Re: [PATCH] OpenBSD Networking-related randomization port

To: Lorenzo Hernández García-Hierro <lorenzo@xxxxxxx>
Subject: Re: [PATCH] OpenBSD Networking-related randomization port
From: Stephen Hemminger <shemminger@xxxxxxxx>
Date: Fri, 28 Jan 2005 10:18:25 -0800
Cc: netdev@xxxxxxxxxxx
In-reply-to: <1106934475.3778.98.camel@xxxxxxxxxxxxxxxxxxxxx>
Newsgroups: linux.dev.kernel
Organization: Open Source Development Lab
References: <1106932637.3778.92.camel@xxxxxxxxxxxxxxxxxxxxx> <20050128174046.GR28047@xxxxxxxxx> <1106934475.3778.98.camel@xxxxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
On Fri, 28 Jan 2005 18:47:55 +0100
Lorenzo Hernández García-Hierro <lorenzo@xxxxxxx> wrote:

> On Fri, 28-01-2005 at 18:40 +0100, Adrian Bunk wrote:
> > On Fri, Jan 28, 2005 at 06:17:17PM +0100, Lorenzo Hernández García-Hierro 
> > wrote:
> > >...
> > > As its impact is minimal (in performance and development/maintenance
> > > terms), I recommend merging it, as it gives a basic prevention for the
> > > so-called system fingerprinting (which is used most by "kids" to know
> > > how old and insecure a target system could be, many times used as the
> > > first, even only, data to decide whether or not to attack the target host)
> > > among other things.
> > >...
> > 
> > "basic prevention"?
> > I hardly see how this patch makes OS fingerprinting by e.g. Nmap 
> > impossible.
> 
> That's an example, as you can find at the grsecurity handbook [1]:
> 
> "The default Linux TCP/IP-stack has some properties that make it more
> vulnerable to prediction-based hacks. By randomizing several items,
> predicting the behaviour will be a lot more difficult."

No it just changes the fingerprint table.  "Hmm, this looks like a
newer generation system, must be OpenBSD or Linux".

> "Randomized IP IDs hinders OS fingerprinting and will keep your machine
> from being a bounce for an untraceable portscan."
> 
> References:
>  [1]: http://www.gentoo.org/proj/en/hardened/grsecurity.xml

This is a very transitory effect; it works only because your machine
is then different from the typical Linux machine, so the scanner
will go on to the next obvious ones. But if this gets incorporated widely
then the rarity factor goes away and this defense becomes useless.

-- 
Stephen Hemminger       <shemminger@xxxxxxxx>
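The exchange above turns on two properties of the IP ID field: whether a host's IDs are predictable enough to make it usable as a third-party "bounce" in an idle port scan, and whether randomizing them removes a fingerprint or merely changes it. The following Python is an added example, not code from this thread, the kernel patch, or grsecurity; it audits a sequence of IP IDs observed from one's own host, classifies the generation pattern, and reports whether the IDs are predictable. All sample sequences are constructed for illustration, and the class names and thresholds are this example's own choices.

```python
"""Classify an observed sequence of IPv4 identification values.

Intended as a self-audit: sample the IP ID field from packets your own
host emits, then check whether the pattern is predictable (and therefore
usable as a bounce for an idle scan) or randomized. Note that the
classifier still returns a label for randomized IDs: randomization changes
the fingerprint class rather than removing the fingerprint.
"""

# Constructed sample sequences (not captured from any real host).
SEQUENTIAL_IDS = [4120, 4121, 4122, 4123, 4124, 4125, 4126, 4127]
WRAPPING_IDS = [65533, 65534, 65535, 0, 1, 2, 3]          # wraps at 2^16
BYTE_SWAPPED_IDS = [0x1000, 0x1100, 0x1200, 0x1300, 0x1400]  # +256 each: host-order counter sent unconverted
RANDOM_IDS = [53710, 2207, 38924, 17461, 61002, 9875, 44118, 30559]
ZERO_IDS = [0, 0, 0, 0, 0]

IPID_MODULUS = 1 << 16  # the identification field is 16 bits wide


def ipid_deltas(ids):
    """Differences between consecutive IDs, reduced modulo 2^16 so that a
    counter wrapping from 65535 to 0 still shows up as a delta of 1."""
    return [(later - earlier) % IPID_MODULUS for earlier, later in zip(ids, ids[1:])]


def classify_ipid_sequence(ids, min_samples=4, max_step=10):
    """Return one of: 'zero', 'constant', 'incremental', 'incremental-256',
    or 'random' for a list of IP IDs observed in emission order.

    Thresholds are illustrative: a per-packet counter on a lightly loaded
    host advances by a few units between samples, so steps of up to
    `max_step` are treated as incremental.
    """
    if len(ids) < min_samples:
        raise ValueError("need at least %d samples, got %d" % (min_samples, len(ids)))
    if any(not 0 <= i < IPID_MODULUS for i in ids):
        raise ValueError("IP ID values must fit in 16 bits")

    if all(i == 0 for i in ids):
        return "zero"                      # field unused (e.g. DF set, no counter)

    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"                  # same non-zero value every time
    if all(1 <= d <= max_step for d in deltas):
        return "incremental"               # classic global counter
    if all(d % 256 == 0 and 256 <= d <= 256 * max_step for d in deltas):
        return "incremental-256"           # counter emitted in host byte order
    return "random"                        # no simple structure detected


def ipid_predictable(ids):
    """True when the next ID can be guessed from the previous ones, which is
    what lets a third party use the host as an idle-scan bounce."""
    return classify_ipid_sequence(ids) in {"constant", "incremental", "incremental-256"}


if __name__ == "__main__":
    for name, sample in [("sequential", SEQUENTIAL_IDS), ("wrapping", WRAPPING_IDS),
                         ("byte-swapped", BYTE_SWAPPED_IDS), ("random", RANDOM_IDS),
                         ("zero", ZERO_IDS)]:
        print("%-12s class=%-16s predictable=%s"
              % (name, classify_ipid_sequence(sample), ipid_predictable(sample)))
```

To use it against a real host, feed in the identification values from a short packet capture of that host's outbound traffic in emission order. The returned class is exactly the sort of feature a fingerprint table keys on, which is the point made in the reply above: a "random" result means the host is no longer a usable bounce, but it still lands in a distinguishable class rather than in none.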

