From: Chuck Swiger
Organization: The Courts of Chaos
Date: Sun, 05 Sep 2004 15:23:47 -0400
To: vxp
Cc: freebsd-net@freebsd.org
Subject: Re: fooling nmap
Message-ID: <413B67C3.1090106@mac.com>
In-Reply-To: <20040904135129.L38122@digital-security.org>
References: <20040904093042.B37306@digital-security.org> <20040904175028.GA25772@csh.rit.edu> <413A15DB.5010702@karnaugh.za.net> <20040904135129.L38122@digital-security.org>
List-Id: Networking and TCP/IP with FreeBSD

vxp wrote:
> On Sat, 4 Sep 2004, Colin Alston wrote:
>> My point was if it provides no security, then there is no point to it at
>> all.
>
> oh, but it does. it prevents them from gathering accurate information
> about your system. that's an extremely important part of the attack.

From your perspective, certainly, but you aren't a computer worm or virus.

The overwhelming majority of worms and viruses launch their attacks by
sweeping ranges of IP space-- generally starting on the local subnet, then
scanning in a more-or-less random fashion from there. They don't care what
your TCP stack looks like to nmap. They don't care what OS is running at
that IP address. Frankly, worms don't even care much whether the TCP or UDP
port they are trying to use is even open; they'll just move on to the next IP.

>> Most attackers are going to exploit things at a service level
>> anyway. What is the point of changing the fingerprint?
>
> ok, say your apache is vulnerable to whatever. an exploit for that apache
> under linux is one thing, under freebsd is another, under windows another,
> etc. the 'service level' won't work, if you got the OS wrong.

If your protection depends upon the attacker guessing the OS wrong, you're
screwed. The worm which assumes all machines have a cmd.com won't get
through, you're right, but that doesn't mean that a worm which assumes all
machines are FreeBSD machines is going to leave your IP alone just because
you pretend otherwise.

> there's very very few cross-platform vulnerabilities that share the _same_
> exploit code on _all_ platforms. actually, there's not a 'few'. there's
> none.

You're either not looking, or you don't understand what you see. Google for
"Perl vulnerabilities" or "SQL injection".

--
-Chuck

PS: Not trying to give you a hard time. If you think you can make changes
to src/sys/netinet/tcp_input.c and tcp_output.c which give you OS
concealment, and make the existing code smaller or better, by all means,
I'd be happy to take a look at those changes, and recommend them to others.