From owner-freebsd-security  Fri Mar 29 13:21:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from vapour.net (vapour.net [198.96.117.180])
	by hub.freebsd.org (Postfix) with ESMTP id 547F237B405
	for <freebsd-security@FreeBSD.ORG>; Fri, 29 Mar 2002 13:21:48 -0800 (PST)
Received: from vapour.net (vapour.net [198.96.117.180])
	by vapour.net (8.11.6/8.11.6) with ESMTP id g2TLE4C04276;
	Fri, 29 Mar 2002 16:14:04 -0500 (EST)
	(envelope-from batsy@vapour.net)
Date: Fri, 29 Mar 2002 16:14:04 -0500 (EST)
From: batz <batsy@vapour.net>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Moti Levy <moti@flncs.com>, freebsd-security@FreeBSD.ORG
Subject: Re: How can I erase my fingertips .
In-Reply-To: <20020328182824.B25543@xor.obsecurity.org>
Message-ID: <Pine.BSF.4.21.0203291606380.401-100000@vapour.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thu, 28 Mar 2002, Kris Kennaway wrote:

:You might be able to fool (the current version of) nmap, but it's
:impossible to remove the characteristic features which allow one to
:distinguish between one IP stack and another.

Actually, I remember when I was doing intrusion tests against sites
with sidewinder, it seemed to shuffle its responses so that we would
get different fingerprints. I never verified whether this was a sidewinder
feature, or because there was a traffic director in front of it, but
it is a part of intrusion testing lore anyway. 

Also, because these fingerprints are specific signatures, and because
nmap can also be fingerprinted, one could simply write an equivalent
to fakeroute, which would listen for nmap OS scans, and jumble the 
responses. I realize this doesn't mean altering the stack tho. 

Funny, the security through obscurity (there needs to be a short form for
that) strategy never works, but improved security through adequate obfuscation
is often reasonable, while only just a few notches down the continuum. :) 




--
batz


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message