[NTLUG:Discuss] Code Red Concerns Revisited
Daniel Hauck
xdesign at hotmail.com
Tue Sep 11 05:39:21 CDT 2001
Okay, now it looks like I'm conversing with myself...but I'm not because I'm
just rude enough to ignore myself for being too stupid.
I found this little bit of information floating on http://www.slashdot.org:
Re:Port 80 blocking (Score:3, Informative)
by All Dead Homiez on Monday September 10, @10:32PM (#2276426)
I'm not sure how widespread it is, but I observed that the way @home blocks
connections to port 80 in my area (western Milwaukee suburbs) is by setting
extra flags on all SYN packets headed to port 80. IIRC, these packets look
like elements of an XMAS scan under tcpdump - many extra flags, such as ACK,
FIN, and URG, are set and the packets are discarded as invalid by the stock
kernel (and rightly so).
What I did to counter this was to make a very quick and dirty patch to my
kernel, which accepted these malformed packets as normal SYN requests. The
result? Web services were back to normal and Apache is chugging away as we
speak. I've been doing this since the ban and have had no problems at all.
Might be something to try...
-all dead homiez
Re:Port 80 blocking (Score:0)
by Anonymous Coward on Monday September 10, @10:58PM (#2276482)
I had the same experience; this works in New Brunswick too. Here is the
patch I made:
--- tcp_input.c Sun Dec 10 18:49:44 2000
+++ /tmp/tcp_input.c Mon Sep 3 12:23:45 2001
@@ -2074,7 +2074,7 @@
/* These use the socket TOS..
* might want to be the received TOS
*/
- if(th->ack)
+ if(th->ack && !(th->source == 80 && th->fin))
return 1;
if(th->syn) {
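Review bot: the port test on the `+` line compares `th->source` to the host-order constant 80, but the TCP header port fields are in network byte order, so on a little-endian machine this matches source port 20480 and not 80; write it as `th->source == htons(80)`. The test is also on the source port, while the description above is about SYN packets headed to port 80, which would be `th->dest`, so one of the two needs correcting. Beyond that, the exception lets any segment with ACK and FIN set past the `if(th->ack) return 1;` rejection without also requiring `th->syn`, and it drops a sanity check the first poster notes the stock kernel applies "rightly so"; requiring the exact flag combination seen on the wire and adding a comment explaining why the check is relaxed would keep the exception as narrow as possible.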