
mihi at gmx
Aug 30, 2001, 3:50 PM
hey guys I missed a feature provided by the grsecurity-patch: the Random TTL. For some paranoid geeks this is a good patch. netfilter TTL target had no option to set a random TTL so i added one. the option is --ttl-rnd <value> where value is the minimum ttl possible. mihi [at] tibi:~$ more ipt_TTL-rand.patch
--- netfilter/userspace/extensions/libipt_TTL.c Fri Aug 31 00:29:21 2001
+++ netfilter/userspace/extensions/libipt_TTL-rand.c Fri Aug 31 00:00:41 2001
@@ -27,6 +27,7 @@
 " --ttl-set value Set TTL to <value>\n"
 " --ttl-dec value Decrement TTL by <value>\n"
 " --ttl-inc value Increment TTL by <value>\n"
+" --ttl-rnd value Set TTL to Random+value\n"
 , NETFILTER_VERSION);
 }
 
@@ -75,6 +76,9 @@
 info->mode = IPT_TTL_INC;
 break;
 
+ case '4':
+ info->mode = IPT_TTL_RND;
+ break;
 default:
 return 0;
 
@@ -111,6 +115,9 @@
 case IPT_TTL_INC:
 printf("--ttl-inc ");
 break;
+ case IPT_TTL_RND:
+ printf("--ttl-rnd ");
+ break;
 }
 printf("%u ", info->ttl);
 }
@@ -132,6 +139,9 @@
 case IPT_TTL_INC:
 printf("increment by ");
 break;
+ case IPT_TTL_RND:
+ printf("set to random ");
+ break;
 }
 printf("%u ", info->ttl);
 }
@@ -140,6 +150,7 @@
 { "ttl-set", 1, 0, '1' },
 { "ttl-dec", 1, 0, '2' },
 { "ttl-inc", 1, 0, '3' },
+ { "ttl-rnd", 1, 0, '4' },
 { 0 }
 };
 
@@ -162,3 +173,8 @@
 {
 register_target(&TTL);
 }
+
+
+
+
+
--- ../linux/include/linux/netfilter_ipv4/ipt_TTL.h Fri Aug 31 00:28:36 2001
+++ ../linux/include/linux/netfilter_ipv4/ipt_TTL-rand.h Thu Aug 30 23:37 :02 2001
@@ -7,10 +7,11 @@
 enum {
 IPT_TTL_SET = 0,
 IPT_TTL_INC,
- IPT_TTL_DEC
+ IPT_TTL_DEC,
+ IPT_TTL_RND
 };
 
-#define IPT_TTL_MAXMODE IPT_TTL_DEC
+#define IPT_TTL_MAXMODE IPT_TTL_RND
 
 struct ipt_TTL_info {
 u_int8_t mode;
--- ../linux/net/ipv4/netfilter/ipt_TTL.c Fri Aug 31 00:28:07 2001
+++ ../linux/net/ipv4/netfilter/ipt_TTL-rand.c Thu Aug 30 23:09:34 2001
@@ -13,6 +13,7 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
+#include <linux/random.h>
 
 MODULE_AUTHOR("Harald Welte <laforge [at] gnumonks>");
 MODULE_DESCRIPTION("IP tables TTL modification module");
 
@@ -23,6 +24,7 @@
 {
 struct iphdr *iph = (*pskb)->nh.iph;
 const struct ipt_TTL_info *info = targinfo;
+ unsigned char j;
 
 switch (info->mode) {
 case IPT_TTL_SET:
@@ -43,6 +45,13 @@
 else
 iph->ttl -= info->ttl;
 break;
+ case IPT_TTL_RND:
+ j=255;
+ while ((j+info->ttl)>255){
+ get_random_bytes(&j,1);};
+ iph->ttl=info->ttl + j;
+ break;
+
 }
 
 /* probably FIXME: in case we didn't change anything, don't do
---end-patch I hope i did not make (too m)any mistakes, and that some geeks may find that usefull.. this patch is also availible on http://unet.univie.ac.at/~a9900470/ipt_TTL-rand.patch greets mihi -- :wq PGP/GPG key @ http://unet.univie.ac.at/~a9900470/mihi.asc
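Review bot: The rejection loop in the IPT_TTL_RND case, `while ((j+info->ttl)>255){ get_random_bytes(&j,1);};`, has no iteration bound and sits in the per-packet target path: the larger the configured minimum, the more draws are rejected on average, and at `--ttl-rnd 255` only a zero byte terminates it, so a single matching packet costs about 256 get_random_bytes() calls on average. One draw mapped into the allowed range, `get_random_bytes(&j, 1); iph->ttl = info->ttl + j % (256 - info->ttl);`, costs exactly one call per packet whatever the minimum (assuming ttl is an 8-bit field like mode; the slight modulo bias is immaterial for a TTL). The `;` after the while body is an empty statement, and the `+` line before the closing `}` adds only whitespace. Nothing in the visible hunks rejects a minimum of 0, where both the loop and the replacement can produce a TTL of 0; a range check on info->ttl belongs in the checkentry function, which, like the start of the target function, is outside these hunks.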