From: Austin S Hemmelgarn <ahferroin7@gmail.com>
To: Matteo Croce <matteo@openwrt.org>, Valdis.Kletnieks@vt.edu
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] add stealth mode
Date: Wed, 08 Jul 2015 09:32:56 -0400
Message-ID: <559D2688.5020302@gmail.com>
In-Reply-To: <CAFnufp3xP3xjd8zy0uLKEGgbBAb0motLva=f1EbMJCfcKG=Y-w@mail.gmail.com>
On 2015-07-06 15:44, Matteo Croce wrote:
> 2015-07-06 12:49 GMT+02:00 <Valdis.Kletnieks@vt.edu>:
>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>> Add option to disable any reply not related to a listening socket,
>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>> Also disables ICMP replies to echo request and timestamp.
>>> The stealth mode can be enabled selectively for a single interface.
>>
>> A few notes.....
>>
>> 2) You *do* realize that this isn't anywhere near sufficient in order
>> to actually make your machine "invisible", right? (Hint: What *other*
>> packets can be sent to a machine to provoke a response?)
>
> Other than ICMP, UDP and TCP excluding open TCP/UDP ports?
>
Just to name a few that I know of off the top of my head:
1. IP packets with any protocol number not supported by your current
kernel (these return a special ICMP message).
2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the
kernel.
3. Theoretically, some IGMP messages.
4. NDP messages.
5. ARP queries looking for the machine's IP addresses.
6. Certain odd flag combinations on single TCP packets (check the
documentation for Nmap for more info regarding these), which I believe
(although I may be reading the code wrong) you aren't accounting for.
7. DAD queries.
8. ICMP address mask queries (which you also don't appear to account for).
This is by no means an exhaustive list, but all of them really should be
addressed if you want to do this properly.
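
The categories in the list above, turned into a passive classifier for captured Ethernet frames, so a capture can be checked for traffic that would still draw a reply. This is an added example, not code from the email or the patch; `SUPPORTED_PROTOS`, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct
# Assumption: IP protocols the local kernel handles (depends on kernel config).
SUPPORTED_PROTOS = {1, 2, 6, 17, 132}  # ICMP, IGMP, TCP, UDP, SCTP
ODD_TCP_FLAGS = {0x00: "no flags", 0x01: "FIN only", 0x29: "FIN+PSH+URG"}

def classify(frame: bytes):
    """Map an Ethernet frame to an item number of the list above, or None."""
    if len(frame) < 14:
        return None
    ethertype, l3 = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x0806:  # ARP; opcode 1 is a request
        return "5: ARP query" if l3[6:8] == b"\x00\x01" else None
    if ethertype == 0x86DD:  # IPv6, extension headers not handled
        if len(l3) < 41 or l3[6] != 58 or l3[40] != 135:
            return None  # not an ICMPv6 Neighbor Solicitation
        # DAD probes are sent from the unspecified address (::)
        return "7: DAD query" if l3[8:24] == bytes(16) else "4: NDP message"
    if ethertype != 0x0800 or len(l3) < 20:
        return None
    proto, l4 = l3[9], l3[(l3[0] & 0x0F) * 4:]  # fragments not handled
    if proto not in SUPPORTED_PROTOS:
        return "1: unsupported IP protocol"
    if proto == 132 and l4[12:13] in (b"\x01", b"\x0a"):  # first chunk type
        return "2: SCTP INIT/COOKIE_ECHO"
    if proto == 2 and l4[:1] == b"\x11":  # membership query
        return "3: IGMP query"
    if proto == 6 and len(l4) > 13 and (l4[13] & 0x3F) in ODD_TCP_FLAGS:
        return "6: odd TCP flags (%s)" % ODD_TCP_FLAGS[l4[13] & 0x3F]
    if proto == 1 and l4[:1] == b"\x11":  # ICMP type 17
        return "8: ICMP address mask query"
    return None

def eth(ethertype, payload):  # constructed frame, zeroed MAC addresses
    return bytes(12) + struct.pack("!H", ethertype) + payload
def ipv4(proto, payload):  # constructed header, checksum left at zero
    return eth(0x0800, struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
               0, 0, 64, proto, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02") + payload)
# Constructed sample frames, not captured traffic.
SAMPLES = {
    "arp": eth(0x0806, struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes(20)),
    "proto47": ipv4(47, bytes(8)),
    "sctp_init": ipv4(132, bytes(12) + b"\x01" + bytes(19)),
    "tcp_xmas": ipv4(6, bytes(13) + b"\x29" + bytes(6)),
    "tcp_syn": ipv4(6, bytes(13) + b"\x02" + bytes(6)),
    "addr_mask": ipv4(1, b"\x11" + bytes(11)),
    "dad": eth(0x86DD, b"\x60\x00\x00\x00" + struct.pack("!HBB", 24, 58, 255)
               + bytes(16) + b"\xff\x02" + bytes(14) + b"\x87" + bytes(23)),
}
RESULTS = {name: classify(f) for name, f in SAMPLES.items()}
```

A `None` result only means the frame falls outside the eight items listed; it says nothing about whether the patch handles it.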