Slashdot Mirror


OS Fingerprinting in OpenBSD's PF Firewall

Dan writes "Mike Frantzen has committed "Passive operating system fingerprinting" to PF, which exposes the source host's OS to the filter language. The goal of this work is to allow firewalling decisions to take place based not only on the source of a connection, but the operating system of that source. Powerful policy enforcement is now possible, such as redirecting all older Windows boxes to a web site telling them to upgrade, or blocking all Windows boxes from connecting to mail servers (damn worms). A writeup can be found here. Please help contribute to the OS fingerprint database by going to http://lcamtuf.coredump.cx/p0f-help/ and typing in your OS description if it does not recognize your OS." Sorry - my fault. It is a dupe.
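
A worked example, added here and not part of the story or of PF's own code: a small Python p0f-style matcher that derives a SYN signature (window size, initial TTL, DF bit, option layout) from a raw IPv4/TCP packet, looks it up in a signature table, and applies the summary's mail-server policy while letting unknown fingerprints pass rather than treating a guess as fact. The signature table, the packet builder and the port-25 rule are assumptions for illustration, not p0f's real fingerprint file or pf.conf syntax.

```python
import struct

# Constructed signature table in the spirit of p0f's (window, initial TTL,
# DF, option layout) entries; illustrative values, not p0f's fingerprint file.
SIGNATURES = {
    (65535, 128, 1, "M,N,N,S"): "Windows (constructed sig)",
    (16384, 64, 1, "M,N,W,N,N,T,S"): "OpenBSD (constructed sig)",
}
OPT_NAMES = {2: "M", 3: "W", 4: "S", 8: "T"}  # MSS, wscale, SACK-OK, timestamp


def option_layout(opts):
    """Walk the TCP option bytes and emit a p0f-style layout like 'M,N,N,S'."""
    names, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:               # end-of-options list (padding follows)
            break
        if kind == 1:               # NOP carries no length byte
            names.append("N")
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        names.append(OPT_NAMES.get(kind, "?"))
        i += length
    return ",".join(names)


def fingerprint(pkt):
    """Derive (window, initial TTL, DF, layout) from a raw IPv4+TCP SYN. The TTL
    is rounded up to a common initial value so hop count does not matter; the
    result describes the stack that sent the SYN, which behind a proxy or NAT
    box is that box, not the client behind it."""
    ihl = (pkt[0] & 0x0F) * 4
    df = 1 if struct.unpack("!H", pkt[6:8])[0] & 0x4000 else 0
    ttl = next(t for t in (32, 64, 128, 255) if pkt[8] <= t)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:      # only a bare SYN (no ACK) is fingerprinted
        raise ValueError("not a SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    return (window, ttl, df, option_layout(tcp[20:doff]))


def guess_os(pkt):
    return SIGNATURES.get(fingerprint(pkt), "unknown")


def policy(pkt, dst_port):
    """The story's use case: keep Windows stacks off the mail port. Unknown
    fingerprints pass; a non-match is not evidence of anything."""
    if dst_port == 25 and guess_os(pkt).startswith("Windows"):
        return "block"
    return "pass"


def build_syn(ttl, df, window, options):
    """Construct a minimal IPv4+TCP SYN (checksums left zero) as sample input."""
    options += b"\x00" * (-len(options) % 4)   # options are padded to 32 bits
    doff = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + doff, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, (doff // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options
```

A SYN with the same window and TTL class but a different option layout, or arriving after a proxy rewrote it, simply lands on "unknown" and passes.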

52 comments

  1. DUPLICATE!!!!! by Anonymous Coward · · Score: 1, Redundant

    I mean, c'mon mods, a simple search:
    http://slashdot.org/search.pl?query=openbsd
    would show that this was posted not four days ago:
    http://slashdot.org/article.pl?sid=03/08/22/0010230


    1. Re:DUPLICATE!!!!! by Anonymous Coward · · Score: 0

      Major dupe. Wish they would check the archives before posting these dupes.

  2. MAJOR DUPE by MBCook · · Score: 1, Offtopic
    OK, this is a dupe of the LAST STORY IN THE BSD SECTION. Come on guys.

    Original.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.

    1. Re:MAJOR DUPE by Anonymous Coward · · Score: 0

      That's odd. I missed that one. It appears in the main section instead of the BSD section -- it's green instead of red. But there's no way a main-section story could attract only 17 posts! Something funny is going on ...

  3. If only... by moof1138 · · Score: 5, Funny

    there was a firewall that sensed and deleted duplicate slashdot stories...

    --

    Hyperbole is the worst thing ever.

    1. Re:If only... by Anonymous Coward · · Score: 0

      Sure, we all know that *BSD is a failure, but why? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?

      The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.

    2. Re:If only... by drinkypoo · · Score: 1

      I believe that is a problem to be solved at the site programming level. You are attempting to move many layers away... Or perhaps at the user level (i.e., the layer in between keyboard and chair.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  4. So glad... by Anonymous Coward · · Score: 0

    ...this is a dupe. Thought I'd dreamt it, that woulda been freaky. Man, I hate Mondays!

  5. Proxies? by sporty · · Score: 4, Interesting

    What about proxies and socks servers? There's prolly more useful things to do w/ this than redirect for content reasons.

    --

    -
    ping -f 255.255.255.255 # if only

  6. Duplicate Stories are Dying by mcgroarty · · Score: 5, Funny
    It is official; Netcraft confirms: Duplicate stories are dying

    One more crippling bombshell hit the already beleaguered Slashdot community when IDC confirmed that duplicate story count has dropped yet again, now down to less than a fraction of 1 percent of all stories. Coming on the heels of a recent Netcraft survey which plainly states that duplicate stories have lost more Slashdot share, this news serves to reinforce what we've known all along. Duplicate stories are collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Slashdot poll.

    You don't need to be a Kreskin to predict duplicate stories' future. The handwriting is on the wall: Duplicate stories face a bleak future. In fact there won't be any future at all for duplicate stories because duplicate stories are dying. Things are looking very bad for duplicate stories. As many of us are already aware, duplicate stories continue to lose article share. Red ink and cancellations flow like a river of blood.

    Slashdot duplicate stories are the most endangered of them all, having lost 93% of their editor acceptances. The sudden and unpleasant departures of long time topics BSD Packet Filters and Ear on the Back of a Mouse only serve to underscore the point more clearly. There can no longer be any doubt: Duplicate stories are dying.

    Let's keep to the facts and look at the numbers.

    Slashdot Admin leader Hemos states that there are 7000 users of Slashdot. How many users of K5 are there? Let's see. The number of Slashdot versus K5 posts is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 K5 users. Duplicate story posts on Slashdot are about half of the volume of K5 posts. Therefore there are about 700 users of K5 submitting dupes. A recent article put Slashdot duplicate stories at about 80 percent of the Slashdot story pool. Therefore there are (7000+1400+700)*4 = 36400 Slashdot users. This is consistent with the number of Slashdot posts.

    Due to the troubles of Ear on a Mouse stories' abysmal duplicate posting rate, duplicate stories are going out of style and will probably be taken over by Natalie Portman trolls who post another type of story. Now duplicate stories are also dead, their corpse turned over to yet another charnel house.

    All major surveys show that duplicate stories have steadily declined in market share. Duplicate stories are very sick and their long term survival prospects are very dim. If duplicate stories are to survive at all it will be among trolling dilettante dabblers. Duplicate stories continue to decay. Nothing short of a miracle could save them at this point in time. For all practical purposes, duplicate stories are dead.

    Fact: Duplicate stories are dying

    1. Re:Duplicate Stories are Dying by Anonymous Coward · · Score: 0

      Sorry, but you misspelled *BSD is dying.

  7. So that's why SCO's website is down by amcnabb · · Score: 2, Funny

    SCO must have stolen this and then set up their website so that Linux people can't get to it.

  8. can't wait 4 this by pauldy · · Score: 1, Insightful

    Yea this is nice. I can't wait to be redirected to the MS site to upgrade the next time I sit down at a mac. I cannot believe they think this will be viable.

    1. Re:can't wait 4 this by thebigmacd · · Score: 2, Interesting

      The whole point of this is that it is OS fingerprinting... I'm sure the MacOS network stack is not the same as any MS OS. As a matter of fact I'm fairly sure the OSX network stack is quite identifiable as a non-MS product.

    2. Re:can't wait 4 this by innosent · · Score: 5, Interesting

      It is viable. After all, how many non-windows machines are infected with Blaster? If you use RPC for something (don't know why anyone would, but...), and don't want Blaster pounding away at your server, you could use the filter to drop all of the packets coming on that port from Windows.

      On a related note, let's say you do a lot of communicating between two servers, or between some remote workstations and a server, but don't allow public access. If there's no legitimate reason why a specific OS would connect to your server, why let it? Hell, just by dropping Windows, you get rid of most of the script kiddies. Maybe drop Linux, if you don't use it, to get rid of the rest of them. Probably very few script kiddies run *BSD. Sure, it's security through obscurity, but most kids will probably just overlook your server, which is a good thing. If they don't know it's there, they probably won't attack it.

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.

    3. Re:can't wait 4 this by Triumph+The+Insult+C · · Score: 0, Flamebait

      "better get your brain examined"

      Name crap software from OpenBSD.

      If it were crap, it would not be in OpenBSD.

      If you've got absolutely no confidence in p0f, then help them gather more information and populate their db if your system isn't detected properly.

      --
      vodka, straight up, thank you!

    4. Re:can't wait 4 this by pauldy · · Score: 1

      Brain examined. Obviously you're new to the idea of networking so let me throw you a wrench. Ever hear of a proxy? Believe it or not they are still in use. Not everyone gets full NAT at their desktop. There are numerous other examples of wrenches that f this system up. Granted for the most part they are the exception not the rule, but if people start relying on it to tell others what they need to do before they visit their site then guess what, it will cause problems for people. So to recap, this isn't the greatest thing since sliced bread to keep people up to date. Nor should it be relied upon as factual that every system it finds is exactly what it is reported to be.

    5. Re:can't wait 4 this by pauldy · · Score: 1

      But what if your proxy is a win2k box. The packets your mac generated never actually see the outside of the network.

    6. Re:can't wait 4 this by pauldy · · Score: 2, Informative

      You make some interesting points on how it could be used in a network that may or may not be usable to some so I guess it is better to have them there than not. I personally was more concerned with the notion presented in the slashdot article that people would use this to redirect people off their websites to upgrade sites based off their fingerprint. As for the religion here, to each his or her own. The only thing I would really hate to see is people using this to deny others access based off what is really nothing more than an educated guess as to what is on the other end of that syn.

    7. Re:can't wait 4 this by Triumph+The+Insult+C · · Score: 2, Insightful

      if you have proxies in your network that you're not aware of, don't complain to me about it. meanwhile, if there are network devices on your network that you don't control, that's your problem.

      i am very aware of what proxies are. i manage two.

      if p0f was crap, it would not be in OpenBSD. alas, it is.

      --
      vodka, straight up, thank you!

    8. Re:can't wait 4 this by pauldy · · Score: 1

      It isn't about having proxies you aren't aware of, and while you're trying to sound knowledgeable your undercoat is showing. Also I don't remember saying it was crap, but I do believe that placing it in BSD will give people the false impression that this is an exacting technology and the simple fact is that it isn't. If you still feel the need to troll then I suggest you find yourself a mentor who can tell you why this isn't a great idea and where the holes are with it, because it is becoming increasingly obvious you're not reading what I'm writing.

    9. Re:can't wait 4 this by Triumph+The+Insult+C · · Score: 1

      lol, ok dude. you got me. i'm really a 9 year old /.-reading-theo-obsessed troll.

      maybe you're right. maybe it should be in gnu/linux. then it will be known to be crap. maybe sco has ip for that too.

      please, shut the fuck up now.

      --
      vodka, straight up, thank you!

    10. Re:can't wait 4 this by cozman69 · · Score: 1

      BSD is FUCK YOU.

    11. Re:can't wait 4 this by pauldy · · Score: 1

      Such vulgar language, such an inept tone. Maybe you could find it in your heart to read next time and realize it has nothing to do with the platform it is on.

    12. Re:can't wait 4 this by Anonymous Coward · · Score: 0

      It doesn't matter, its the source that it fingerprints. I'm behind dual NAT firewall and it got my OS and SP level correct

    13. Re:can't wait 4 this by drinkypoo · · Score: 1

      If you go to windows update, you are sent to a page for your operating system, but you can get access to updates for other microsoft operating systems from it as well, and just download the files. All this, without even using this technology. Furthermore many sites today will look at your browser type and send you someplace, that includes your OS, and it's just as rude and often causes poor results, but is considered necessary to compensate for changes in layout results between browsers.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  9. Dupe Dupe Dupe by Anonymous Coward · · Score: 0

    Hey I mean, c'mon mods, a simple search would show that this was posted not four days ago.

  10. Re:BSD problems by williewang · · Score: 1
    Without trying to sound patronizing or mean, I think your configuration and/or setup is in terrible form. I've never heard of such problems, actually, so you may well have just had some bad luck--it's not impossible.

    Truthfully, as one who really likes FreeBSD, I use Linux for my laptop with a vmware image of Windows so I can run the applications I need for work. GNU/Linux is just better at that sort of thing because there is more support and people willing to contribute to the code. I also use OpenBSD and Solaris and OSX. It just depends on what you want and what you are looking for.

    As to your question regarding why anyone would choose BSD, ask Yahoo, ask Pair Networks, ask NYInet, or little ol' me--it absolutely screams as a server. Very stable, very secure, and there is a consistent structure to it. There aren't several major, and dozens of smaller, distros. And the different BSDs complement each other well without animosity, which leads to the next point.

    The culture is much more, well, mature. There aren't too many 15 year olds using *BSD with Bill Gates' face on a dartboard. If xine or quake under wine is working too well, who really cares? It seems to be a user community more interested in making servers work--period. Tux Racer and other stuff is great and not without value, but Yahoo isn't interested in that--and neither are many of us.

    Hope that answers the bulk of your questions.

    --Willie

  11. Dealing with loss by Anonymous Coward · · Score: 0
    While it is true that BSD is dying, there are some helpful steps you can take:
    • deal with the inevitable.
    • grieve for your loss.
    • move on.
    Never let your emotions get tangled up with something as silly as a computer
    operating system. It isn't healthy. So BSD fails. Big whoop. Deal with it and move on.

  12. Re:BSD problems by Census+BSD+User · · Score: 1

    You have been registered.

    --
    Read here about the slashdot

  13. Re:first post by Anonymous Coward · · Score: 0

    It's dead, Jim.

  14. QNX misidentification by Animats · · Score: 1

    It identifies QNX 6.2.1NC as "NetBSD 1.3", from both Voyager and Mozilla browsers. That's not totally surprising; QNX's "big" TCP stack is modelled after BSD, although it's a program running in user space, not part of the kernel.

  15. Developer laments: What Killed FreeBSD by Anonymous Coward · · Score: 0
    The End of FreeBSD

    [Ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]

    When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.

    Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.

    FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.

    It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.

    So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.

    Discussion

    I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.

    From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.

    There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.

    Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.

    Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?

    Shouts

    To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.

    To the bulk of the FreeBSD committerbase and the developer community at large - keep your eyes on the real goals. I