There is this new revelation http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program-for-Internet-Colonization-2292681.html that NSA/GCHQ and others are massively using port scans to take over thousands of vulnerable servers, in order to use them as base points to start their attacks.

The article above proposes a kernel patch against this which can minimize attack surfaces a bit. This patch can be downloaded here: https://gnunet.org/knock

The patch was announced at the Gnu Hackers conference today: https://www.gnu.org/ghm/upcoming.html

I think it should be included in gentoo kernels.

Reproducible: Always
I guess it is not a vulnerability, CC'ing kernel@
This was not well received upstream, including the possibility of opening new security holes. I would like to see this discussion go in a way different direction before we could consider it for inclusion.