[9751] in bugtraq
Re: Preventing remote OS detection
daemon@ATHENA.MIT.EDU (route@RESENTMENT.INFONEXUS.COM)
Tue Feb 23 14:21:29 1999
Date: Mon, 22 Feb 1999 15:57:49 -0800
Reply-To: route@RESENTMENT.INFONEXUS.COM
From: route@RESENTMENT.INFONEXUS.COM
X-To: info@pgci.ca
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <36D18C0F.1184C638@pgci.ca> from "Patrick Gilbert" at Feb 22,
99 11:55:43 am
[Patrick Gilbert wrote]
|
| There are many other ways to determine the operating system as well,
| most of which are described in a fairly recent phrack article (number 54
| if I am correct)
You are correct. Phrack 54-09. http://www.phrack.com
| How can we mask our operating system from these tcp/ip stack
| fingerprinting tools while still being functional?
|
| The answer can be found in the latest security improvement module at:
|
| http://www.pgci.ca/fingerprint.html
While this article does offer some good advice towards risk mitigation,
there are a few key points I'd like to bring to the table.
The proposed Solaris solution (to change the default MSS to a larger value)
is still easily fingerprintable. Perhaps experimenting with psuedo-random
values within a `safe` threshold would be a bit better, but this too can
be fingerprinted.
The article does mention a few TCP fingerprint techniques, but not TCP
options, many of which are very stack specific.
The article doesn't touch down on the prevention of IP or ICMP related
fingerprinting. There's a probably good reason for this. It's somewhat
difficult and very implementation specific.
Filtering fringe packets will work to dissuade certain fingerprint checks,
others are based off of `normal` packets. For example, ICMP unreachable
packets are often filled with stack specific information. And the Solaris
stack seems to be one of the only ones out there that does path MTU
discovery by default (this is easily noticable by the presense of the DF
bit in the IP header).
The fact of the matter is that most of these fixes are stopgap measures and
not very extensible. The proper fix is standards compliance and ubiquitous
support. Of course the question then becomes which standards do we adhere
to, and what is to be done if there isn't standard defined behavior for
some instance...? That's a good one. I say, close the Internet for
repairs.
--
I live a world of paradox... My willingness to destroy is your chance for
improvement, my hate is your faith -- my failure is your victory, a victory
that won't last.
