Re: [PATCH v2] add stealth mode

From: Austin S Hemmelgarn
Date: Wed Jul 08 2015 - 09:33:14 EST


On 2015-07-06 15:44, Matteo Croce wrote:
> 2015-07-06 12:49 GMT+02:00 <Valdis.Kletnieks@xxxxxx>:
>> On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:
>>> Add option to disable any reply not related to a listening socket,
>>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>>> Also disables ICMP replies to echo request and timestamp.
>>> The stealth mode can be enabled selectively for a single interface.
>>
>> A few notes.....
>>
>> 2) You *do* realize that this isn't anywhere near sufficient in order
>> to actually make your machine "invisible", right? (Hint: What *other*
>> packets can be sent to a machine to provoke a response?)
>
> Other than ICMP, UDP and TCP excluding open TCP/UDP ports?

Just to name a few that I know of off the top of my head:
1. IP packets with any protocol number not supported by your current kernel (these return a special ICMP message).
2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the kernel.
3. Theoretically, some IGMP messages.
4. NDP messages.
5. ARP queries looking for the machine's IP addresses.
6. Certain odd flag combinations on single TCP packets (check the documentation for Nmap for more info regarding these), which I believe (although I may be reading the code wrong) you aren't accounting for.
7. DAD queries.
8. ICMP address mask queries (which you also don't appear to account for).

This is by no means an exhaustive list, but all of them really should be addressed if you want to do this properly.
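
To audit which of the IPv4 stimuli listed above appear in traffic captured on an interface, a classifier along these lines can be run over each packet; it is an added example, not part of the original message or of the patch under review. The supported-protocol set, the TCP flag combinations treated as odd, and all names are assumptions, and ARP, NDP and DAD are left out because they are not IPv4 payloads.

```c
#include <stddef.h>
#include <stdint.h>

/* Stimulus classes for the IPv4 items in the list above. */
enum stimulus { ST_NONE, ST_MALFORMED, ST_UNSUPPORTED_PROTO, ST_SCTP_INIT,
                ST_SCTP_COOKIE_ECHO, ST_IGMP, ST_TCP_ODD_FLAGS, ST_ICMP_ADDR_MASK };

/* Assumption: the audited kernel handles only ICMP, IGMP, TCP, UDP and SCTP. */
static int proto_supported(uint8_t p) {
    return p == 1 || p == 2 || p == 6 || p == 17 || p == 132;
}

/* Classify one captured IPv4 packet, starting at the IP header. */
enum stimulus classify(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return ST_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return ST_MALFORMED;
    if (!proto_supported(pkt[9])) return ST_UNSUPPORTED_PROTO;
    /* Later fragments carry no transport header to inspect. */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0) return ST_NONE;
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;
    switch (pkt[9]) {
    case 1: /* ICMP type 17 = Address Mask Request */
        if (l4len < 1) return ST_MALFORMED;
        return l4[0] == 17 ? ST_ICMP_ADDR_MASK : ST_NONE;
    case 2: return ST_IGMP;
    case 6: { /* TCP: flag bits are in byte 13 of the header */
        if (l4len < 20) return ST_MALFORMED;
        uint8_t f = l4[13] & 0x3f; /* URG ACK PSH RST SYN FIN */
        /* Assumed "odd" set: no flags, FIN only, FIN+PSH+URG, SYN+FIN. */
        int odd = f == 0x00 || f == 0x01 || f == 0x29 || (f & 0x03) == 0x03;
        return odd ? ST_TCP_ODD_FLAGS : ST_NONE;
    }
    case 132: /* SCTP: 12-byte common header, then the first chunk's type */
        if (l4len < 13) return ST_MALFORMED;
        if (l4[12] == 1) return ST_SCTP_INIT;
        if (l4[12] == 10) return ST_SCTP_COOKIE_ECHO;
        return ST_NONE;
    }
    return ST_NONE; /* UDP: not one of the listed stimuli */
}

/* Constructed sample: minimal IPv4 header plus 20 zeroed payload bytes,
 * with one payload byte (off < 20) set to val. */
enum stimulus classify_sample(uint8_t proto, size_t off, uint8_t val) {
    uint8_t p[40] = { 0x45 };
    p[9] = proto;
    p[20 + off] = val;
    return classify(p, sizeof p);
}
```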

