 
Matteo Croce
OpenWrt Developer


Re: [PATCH v2] add stealth mode

2015-07-08 Thread Hannes Frederic Sowa
On Tue, 2015-07-07 at 17:27 +0200, Matteo Croce wrote:
> 2015-07-07 10:07 GMT+02:00 Hannes Frederic Sowa
> han...@stressinduktion.org:
>> On Mon, Jul 6, 2015, at 21:44, Matteo Croce wrote:
>>> 2015-07-06 12:49 GMT+02:00  valdis.kletni...@vt.edu:
>>>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>>>> Add option to disable any reply not related to a listening socket,
>>>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>>>> Also disables ICMP replies to echo request and timestamp.
>>>>> The stealth mode can be enabled selectively for a single interface.
>>>>
>>>> A few notes.
>>>>
>>>> 1) Do you have an actual use case where an iptables '-j DROP'
>>>> isn't usable?
>>>
>>> If you mean using a default DROP policy and allowing only the traffic
>>> you want,
>>> then the use case is where the port can change at runtime and you
>>> may not want
>>> to update the firewall every time
>>
>> Can't you use socket match in netfilter to accomplish exactly that?
>
> You mean the owner --uid match?
> Yes, sort of, but mine was a different goal, I want just to disable any
> kind of reply from a specific interface (usually WAN) unless there is
> a listening socket, to mitigate port scanning and flood attacks
> without having a firewall.

I was more thinking about the xt_socket match:

-m socket in the INPUT chain.

> Obviously you can do it with a firewall,
> but why do we have /proc/sys/net/ipv4/icmp_echo_ignore_all when we can
> drop ICMP echoes?

Same arguments apply to that knob, but it is already imported and cannot
be changed anymore. Nowadays we try to avoid adding new sysctls.

Bye,
Hannes



Re: [PATCH v2] add stealth mode

2015-07-08 Thread Austin S Hemmelgarn

On 2015-07-06 15:44, Matteo Croce wrote:
> 2015-07-06 12:49 GMT+02:00  valdis.kletni...@vt.edu:
>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>> Add option to disable any reply not related to a listening socket,
>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>> Also disables ICMP replies to echo request and timestamp.
>>> The stealth mode can be enabled selectively for a single interface.
>>
>> A few notes.
>>
>> 2) You *do* realize that this isn't anywhere near sufficient in order
>> to actually make your machine invisible, right?  (Hint: What *other*
>> packets can be sent to a machine to provoke a response?)
>
> Other than ICMP, UDP and TCP excluding open TCP/UDP ports?

Just to name a few that I know of off the top of my head:
1. IP packets with any protocol number not supported by your current
kernel (these return a special ICMP message).
2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the
kernel.
3. Theoretically, some IGMP messages.
4. NDP messages.
5. ARP queries looking for the machine's IP addresses.
6. Certain odd flag combinations on single TCP packets (check the
documentation for Nmap for more info regarding these), which I believe
(although I may be reading the code wrong) you aren't accounting for.
7. DAD queries.
8. ICMP address mask queries (which you also don't appear to account for).

This is by no means an exhaustive list, but all of them really should be
addressed if you want to do this properly.







Re: [PATCH v2] add stealth mode

2015-07-07 Thread Clemens Ladisch
valdis.kletni...@vt.edu wrote:
> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>> Add option to disable any reply not related to a listening socket
>
> 2) You *do* realize that this isn't anywhere near sufficient in order
> to actually make your machine invisible, right?  (Hint: What *other*
> packets can be sent to a machine to provoke a response?)

Even worse: if you want to pretend that the entire machine is not there,
you must make the router in front of you reply with an ICMP destination
unreachable message.


Regards,
Clemens


Re: [PATCH v2] add stealth mode

2015-07-07 Thread Hannes Frederic Sowa


On Mon, Jul 6, 2015, at 21:44, Matteo Croce wrote:
> 2015-07-06 12:49 GMT+02:00  valdis.kletni...@vt.edu:
>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>> Add option to disable any reply not related to a listening socket,
>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>> Also disables ICMP replies to echo request and timestamp.
>>> The stealth mode can be enabled selectively for a single interface.
>>
>> A few notes.
>>
>> 1) Do you have an actual use case where an iptables '-j DROP' isn't usable?
>
> If you mean using a default DROP policy and allowing only the traffic
> you want,
> then the use case is where the port can change at runtime and you may not
> want
> to update the firewall every time

Can't you use socket match in netfilter to accomplish exactly that?


Re: [PATCH v2] add stealth mode

2015-07-07 Thread Matteo Croce
2015-07-07 9:01 GMT+02:00 Clemens Ladisch clem...@ladisch.de:
> valdis.kletni...@vt.edu wrote:
>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>> Add option to disable any reply not related to a listening socket
>>
>> 2) You *do* realize that this isn't anywhere near sufficient in order
>> to actually make your machine invisible, right?  (Hint: What *other*
>> packets can be sent to a machine to provoke a response?)
>
> Even worse: if you want to pretend that the entire machine is not there,
> you must make the router in front of you reply with an ICMP destination
> unreachable message.

You can't do that sometimes, like on DSL lines where the router in front of
you is an ISP-owned DSLAM

-- 
Matteo Croce
OpenWrt Developer


Re: [PATCH v2] add stealth mode

2015-07-07 Thread Matteo Croce
2015-07-07 10:07 GMT+02:00 Hannes Frederic Sowa han...@stressinduktion.org:
> On Mon, Jul 6, 2015, at 21:44, Matteo Croce wrote:
>> 2015-07-06 12:49 GMT+02:00  valdis.kletni...@vt.edu:
>>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>>> Add option to disable any reply not related to a listening socket,
>>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>>> Also disables ICMP replies to echo request and timestamp.
>>>> The stealth mode can be enabled selectively for a single interface.
>>>
>>> A few notes.
>>>
>>> 1) Do you have an actual use case where an iptables '-j DROP' isn't usable?
>>
>> If you mean using a default DROP policy and allowing only the traffic
>> you want,
>> then the use case is where the port can change at runtime and you may not
>> want
>> to update the firewall every time
>
> Can't you use socket match in netfilter to accomplish exactly that?

You mean the owner --uid match?
Yes, sort of, but mine was a different goal, I want just to disable any
kind of reply from a specific interface (usually WAN) unless there is
a listening socket, to mitigate port scanning and flood attacks
without having a firewall.

Obviously you can do it with a firewall,
but why do we have /proc/sys/net/ipv4/icmp_echo_ignore_all when we can
drop ICMP echoes?

-- 
Matteo Croce
OpenWrt Developer


Re: [PATCH v2] add stealth mode

2015-07-06 Thread Valdis . Kletnieks
On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.

A few notes.

1) Do you have an actual use case where an iptables '-j DROP' isn't usable?

2) You *do* realize that this isn't anywhere near sufficient in order
to actually make your machine invisible, right?  (Hint: What *other*
packets can be sent to a machine to provoke a response?)

3) At least my copy had massive whitespace damage, where all the tab characters
appear to have evaporated




Re: [PATCH v2] add stealth mode

2015-07-06 Thread Matteo Croce
2015-07-06 12:49 GMT+02:00  valdis.kletni...@vt.edu:
> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>> Add option to disable any reply not related to a listening socket,
>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>> Also disables ICMP replies to echo request and timestamp.
>> The stealth mode can be enabled selectively for a single interface.
>
> A few notes.
>
> 1) Do you have an actual use case where an iptables '-j DROP' isn't usable?

If you mean using a default DROP policy and allowing only the traffic
you want,
then the use case is where the port can change at runtime and you may not want
to update the firewall every time

> 2) You *do* realize that this isn't anywhere near sufficient in order
> to actually make your machine invisible, right?  (Hint: What *other*
> packets can be sent to a machine to provoke a response?)

Other than ICMP, UDP and TCP excluding open TCP/UDP ports?

> 3) At least my copy had massive whitespace damage, where all the tab
> characters
> appear to have evaporated

Sorry, I was using git send-email first, but I got a security error from gmail,
so I copied/pasted the patch into gmail, which corrupted it

-- 
Matteo Croce
OpenWrt Developer


Re: [PATCH v2] add stealth mode

2015-07-06 Thread David Miller
From: Matteo Croce mat...@openwrt.org
Date: Mon, 6 Jul 2015 21:44:06 +0200

> 2015-07-06 12:49 GMT+02:00  valdis.kletni...@vt.edu:
>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>> Add option to disable any reply not related to a listening socket,
>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>> Also disables ICMP replies to echo request and timestamp.
>>> The stealth mode can be enabled selectively for a single interface.
>>
>> A few notes.
>>
>> 1) Do you have an actual use case where an iptables '-j DROP' isn't usable?
>
> If you mean using a default DROP policy and allowing only the traffic
> you want,
> then the use case is where the port can change at runtime and you may not want
> to update the firewall every time

Dynamically updated firewalls are a thing and quite effective for
solving problems like this one.

With nftables such updates are even extremely efficient.
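Hannes' "-m socket in the INPUT chain" and Dave's "dynamically updated firewalls ... with nftables" are two ways of getting, on the firewall, what the patch's per-interface knob does inside the stack: answer only what belongs to a listening socket, stay silent for everything else on the WAN, and let the set of open ports change at runtime without editing rules. The ruleset below is an added example written for this thread; it is not from the patch or from any of the posters. It assumes the WAN interface is `eth0` and invents the table and set names; everything else is standard nftables syntax.

```nft
#!/usr/sbin/nft -f
# Added example (not part of the netdev thread or of the stealth-mode
# patch): the firewall equivalent of conf/<wan>/stealth=1, done the way
# Hannes (socket-aware accept) and Dave (a set updated at runtime) suggest.
# Assumptions: the WAN interface is "eth0"; table and set names are invented.

flush ruleset

table inet stealth {
    # Ports that daemons open at runtime. Updated with
    #   nft add element inet stealth tcp_open { 8080 }
    #   nft delete element inet stealth tcp_open { 8080 }
    # so a port change never requires reloading the ruleset (Valdis' point 1).
    set tcp_open {
        type inet_service
        flags interval
    }
    set udp_open {
        type inet_service
        flags interval
    }

    chain input {
        type filter hook input priority filter; policy drop

        # Only the WAN is silenced; LAN and loopback stay discoverable,
        # matching the patch's "enable selectively for a single interface".
        iifname != "eth0" accept

        ct state established,related accept
        ct state invalid drop

        # New connections only on listed ports, and only real SYNs, so a
        # lone ACK/FIN/odd-flag segment to an open port gets no RST either
        # (the flag combinations raised in the thread, item 6).
        tcp dport @tcp_open tcp flags & (syn | ack) == syn ct state new accept
        udp dport @udp_open accept

        # The price of an IPv6 WAN: neighbour discovery must be answered or
        # the link stops working. This is exactly the NDP/DAD exposure the
        # thread points out (items 4 and 7); remove it on an IPv4-only WAN.
        # RFC 4861 requires hop limit 255 on ND, so anything routed is dropped.
        ip6 hoplimit 255 icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # DHCP lease renewal on the WAN, if the uplink uses it.
        udp sport 67 udp dport 68 accept

        # Everything else (echo and timestamp requests, SCTP INIT, unknown IP
        # protocol numbers, IGMP, probes to closed ports) hits the policy:
        # no RST, no ICMP unreachable, no reply at all.
    }
}
```

Load it with `nft -f <file>`; a daemon that opens a new port runs the `nft add element` command from the comment, and the change is a single set update rather than a rule reload. The iptables form of Hannes' suggestion is `-m socket --nowildcard -j ACCEPT` in INPUT, which accepts any packet for which a socket lookup (including a listener bound to the wildcard address) succeeds; it avoids the runtime updates entirely, but accepts probes to an open port regardless of TCP flags, so the SYN check above is the stricter of the two. What neither variant fixes is Clemens' point: a dropped packet on the host still looks different from an address with no host behind it, because the upstream router would have to send the destination-unreachable on your behalf.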


Re: [PATCH v2] add stealth mode

2015-07-02 Thread Matteo Croce
Add option to disable any reply not related to a listening socket,
like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
Also disables ICMP replies to echo request and timestamp.
The stealth mode can be enabled selectively for a single interface.

Signed-off-by: Matteo Croce mat...@openwrt.org
---
check the patch with checkpatch.pl and add documentation in ip-sysctl.txt

 Documentation/networking/ip-sysctl.txt | 12 
 include/linux/inetdevice.h |  1 +
 include/linux/ipv6.h   |  1 +
 include/uapi/linux/ip.h|  1 +
 net/ipv4/devinet.c |  1 +
 net/ipv4/icmp.c|  6 ++
 net/ipv4/tcp_ipv4.c|  3 ++-
 net/ipv4/udp.c |  4 +++-
 net/ipv6/addrconf.c|  7 +++
 net/ipv6/icmp.c|  3 ++-
 net/ipv6/tcp_ipv6.c|  2 +-
 net/ipv6/udp.c |  3 ++-
 12 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt
b/Documentation/networking/ip-sysctl.txt
index 5fae770..9eed021 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1181,6 +1181,12 @@ tag - INTEGER
  Allows you to write a number, which can be used as required.
  Default value is 0.

+stealth - BOOLEAN
+ Disable any reply not related to a listening socket,
+ like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
+ Also disables ICMP replies to echo requests and timestamp.
+ Default value is 0.
+
 Alexey Kuznetsov.
 kuz...@ms2.inr.ac.ru
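Review bot: the new entry is inserted between the `tag` description and the `Alexey Kuznetsov.` / `kuz...@ms2.inr.ac.ru` sign-off lines, so it lands after the block that closes the per-interface section instead of next to the other `conf/<interface>/*` knobs; move it above `tag` or into the alphabetical position in that list. The text should also say what the rest of the patch implements: the value is combined with `conf/all/stealth` through IN_DEV_MAXCONF, so `all.stealth = 1` enables it on every interface and a per-interface 0 cannot override it, and replies that do relate to a listening socket (SYN/ACK, data) are still sent.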

@@ -1584,6 +1590,12 @@ stable_secret - IPv6 address

  By default the stable secret is unset.

+stealth - BOOLEAN
+ Disable any reply not related to a listening socket,
+ like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
+ Also disables ICMPv6 replies to echo requests.
+ Default value is 0.
+
 icmp/*:
 ratelimit - INTEGER
  Limit the maximal rates for sending ICMPv6 packets.
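Review bot: the IPv6 text only names ICMPv6 echo replies, while the IPv4 entry also covers timestamp replies; state explicitly whether neighbour discovery (NDP, DAD), which the thread lists as ways the host still answers, is affected, because "Disable any reply not related to a listening socket" is otherwise read as covering it. A reader also needs the same `all` versus per-interface combination rule here as on the IPv4 side, since the documented default of 0 says nothing about how `conf/all/stealth` and `conf/<if>/stealth` interact.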
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index a4328ce..a64c01e 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -128,6 +128,7 @@ static inline void ipv4_devconf_setall(struct
in_device *in_dev)
 #define IN_DEV_ARP_ANNOUNCE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_ANNOUNCE)
 #define IN_DEV_ARP_IGNORE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_IGNORE)
 #define IN_DEV_ARP_NOTIFY(in_dev) IN_DEV_MAXCONF((in_dev), ARP_NOTIFY)
+#define IN_DEV_STEALTH(in_dev) IN_DEV_MAXCONF((in_dev), STEALTH)

 struct in_ifaddr {
  struct hlist_node hash;
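Review bot: IN_DEV_MAXCONF is the right combinator for an "on" switch (`all` or the interface), but every caller in this patch passes `skb->dev->ip_ptr` (shown as `skb-dev-ip_ptr` because the archive dropped the arrows) straight into it. IN_DEV_MAXCONF dereferences `in_dev->dev` and `in_dev->cnf`, `ip_ptr` is NULL for a device with no IPv4 configuration, and it is an RCU pointer; the callers should use `__in_dev_get_rcu(skb->dev)` and treat NULL as not-stealth, or this macro should wrap that itself.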
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 82806c6..49494ec 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -53,6 +53,7 @@ struct ipv6_devconf {
  __s32   ndisc_notify;
  __s32 suppress_frag_ndisc;
  __s32 accept_ra_mtu;
+ __s32 stealth;
  struct ipv6_stable_secret {
  bool initialized;
  struct in6_addr secret;
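Review bot: `stealth` is added to `struct ipv6_devconf` but the diffstat shows no change to `include/uapi/linux/ipv6.h`, so there is no `DEVCONF_STEALTH` index and the value will not be part of the devconf array that addrconf.c exports over netlink for the per-interface IPv6 settings; either add the enum value at the end of that list together with the matching store in addrconf.c, or say in the changelog that the knob is deliberately sysctl-only.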
diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
index 08f894d..4acbf99 100644
--- a/include/uapi/linux/ip.h
+++ b/include/uapi/linux/ip.h
@@ -165,6 +165,7 @@ enum
  IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL,
  IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
  IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
+ IPV4_DEVCONF_STEALTH,
  __IPV4_DEVCONF_MAX
 };
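Review bot: placing `IPV4_DEVCONF_STEALTH` immediately before `__IPV4_DEVCONF_MAX` keeps the existing values stable, which matters because this enum is userspace ABI (it indexes the IFLA_INET_CONF array); the same holds for the name and meaning once merged, so the semantics of "not related to a listening socket" should be settled before this lands, given that the thread's list of probes the patch does not yet handle is still open.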

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 7498716..6b9930a 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2178,6 +2178,7 @@ static struct devinet_sysctl_table {
   promote_secondaries),
  DEVINET_SYSCTL_FLUSHING_ENTRY(ROUTE_LOCALNET,
   route_localnet),
+ DEVINET_SYSCTL_RW_ENTRY(STEALTH, stealth),
  },
 };

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index f5203fb..e8e71fb 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -882,6 +882,9 @@ static bool icmp_echo(struct sk_buff *skb)
 {
  struct net *net;

+ if (IN_DEV_STEALTH(skb-dev-ip_ptr))
+ return true;
+
  net = dev_net(skb_dst(skb)-dev);
  if (!net-ipv4.sysctl_icmp_echo_ignore_all) {
  struct icmp_bxm icmp_param;
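Review bot: `IN_DEV_STEALTH(skb-dev-ip_ptr)` (arrows lost in the archive) dereferences `ip_ptr` with no NULL check and without an RCU accessor; icmp_rcv runs under rcu_read_lock, so `__in_dev_get_rcu(skb->dev)` with a NULL test is the safe form. Returning `true` before the `sysctl_icmp_echo_ignore_all` test is fine for the intended behaviour, but a one-line comment that the per-interface knob takes precedence over the global one would save the next reader a trip to the sysctl documentation.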
@@ -915,6 +918,9 @@ static bool icmp_timestamp(struct sk_buff *skb)
  if (skb-len  4)
  goto out_err;

+ if (IN_DEV_STEALTH(skb-dev-ip_ptr))
+ return true;
+
  /*
  * Fill in the current time as ms since midnight UT:
  */
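Review bot: same unguarded `ip_ptr` dereference as in icmp_echo; factor the test into one helper (for example a `static bool` taking the skb, name is a suggestion) used by both, which also gives a single place to add the reply paths the thread lists and this patch does not touch: the ICMP destination/protocol-unreachable sent for an unsupported IP protocol number (item 1 in the thread) is still generated, so the documented "any reply" is not yet true for it, while the address-mask request (item 8) is reported in the thread as already dropped by default.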
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index d7d4c2b..6f3e6e9 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -77,6 +77,7 @@
 #include net/busy_poll.h

 #include linux/inet.h
+#include linux/inetdevice.h
 #include linux/ipv6.h
 #include linux/stddef.h
 #include linux/proc_fs.h
@@ -1652,7 +1653,7 @@ csum_error:
  TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
 bad_packet:
  TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
- } else {
+ } else if (!IN_DEV_STEALTH(skb-dev-ip_ptr)) {
  tcp_v4_send_reset(NULL, skb);
  }
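Review bot: the condition only guards the `no_tcp_socket` fallthrough, so it silences the RST for segments with no matching socket (including the TIME_WAIT TCP_TW_RST case that is routed here), but not the RSTs tcp_rcv_state_process sends on behalf of a listening socket, so a port with a listener remains observable; the documentation should say so rather than promise silence for everything not tied to a socket. Same `skb->dev->ip_ptr` NULL/RCU concern as in icmp.c; `__in_dev_get_rcu(skb->dev)` is safe here because tcp_v4_rcv runs in the receive path under rcu_read_lock, and `net` is already in scope if the `all` value is wanted directly.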

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 83aa604..780069d 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -96,6 +96,7 @@
 #include linux/timer.h
 #include linux/mm.h
 #include