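/*
 * Name: ANTi SP00FiNG VIA SETSOCKOPT() ( fbsdnospoof.c )
 * Date: Fri Feb 18 14:45:01 2000
 * Author: pIGpEN [pigpen@s0ftpj.org, deadhead@sikurezza.org]
 *
 * SoftProject Digital Security for Y2K (www.s0ftpj.org)
 * Sikurezza.org Italian Security MailingList (www.sikurezza.org)
 *
 * COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
 * Poul-Henning Kamp but you can give me in return a coffee.
 *
 * Tested on: FreeBSD 4.0-19990705-CURRENT FreeBSD 4.0-19990705-CURRENT #6 i386
 *            FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #0: Tue Dec i386
 *
 * Thanks to: del0rean / s0ftPj for cd with 3.4 release
 *            Lynyrd Skynyrd for Sweet Home Alabama
 *
 * Use a kld Makefile.. ( put in append )
 */

/*
 * This kld detects the type of IP spoofing that relies on setsockopt() with
 * IP_HDRINCL.  It works by monitoring the setsockopt() system call: the
 * sysent[] entry for SYS_setsockopt is replaced with my_setsockopt() below,
 * which logs IP_HDRINCL requests and (with DONT_PERMIT) refuses them.
 *
 * Scope: only the setsockopt(2) entry point is covered.  Treat the module as a
 * tripwire for header-inclusion requests, not as a complete control over
 * every way the kernel can emit packets.
 *
 * example of detection:
 *
 * ./DoS -s 666.666.666.666 -d 192.168.1.4
 * IP_HDRINCL: Invalid argument
 *
 * syslog:
 *
 * Feb 18 14:44:25 storpio /kernel: Detect IP_HDRINCL invoked by d0s
 * Feb 18 14:44:25 storpio /kernel: IP header manipulation... DENIED!
 */

/*
 * Define DONT_PERMIT -> if you want to forbid IP header manipulation and so
 * the chance of IP Spoofing from your BOX.  Without it the module only logs.
 */
#define DONT_PERMIT

/*
 * NOTE(review): the header names were lost in the extracted copy of this
 * file (bare "#include" lines).  The list below is reconstructed from the
 * symbols this file uses; verify it against the original before building.
 */
#include <sys/param.h>
#include <sys/systm.h>		/* log() */
#include <sys/kernel.h>
#include <sys/module.h>		/* moduledata_t, DECLARE_MODULE */
#include <sys/errno.h>
#include <sys/proc.h>		/* struct proc, p_comm */
#include <sys/file.h>		/* struct file */
#include <sys/socket.h>
#include <sys/socketvar.h>	/* struct sockopt, sosetopt() */
#include <sys/sysent.h>		/* sysent[], sy_call_t */
#include <sys/sysproto.h>	/* struct setsockopt_args */
#include <sys/syscall.h>	/* SYS_setsockopt */
#include <sys/syslog.h>		/* LOG_INFO */
#include <netinet/in.h>		/* IP_HDRINCL, IPPROTO_IP */

static int my_setsockopt __P((struct proc *, register struct setsockopt_args *));

/*
 * Whatever sysent[SYS_setsockopt].sy_call pointed at when the module was
 * loaded.  Unloading restores this exact pointer instead of the kernel's
 * setsockopt symbol, so a handler installed by someone else between our load
 * and unload is not silently dropped.
 */
static sy_call_t *orig_setsockopt = NULL;

/*
 * my_setsockopt - replacement entry for the setsockopt(2) system call.
 *
 * p:   calling process.
 * uap: the syscall arguments (socket, level, name, val, valsize).
 *
 * Returns 0 on success or an errno value, exactly as setsockopt(2) does.
 *
 * The argument validation, getsock() lookup and sosetopt() call at the end
 * appear to mirror the stock setsockopt() entry, so a request that is not an
 * IP_HDRINCL request is handled as the kernel would handle it.  Only the
 * IPPROTO_IP / IP_HDRINCL case is intercepted:
 *   - it is always logged, and
 *   - with DONT_PERMIT defined it is refused with EINVAL.
 *
 * EINVAL is what the documented example output shows ("IP_HDRINCL: Invalid
 * argument"); EPERM would describe the refusal better but would change the
 * visible behaviour, so it is kept as is.
 */
static int
my_setsockopt(p, uap)
	struct proc *p;
	register struct setsockopt_args *uap;
{
	struct file *fp;
	struct sockopt sopt;
	int error;

	/* A NULL value with a non-zero size cannot be copied in. */
	if (uap->val == 0 && uap->valsize != 0)
		return (EFAULT);
	if (uap->valsize < 0)
		return (EINVAL);

	/* Resolve the descriptor before touching the option, as the kernel does. */
	error = getsock(p->p_fd, uap->s, &fp);
	if (error)
		return (error);

	if ((uap->level == IPPROTO_IP) && (uap->name == IP_HDRINCL)) {
		/*
		 * p_comm is the caller's own command name: useful for
		 * correlating with ps/syslog, but it is chosen by whoever
		 * installed the binary, so treat it as informational only.
		 */
		log(LOG_INFO, "Detect IP_HDRINCL invoked by %s\n", p->p_comm);
#ifdef DONT_PERMIT
		log(LOG_INFO, "IP header manipulation... DENIED!\n");
		return (EINVAL);
#endif
	}

	/* Not intercepted (or logging only): hand the request to the socket layer. */
	sopt.sopt_dir = SOPT_SET;
	sopt.sopt_level = uap->level;
	sopt.sopt_name = uap->name;
	sopt.sopt_val = uap->val;
	sopt.sopt_valsize = uap->valsize;
	sopt.sopt_p = p;
	return (sosetopt((struct socket *)fp->f_data, &sopt));
}

/*
 * module_handler - kld event handler.
 *
 * MOD_LOAD saves the current SYS_setsockopt handler and installs
 * my_setsockopt(); MOD_UNLOAD puts the saved handler back (falling back to
 * the kernel's setsockopt if nothing was saved).  Other events are reported
 * as unsupported.
 *
 * NOTE(review): the sysent[] swap is a plain pointer store with no
 * synchronisation against a setsockopt() call that is already executing, so
 * unloading while the hook is in use is unsafe; confirm for the target kernel.
 */
static int
module_handler(module_t mod, int cmd, void *arg)
{
	switch (cmd) {
	case MOD_LOAD:
		orig_setsockopt = sysent[SYS_setsockopt].sy_call;
		sysent[SYS_setsockopt].sy_call = (sy_call_t *)my_setsockopt;
		break;
	case MOD_UNLOAD:
		sysent[SYS_setsockopt].sy_call = (orig_setsockopt != NULL) ?
		    orig_setsockopt : (sy_call_t *)setsockopt;
		break;
	default:
		return (EOPNOTSUPP);
	}
	return (0);
}

static moduledata_t SetSock = {
	"SetSockOpt",
	module_handler,
	NULL
};

DECLARE_MODULE(SetSockOpt, SetSock, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);

/* Makefile for this kld...

# SoftProject 2000 - Digital Sekurity for Y2k
# Sikurezza.org - Italian Security MailingList
#
# COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
# Poul-Henning Kamp but you can give me in return a coffee.
#
# Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #3: Thu Mar i386
# < pigpen@s0ftpj.org >

.PATH:		/sys/kern
SRCS =		fbsdnospoof.c
CFLAGS+=	-I/sys
KMOD =		nospoof
NOMAN =		t
KLDMOD =	t
KLDLOAD =	/sbin/kldload
KLDUNLOAD =	/sbin/kldunload
CLEANFILES+=	${KMOD}

load:
	${KLDLOAD} -v ./${KMOD}

unload:
	${KLDUNLOAD} -v -n ${KMOD}

# NOTE(review): the .include target was lost in the extracted copy; the
# standard kld makefile is <bsd.kmod.mk> -- verify against the original.
.include <bsd.kmod.mk>
*/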