Exploits (and how to defend against them):

What Are Exploits?

    By exploits, I am talking about remote network stack hacking.  PCFlank's exploits page lists several of them, how they work, etc.  Most of what I will describe will show how to configure linux iptables firewalls to block such traffic.  My tendency is to block the traffic that should not exist on the network rather than get very intensive with configuring iptables.  As a configuration gets more complex, finding problems with it can become more difficult.

Why Should I Care?

    You will always be attacked while on the internet by various automated evil entities such as worms and viruses.  No one is immune, because these automated viruses are not looking for someone "worthy" of their time: they attack indiscriminately.  You would do well to learn how to keep your system safe.

What Are Stealthed Ports?

    Per the RFC standard for TCP and IP, i.e. "the way things should work", your computer should respond to all traffic that it does not want with more traffic, basically a packet that says "no thanks" (an RST packet).  However, due to the high volume of traffic that the internet has grown to accommodate, the proliferation of high speed accounts, and the high amount of "garbage" traffic due to worms and other malicious entities, responding to all these requests can tie up some of your bandwidth.  A newer practice is to not reply at all, i.e. to set iptables to "DROP" all this stuff.  Stealthed ports have somehow become "mandatory" as a security practice, when in reality they do little, if anything, to keep you more safe on the internet.  Any machine connected to the internet will have an IP address, and virtually all machines connected to the internet will have TCP/UDP and IP protocols available for use.  Stealthed ports aren't going to make you undetectable.  They will merely help you free up your machine.

The Exploits

    So far as I can tell, these seem to fall into three categories: those that take advantage of fragmented packets being improperly or incorrectly reassembled, protocols that are unsafe, and packets that should not exist but that your computer may not know how to properly respond to.  I'm going to list these.

Defending Against Unsafe Protocols

    While most protocols are safe, IGMP has come to light recently as being rather unsafe.  It is mainly used for multicasting, but is not absolutely necessary for multicasting or for almost anything else.  With the sheer number of exploits that use it, I simply block it:

iptables -A INPUT -p igmp -j DROP

Defending Against Fragmented Packets

    Fragmented packets themselves are not a problem, but certain protocols, mainly IGMP and ICMP, fit into very small packets and should never need to be fragmented.  So seeing one of these being fragmented is a sign that something malicious is going on, and I block them outright (IGMP is already dropped entirely by the rule above, so only ICMP needs its own rule here):

iptables -A INPUT -p icmp -f -j DROP
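To make clear what that rule actually matches, here is an added example (not code from the page) that models the `-f` match in plain Python: it parses a raw IPv4 header, reads the More-Fragments bit and the 13-bit fragment offset, and applies the page's policy to ICMP and IGMP.  The sample headers are constructed in the script with addresses from the 192.0.2.0/24 documentation range, and the header checksum is left at zero since nothing here verifies it.

```python
import struct

# IPv4 protocol numbers for the two protocols the page says should never be fragmented
IPPROTO_ICMP = 1
IPPROTO_IGMP = 2
NEVER_FRAGMENTED = {IPPROTO_ICMP: "icmp", IPPROTO_IGMP: "igmp"}

IPV4_HEADER = "!BBHHHBBH4s4s"  # 20-byte header without options


def build_ipv4_header(proto, more_fragments=False, frag_offset=0, payload_len=8):
    """Build a minimal IPv4 header for a constructed sample packet.

    frag_offset is in 8-byte units, exactly as carried on the wire; the header
    checksum is left at zero because nothing in this example verifies it.
    """
    flags_and_offset = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack(
        IPV4_HEADER,
        0x45,                    # version 4, IHL 5 (20 bytes)
        0,                       # TOS
        20 + payload_len,        # total length
        0x1234,                  # identification (constructed value)
        flags_and_offset,        # 3 flag bits + 13-bit fragment offset
        64,                      # TTL
        proto,
        0,                       # header checksum (not computed)
        bytes([192, 0, 2, 10]),  # src, documentation range
        bytes([192, 0, 2, 1]),   # dst, documentation range
    )


def parse_ipv4(header):
    """Return (protocol, more_fragments, fragment_offset) from a raw IPv4 header."""
    (ver_ihl, _tos, _total, _ident, flags_and_offset,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_HEADER, header[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    more_fragments = bool(flags_and_offset & 0x2000)  # MF bit
    fragment_offset = flags_and_offset & 0x1FFF
    return proto, more_fragments, fragment_offset


def is_later_fragment(header):
    """What `iptables -f` matches: second and further fragments, i.e. a non-zero
    fragment offset.  The first fragment (offset 0 with MF set) is NOT matched."""
    _proto, _more, offset = parse_ipv4(header)
    return offset != 0


def fragment_rule_verdict(header):
    """Apply the page's policy: a later fragment of ICMP or IGMP is dropped;
    anything else falls through to the rest of the chain."""
    proto, _more, _offset = parse_ipv4(header)
    if proto in NEVER_FRAGMENTED and is_later_fragment(header):
        return "DROP"
    return "CONTINUE"


if __name__ == "__main__":
    samples = {
        "icmp first fragment": build_ipv4_header(IPPROTO_ICMP, more_fragments=True, frag_offset=0),
        "icmp last fragment": build_ipv4_header(IPPROTO_ICMP, more_fragments=False, frag_offset=185),
        "igmp middle fragment": build_ipv4_header(IPPROTO_IGMP, more_fragments=True, frag_offset=3),
        "tcp fragment": build_ipv4_header(6, more_fragments=False, frag_offset=185),
    }
    for name, header in samples.items():
        print("%-22s %s" % (name, fragment_rule_verdict(header)))
```

Two things worth knowing before relying on the rule: `-f` never sees the first fragment (offset 0), so a single-fragment or first-fragment ICMP packet still reaches the rules below it, and on a kernel where connection tracking is loaded the fragments are reassembled before the filter table runs, so `-f` will rarely match anything at all there.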

Defending Against Improper TCP Flags And Other Nonsense

    TCP functions with flags inside the packet that give details as to how to interpret what the packet is for.  However, some malicious entities like to mix the flags improperly in the packets to see how the machine will respond if it receives such a packet.  You can simply drop the combinations that "should not exist" like this:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

This will drop most of these improper combinations.

    Also, when a TCP packet is sent to a host machine, normally the first packet is supposed to be flagged with the SYN flag, i.e. "may I open a connection to this port?".  Either the receiving machine allows the connection by replying with a packet with the ACK flag (acknowledge, i.e. "yes") or with RST (reset, i.e. "no").  Seeing incoming TCP packets that are new but do not have the SYN flag is another method you can use to filter out bad packets, like this:

iptables -A INPUT -p tcp -m state --state NEW ! --syn -j DROP
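The `--tcp-flags MASK COMP` syntax trips people up, so here is an added example (my own code, not from the page) that models its matching semantics in Python and walks the page's seven rules for a few flag combinations.  It assumes the conntrack state (NEW or ESTABLISHED) is handed in as a label rather than tracked, and it follows the iptables definitions: "ALL" is the six classic flags (ECE and CWR are not included), and `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`.

```python
# Bit values of the six flags iptables knows.  Its "ALL" keyword covers exactly
# these; ECE and CWR are not part of ALL.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F

# The page's --tcp-flags rules, in chain order, as (mask, comp) pairs.
TCP_FLAG_RULES = [
    ("ALL", "NONE"),
    ("ALL", "ALL"),
    ("ALL", "FIN,URG,PSH"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("SYN,RST", "SYN,RST"),
    ("SYN,FIN", "SYN,FIN"),
]


def parse_flags(spec):
    """Turn an iptables flag list such as 'SYN,RST', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name.strip().upper()]
    return bits


def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags MASK COMP: looking only at the bits in MASK, exactly the bits in
    COMP must be set.  So 'ALL NONE' means 'no flags at all' and 'SYN,FIN SYN,FIN'
    means 'both SYN and FIN set, whatever the other four bits are'."""
    return (packet_flags & mask) == comp


def is_syn(packet_flags):
    """--syn: SYN set with ACK, RST and FIN clear, i.e. --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(packet_flags, parse_flags("SYN,RST,ACK,FIN"), parse_flags("SYN"))


def verdict(flags_spec, conntrack_state="ESTABLISHED"):
    """Walk the page's rules for one packet.  conntrack_state is what the kernel's
    state match would report (NEW for a packet that starts a flow); it is passed
    in as a label here, not tracked.  Returns (target, matching rule or None)."""
    flags = parse_flags(flags_spec)
    for mask, comp in TCP_FLAG_RULES:
        if tcp_flags_match(flags, parse_flags(mask), parse_flags(comp)):
            return "DROP", "--tcp-flags %s %s" % (mask, comp)
    if conntrack_state == "NEW" and not is_syn(flags):
        return "DROP", "--state NEW ! --syn"
    return "ACCEPT", None


if __name__ == "__main__":
    # Constructed samples: legitimate handshake traffic first, then the junk the rules target.
    samples = [
        ("SYN", "NEW"),                      # normal connection request
        ("SYN,ACK", "ESTABLISHED"),          # normal reply within a tracked flow
        ("ACK,PSH", "ESTABLISHED"),          # normal data segment
        ("ACK", "NEW"),                      # data with no handshake seen: dropped by the last rule
        ("NONE", "ESTABLISHED"),             # null scan style packet
        ("ALL", "ESTABLISHED"),              # every flag set
        ("FIN,URG,PSH", "ESTABLISHED"),      # xmas style packet
        ("SYN,FIN", "ESTABLISHED"),          # open and close at once
        ("SYN,RST,ACK", "ESTABLISHED"),      # SYN with RST: caught by the SYN,RST rule
        ("SYN,RST,ACK,FIN,URG", "NEW"),      # caught by the fourth rule before SYN,RST is reached
    ]
    for flags, state in samples:
        target, reason = verdict(flags, state)
        print("%-22s %-12s %-6s %s" % (flags, state, target, reason or ""))
```

Rule order matters: the five-flag combination in the fourth rule would also be caught by `SYN,RST SYN,RST`, but the first matching rule in the chain decides.  On current kernels the state match is usually spelled `-m conntrack --ctstate NEW`; the semantics modelled here are the same.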

Further Reading

    This page isn't meant to be advanced, but is more for the casual linux home user, or someone using windows who has a firewall that can be manually configured with parameters similar to those above.  Here is some more reading:
