Date:      Sun, 05 Sep 2004 15:23:47 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        vxp <vxp@digital-security.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: fooling nmap
Message-ID:  <413B67C3.1090106@mac.com>
In-Reply-To: <20040904135129.L38122@digital-security.org>
References:  <20040904093042.B37306@digital-security.org> <20040904175028.GA25772@csh.rit.edu> <413A15DB.5010702@karnaugh.za.net> <20040904135129.L38122@digital-security.org>

vxp wrote:
> On Sat, 4 Sep 2004, Colin Alston wrote:
>> My point was if it provides no security, then there is no point to it at
>> all.
>
> oh, but it does. it prevents them from gathering accurate information
> about your system. that's an extremely important part of the attack.

From your perspective, certainly, but you aren't a computer worm or virus.

The overwhelming majority of worms and viruses launch their attacks by 
sweeping ranges of IP space-- generally starting on the local subnet, then 
scanning in a more-or-less random fashion from there.  They don't care what 
your TCP stack looks like to nmap.  They don't care what OS is running at that 
IP address.  Frankly, worms don't even care much whether the TCP or UDP port 
they are trying to use is even open, they'll just move on to the next IP.

>> Most attackers are going to exploit things at a service level
>> anyway. What is the point of changing the fingerprint?
> 
> ok, say your apache is vulnerable to whatever. an exploit for that apache
> under linux is one thing, under freebsd is another, under windows another,
> etc. the 'service level' won't work, if you got the OS wrong.

If your protection depends upon the attacker guessing the OS wrong, you're 
screwed.  The worm which assumes all machines have a cmd.com won't get 
through, you're right, but that doesn't mean that a worm which assumes all 
machines are FreeBSD machines is going to leave your IP alone just because you 
pretend otherwise.

> there's very very few cross-platform vulnerabilities that share the _same_
> exploit code on _all_ platforms. actually, there's not a 'few'. there's
> none.

You're either not looking, or you don't understand what you see.

Google for "Perl vulnerabilities" or "SQL injection".

-- 
-Chuck

PS: Not trying to give you a hard time.  If you think you can make changes to 
src/sys/netinet/tcp_input.c and tcp_output.c which give you OS concealment, 
and make the existing code smaller or better, by all means, I'd be happy to 
take a look at those changes, and recommend them to others.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?413B67C3.1090106>
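Chuck's closing point is that service-level bugs such as SQL injection carry the same exploit string no matter what OS or TCP stack sits underneath, so a disguised nmap fingerprint buys nothing against them. The following is an added example, not code from the thread or from FreeBSD: it builds a constructed in-memory SQLite table (the `users` table, the accounts, and the `login_*` function names are all hypothetical), sends one textbook injection payload through a string-concatenated query and through a parameterised one, and returns the resulting role so the difference can be checked rather than just printed.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real system.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
]

# The payload is plain ASCII SQL: it does not depend on the OS, the TCP
# stack, or anything an nmap -O scan could report. Closing the quote and
# adding an always-true disjunct is the same trick in every SQL dialect.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Authenticate by string-building the query (the injectable pattern).

    With PAYLOAD as the password the WHERE clause becomes
        username = 'nobody' AND password = '' OR '1'='1'
    and because AND binds tighter than OR the clause is true for every row,
    so the first row (alice, an admin) is returned.
    """
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the payload is compared as data."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_demo():
    """Return (vulnerable_result, safe_result) for the injection payload."""
    conn = make_db()
    return (
        login_vulnerable(conn, "nobody", PAYLOAD),
        login_safe(conn, "nobody", PAYLOAD),
    )


if __name__ == "__main__":
    vuln, safe = run_demo()
    print("concatenated query granted role:", vuln)   # admin
    print("parameterised query granted role:", safe)  # None
```

Nothing in the vulnerable path consults the operating system; the only thing the attacker needed right was the shape of the query, which is why a stack-level disguise does not enter into it. The fix is equally OS-independent: bind parameters, so the quote in the payload is data rather than syntax.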