From owner-freebsd-net@FreeBSD.ORG Sat Sep 4 20:29:04 2004
Message-ID: <413A258B.5030506@bromirski.net>
Date: Sat, 04 Sep 2004 22:28:59 +0200
From: Łukasz Bromirski
To: freebsd-net@freebsd.org
References: <20040904093042.B37306@digital-security.org> <20040904175028.GA25772@csh.rit.edu> <413A15DB.5010702@karnaugh.za.net> <20040904135129.L38122@digital-security.org>
In-Reply-To: <20040904135129.L38122@digital-security.org>
Subject: Re: fooling nmap
List-Id: Networking and TCP/IP with FreeBSD

vxp wrote:
> oh, but it does. it prevents them from gathering accurate information
> about your system. that's an extremely important part of the attack.

Well, most of the automated trojans seen recently just connect and try to
execute some specific code. You won't beat them by turning off timestamps,
or selective ACKs, or changing the default window size for TCP. They won't
even notice Your hacks...

On the other hand, people that *really* want to get root on Your box will
fingerprint Your box (if it really matters to them) by means of the
services running and its typical role, not by "what TTL does it return?
OH, it's 199, I won't even try to get in, as it's probably some m4st4
inside...".

This whole thing about network stack virtualization and the ability to
influence Your network stack to the point where You're able to behave like
another OS is very interesting; there's even a good book about system
fingerprinting and identification coming out by Michal Zalewski[1]. But
for real-world systems, what's the use of mimicking Linux or a Cisco
router, when You're running Postfix, Apache, Courier-IMAP, pure-ftpd and
SSH on Your box, and the "I want Your disk-space" kid will try his SSH
exploits with an automated script whatever the fingerprint will be?

[1]. http://www.oreilly.com/catalog/1593270461/

-- 
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net