From: Darren Reed
Message-Id: <199809171245.WAA03566@avalon.reed.wattle.id.au>
Subject: Making "stealth" scans harder.
To: darrenr@reed.wattle.id.au (Darren Reed)
Date: Thu, 17 Sep 1998 22:45:49 +1000 (EST)
Sender: owner-freebsd-security@FreeBSD.ORG

The below patch helps to reduce the leakage of internal socket information when a TCP "stealth" scan is directed at a *BSD box by ensuring the window is 0 for all RST packets generated through tcp_respond(). Patch is against NetBSD-1.3G but should apply to others with some fuzz.

Cheers,
Darren

*** tcp_subr.c.orig Sun Aug 2 21:16:42 1998 --- tcp_subr.c Thu Sep 17 22:38:51 1998 *************** *** 214,220 **** struct route *ro = 0; if (tp) { ! win = sbspace(&tp->t_inpcb->inp_socket->so_rcv); ro = &tp->t_inpcb->inp_route; } if (m == 0) { --- 214,221 ---- struct route *ro = 0; if (tp) { ! if (!(flags & TH_RST)) !
win = sbspace(&tp->t_inpcb->inp_socket->so_rcv); ro = &tp->t_inpcb->inp_route; } if (m == 0) { *************** *** 247,253 **** ti->ti_ack = htonl(ack); ti->ti_x2 = 0; if ((flags & TH_SYN) == 0) { ! if (tp) ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale)); else ti->ti_win = htons((u_int16_t)win); --- 248,254 ---- ti->ti_ack = htonl(ack); ti->ti_x2 = 0; if ((flags & TH_SYN) == 0) { ! if (tp && !(flags & TH_RST)) ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale)); else ti->ti_win = 0;
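
Review bot: In the first hunk (tcp_subr.c, line 214), the new `if (!(flags & TH_RST))` guard leaves `win` at whatever value it held before this block when the segment is an RST, and that initial value is not visible in the hunk. The second hunk already forces `ti->ti_win = 0` for RSTs, so this guard only matters if `win` is read somewhere else; either drop it, or assign `win = 0` explicitly for the RST case so the result does not depend on an initialiser outside the diff. A one-line comment saying that RSTs deliberately advertise a zero window, so that the receive-buffer space from `sbspace()` is not exposed, would keep a later cleanup from undoing it.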
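
Review bot: In the second hunk (line 247), the `else` branch changes from `ti->ti_win = htons((u_int16_t)win);` to `ti->ti_win = 0;` but, as the patch is shown here, that line carries no `!` change marker, so a reader scanning for markers will miss it; the diff should be regenerated so the line is flagged. The change also reaches beyond RSTs: any non-SYN segment sent with `tp == NULL` now gets a zero window regardless of `win`. If that is intended, the description should say so; otherwise keep `htons((u_int16_t)win)` for the `tp == NULL` case and handle `TH_RST` in its own branch.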