mailing list archives
Re: OS Detection Question
From: Fyodor <fyodor () insecure org>
Date: Sun, 7 May 2000 19:23:04 -0700 (PDT)
On Fri, 5 May 2000, Mr. Man wrote:
On Fri, 5 May 2000, Cameron Palmer wrote:
You'll list off your security measures and say we're lying about the OS
type, and how is it your OS masking hasn't introduced a new problem.
What problems might it introduce? So far I've read of none associated
with either the Linux patches, or with dropping packets with odd
combinations of TCP header flags set. This is not like just turning off
all ICMP and watching path MTU discovery break.
Attempting to defeat OS detection could cause all sorts of problems. And
in fact, the current attempts DO cause all sorts of problems. So far, I
have seen two main tools discussed for this purpose:
iplog -z (or --fool-nmap=true) : The man page for iplog
(http://ojnk.sourceforge.net/iplog.8.html) states: "Warning: This
option is dangerous and can set off network traffic storms."
KOSF ( http://www.hit2000.org/kosf/ ): This page says:
"As most of the systems that kosf can fake utilize the so called
64K rule, it gets easier to spoof the sequence number. But then again,
it is probably clear that faking an apple color laserwriter on a high
load computer is not a very good plan, as the printer was not designed
for that... "
One of the main OS detection techniques Nmap uses is to ask the machine
what its capabilities are. If you falsely claim to not have the
capabilities, you could lose important security/efficiency
functionality. If you falsely claim to have these, you could break
normal programs which expect you to back that up.
Other OS tests involve security -- for example TCP sequence prediction
tests and IP.ID prediction (not currently implemented). I think
compromising security features of your OS just to obscure the type/version
number is a bad idea.
And it is of course worth noting that true OS stealthing is basically
unachievable. You may be able to trick nmap with the default arguments,
but skilled attackers may use other tests and can also make inferences
based ont the raw nmap fingerprint.
Clearly, obscuring your OS (even from script kiddies) can have at least
some marginal value. But I certainly wouldn't risk futzing with my kernel
to achieve them.
Others may (and do) see the tradeoff differently and might consider OS
detection spoofing in some circumstances. But it seems that almost
everyone agrees that:
1) Never try to mask a real security vulnerability by pretending you are
using an OS that is not vulnerable. Fix the hole!
2) Make sure you take care of fundamental security issues like closing
unused ports, adding your filtering rules, and applying the latest
patches before worrying about esoteric stuff like OS detection
3) Don't become complacent or any less vigilant about aggressive security
maintenance and monitoring just because you think you have hidden your
Message not available
Re: OS Detection Question Mr. Man (May 04)
Re: OS Detection Question Max (May 04)