Jan Engelhardt wrote:
On Tuesday 2008-05-27 17:12, Nicolas Bareil wrote:
I developed a Netfilter module which performs packet normalization, the
"scrubbing" feature of OpenBSD[1]. Normalized traffic offers the
following possibilities:
I seem to remember that Linux's TCP or nf_conntrack already does
some scrubbing.
No, unless you're referring to the unwanted side-effects from
defragmentation and refragmentation for IPv4. I also don't
want to include something like this in netfilter, NAT is
already bad enough and the threats it *might* protect against
seem a bit vague. Better throw your broken IDS out if it can
be fooled by changing TTLs.
I don't want to sound too discouraging though, I have no problem
adding it to the pom-ng sources.list.
The current patch achieves the following transformations:
* IPv4
- Random IP ID
- Zeroify ToS
Zeroify? Clearing the TOS is probably not a good idea because
it defeats packet scheduling (if it uses TOS).
Well .. ToS is only useful within your own administrative
boundaries anyways, I've seen quite a few ISPs overwriting
it during transit.
- TTL normalization
* TCP
- Random TCP Sequence
I wonder if Linux already has this.
For forwarded traffic? No.
- TCP Options
- Random Timestamp
Is this even RFC compatible?
I assume it's a random offset per connection, but still, no.
You can also still distinguish different hosts by their clock
rates.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
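As an added illustration of the transformations listed in the thread (this is example code written for this page, not Nicolas Bareil's patch and not netfilter code): a user-space routine that applies the IPv4 and TCP rewrites to a constructed packet and then recomputes the IP header checksum and the TCP checksum, which is the part of a normalizer that is easy to get wrong. The fixed TTL value `NORM_TTL`, the xorshift PRNG standing in for `get_random_bytes()`, the per-connection `seq_off`/`ts_off` parameters and the sample SYN built by `build_sample_packet()` are all assumptions of this example; the reverse-direction ACK/TSecr adjustment a real module would need is not shown.

```c
/* Example packet normalizer (added for this page; not the patch under discussion). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NORM_TTL 64u   /* assumed policy value; OpenBSD's scrub exposes min-ttl/max-ttl knobs */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* RFC 1071 one's-complement accumulation; callers chain pseudo-header words via 'sum'. */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len) {
    for (; len > 1; buf += 2, len -= 2) sum += rd16(buf);
    if (len) sum += (uint32_t)buf[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum = pseudo-header (src, dst, zero:proto, TCP length) + TCP segment. */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *tcp, size_t tcplen) {
    uint32_t sum = csum_add(0, ip + 12, 8);   /* source and destination address */
    sum += 6u + (uint32_t)tcplen;             /* 0x0006 word (zero:proto) plus length word */
    return csum_fold(csum_add(sum, tcp, tcplen));
}

/* Deterministic xorshift32 so the example is reproducible; a kernel module
 * would draw from get_random_bytes() instead (assumption of this example). */
static uint32_t prng_state = 0x9E3779B9u;
static uint32_t prng_next(void) {
    uint32_t x = prng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* Returns 1 if both the IP header checksum and the TCP checksum verify, else 0. */
int checksums_ok(const uint8_t *pkt, size_t len) {
    if (len < 20) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4, tot = rd16(pkt + 2);
    if (ihl < 20 || tot < ihl + 20 || tot > len) return 0;
    if (csum_fold(csum_add(0, pkt, ihl)) != 0) return 0;
    return tcp_csum(pkt, pkt + ihl, tot - ihl) == 0;
}

/* Normalize an IPv4/TCP packet in place: zero ToS, random IP ID, fixed TTL,
 * per-connection sequence offset, per-connection TSval offset; then recompute
 * both checksums. Returns 0 on success, -1 if the buffer is not a well-formed
 * IPv4/TCP packet (a real module would simply pass such packets through). */
int normalize_ipv4_tcp(uint8_t *pkt, size_t len, uint32_t seq_off, uint32_t ts_off) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4, tot = rd16(pkt + 2);
    if (ihl < 20 || tot > len || tot < ihl + 20 || pkt[9] != 6) return -1;
    uint8_t *tcp = pkt + ihl;
    size_t tcplen = tot - ihl, doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcplen) return -1;

    /* IPv4: a fixed TTL is what defeats the "seen by the IDS, expired before
     * the host" insertion trick; the random ID hides the sender's ID counter. */
    pkt[1] = 0;                              /* zero ToS */
    wr16(pkt + 4, (uint16_t)prng_next());    /* random IP ID */
    pkt[8] = NORM_TTL;                       /* TTL normalization */

    /* TCP: add the per-connection offset to the sequence number. */
    wr32(tcp + 4, rd32(tcp + 4) + seq_off);

    /* TCP options: add the per-connection offset to TSval of a timestamp option (kind 8, len 10). */
    for (size_t i = 20; i < doff;) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                 /* end of option list */
        if (kind == 1) { i++; continue; }     /* NOP */
        if (i + 1 >= doff) return -1;
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > doff) return -1;
        if (kind == 8 && olen == 10) wr32(tcp + i + 2, rd32(tcp + i + 2) + ts_off);
        i += olen;
    }

    wr16(pkt + 10, 0);
    wr16(pkt + 10, csum_fold(csum_add(0, pkt, ihl)));
    wr16(tcp + 16, 0);
    wr16(tcp + 16, tcp_csum(pkt, tcp, tcplen));
    return 0;
}

/* Constructed sample (not captured traffic): a SYN from 10.0.0.2:40000 to
 * 10.0.0.1:80, ToS 0x10, TTL 53, IP ID 0x1234, seq 0x11223344, with NOP NOP
 * and a timestamp option (TSval 1000, TSecr 0). Returns the packet length. */
size_t build_sample_packet(uint8_t *buf) {
    static const uint8_t tmpl[52] = {
        0x45, 0x10, 0x00, 0x34, 0x12, 0x34, 0x40, 0x00, 0x35, 0x06, 0x00, 0x00,
        10, 0, 0, 2,  10, 0, 0, 1,
        0x9c, 0x40, 0x00, 0x50, 0x11, 0x22, 0x33, 0x44, 0x00, 0x00, 0x00, 0x00,
        0x80, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
        0x01, 0x01, 0x08, 0x0a, 0x00, 0x00, 0x03, 0xe8, 0x00, 0x00, 0x00, 0x00,
    };
    memcpy(buf, tmpl, sizeof tmpl);
    wr16(buf + 10, csum_fold(csum_add(0, buf, 20)));
    wr16(buf + 36, tcp_csum(buf, buf + 20, 32));
    return sizeof tmpl;
}

int main(void) {
    uint8_t pkt[64];
    size_t n = build_sample_packet(pkt);
    printf("before: tos=%#x ttl=%u id=%#x seq=%#x ok=%d\n", pkt[1], pkt[8], rd16(pkt + 4), rd32(pkt + 24), checksums_ok(pkt, n));
    normalize_ipv4_tcp(pkt, n, 0x01000000u, 5000u);
    printf("after:  tos=%#x ttl=%u id=%#x seq=%#x ok=%d\n", pkt[1], pkt[8], rd16(pkt + 4), rd32(pkt + 24), checksums_ok(pkt, n));
    return 0;
}
```

The sequence and timestamp offsets are added, not replaced, so the rewrite stays consistent across a connection; the reverse direction would have to subtract the same offsets from ACK numbers and TSecr values, which is the per-connection state a real implementation has to keep in conntrack. Note that, as the thread points out, offsetting TSval per connection still leaves the sender's clock rate observable.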