[16739] in bugtraq
Re: The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
daemon@ATHENA.MIT.EDU (Jason Axley)
Wed Sep 13 12:16:28 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SOL.4.02.10009130820100.1385-100000@nofud.nwest.attws.com>
Date: Wed, 13 Sep 2000 08:29:42 -0700
Reply-To: Jason Axley <jason.axley@ATTWS.COM>
From: Jason Axley <jason.axley@ATTWS.COM>
X-To: "Walsh, Andrew" <Andrew_Walsh@ASC.AON.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <86256958.007BE30A.00@usmtacst02.aon.com>

As I've pointed out before, these do not stop all UNIcast
requests--mainly broadcast, as noted by the names of the parameters:
there is an ip_respond_to_address_mask_broadcast but _not_ an
ip_respond_to_address_mask parameter. So, you're stuck with allowing
these requests (although a liberal sprinkling of IPfilter could probably
take care of this).

gak@somehost:/home/gak/SING:30> sudo ndd -get /dev/ip ip_respond_to_address_mask_broadcast
0
gak@somehost:/home/gak/SING:30> sudo ./sing -mask somehost
SINGing to somehost (172.16.32.93): 12 data bytes
12 bytes from 172.16.32.93: icmp_seq=0 ttl=255 mask=255.255.254.0
12 bytes from 172.16.32.93: icmp_seq=1 ttl=255 mask=255.255.254.0
^C
--- nofud sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss

-Jason

On Tue, 12 Sep 2000, Walsh, Andrew wrote:
> Date: Tue, 12 Sep 2000 17:32:59 -0500
> From: "Walsh, Andrew" <Andrew_Walsh@ASC.AON.COM>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: [BUGTRAQ] The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
>
> > Since Sun Solaris answers for an ICMP address mask request and OpenBSD does
> > not, we can distinguish between those operating systems as well (they both
> > answer for ICMP Timestamp request).
> >
> > This is a simple operating system fingerprinting method, which does not
> > require additional and unusual patterns to be set.
>
> You can disable both ICMP address mask request and ICMP Timestamp (broadcast and
> unicast) under Solaris with ndd. The commands are:
>
> ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
> ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
> ndd -set /dev/ip ip_respond_to_timestamp 0
>
> These are recommended by Sun (along with other fun ndd commands) in their
> "Solaris Operating Environment Network Settings for Security By Alex
> Noordergraaf and Keith Watson", a Sun Blueprint available at
> http://www.sun.com/blueprints.
>
> Andrew Walsh
>
> "My thoughts are my own, not my company's"
>
--
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
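
Added example, not part of the original messages: a small Python classifier that a monitoring host could run over inbound ICMP to spot the address mask and timestamp requests discussed in this thread, and to report which of them have an ndd parameter (names taken from the messages above) and which are left to a packet filter. The packet bytes, the identifier 0x1234, the broadcast set and all function names are constructed for the illustration.

```python
import struct

# ICMP request types discussed in the thread (RFC 792, RFC 950).
PROBES = {13: "timestamp", 17: "address_mask"}
# ndd parameters named in the thread; no unicast address-mask parameter appears there.
NDD_PARAM = {
    ("address_mask", "broadcast"): "ip_respond_to_address_mask_broadcast",
    ("timestamp", "broadcast"): "ip_respond_to_timestamp_broadcast",
    ("timestamp", "unicast"): "ip_respond_to_timestamp",
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, seq: int, body: bytes) -> bytes:
    """Build a constructed sample ICMP message (code 0, fixed identifier)."""
    csum = inet_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + body)
    return struct.pack("!BBHHH", icmp_type, 0, csum, 0x1234, seq) + body

def classify(dst_ip: str, broadcasts: set, icmp: bytes):
    """Return a finding for an inbound probe, or None for other or damaged ICMP."""
    if len(icmp) < 8:
        return None
    icmp_type, _code, _csum, _ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in PROBES or inet_checksum(icmp) != 0:
        return None
    scope = "broadcast" if dst_ip in broadcasts else "unicast"
    param = NDD_PARAM.get((PROBES[icmp_type], scope))
    return {"probe": PROBES[icmp_type], "scope": scope, "seq": seq,
            "ndd_param": param, "needs_packet_filter": param is None}

# Constructed sample traffic: 172.16.32.93 with mask 255.255.254.0 (from the output
# above) gives a subnet broadcast address of 172.16.33.255.
BROADCASTS = {"172.16.33.255", "255.255.255.255"}
SAMPLE = [
    ("172.16.32.93", build_icmp(17, 0, b"\x00" * 4)),    # unicast mask request
    ("172.16.33.255", build_icmp(17, 1, b"\x00" * 4)),   # broadcast mask request
    ("172.16.32.93", build_icmp(13, 2, b"\x00" * 12)),   # unicast timestamp request
    ("172.16.32.93", build_icmp(8, 3, b"ping")),         # echo request, ignored
]

def findings():
    return [f for dst, msg in SAMPLE if (f := classify(dst, BROADCASTS, msg))]
```

Only the unicast address mask request comes back with needs_packet_filter set, which is the gap the first message describes.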