From owner-freebsd-net@FreeBSD.ORG Sun Sep 5 02:05:31 2004
From: Clark Gaylord <gaylord@dirtcheapemail.com>
Date: Sat, 04 Sep 2004 22:05:24 -0400
To: Barney Wolff
cc: freebsd-net@freebsd.org, Wesley Shields, Colin Alston, vxp
Subject: Re: fooling nmap
Message-ID: <413A7464.4090204@dirtcheapemail.com>
In-Reply-To: <20040905005019.GA72836@pit.databus.com>
References: <20040904093042.B37306@digital-security.org> <20040904175028.GA25772@csh.rit.edu> <20040904132345.A38065@digital-security.org> <20040905005019.GA72836@pit.databus.com>
List-Id: Networking and TCP/IP with FreeBSD

Barney Wolff wrote:
> On Sat, Sep 04, 2004 at 01:28:28PM -0400, vxp wrote:
>> in other words, what would you guys say would be a _proper_ bsd-style thing to
>> do, if this were to be done?
>
> Nothing. If you want to pollute your kernel with nonsense of this
> sort, go right ahead, but leave mine alone. Adding frills detracts
> from security, even when they're only enabled by compile-time
> switches. The netinet code is already a challenge to follow or
> keep in mind all at once. Anything that makes the problem worse
> without a really big payoff is insane.

I very much concur with Barney's sentiment, but I would also point out that our decisions for various sysctl settings should be based on sound network engineering practices. If we mimic some OS by trying to replicate something stupid that it does, then we've compromised sound network engineering. It reeks of the "deny ICMP" stupidity you so often see in firewall configs.

OTOH, I think understanding why different OSes fingerprint differently is an extremely interesting pursuit, and good studies describing the many different strategies are fascinating if done well (not just the usual "this OS has its head up its ass" commentary, but really delving in to see "oh *that's* why they do that"). This "comparative literature" approach could build consensus for what the "right" approaches are and understanding of the reasonable alternatives. It may be that more consensus in approach would change the viability of fingerprinting anyway, and then for good reasons.

--ckg