OS Fingerprinting in OpenBSD's PF Firewall

← Back to Stories (view on slashdot.org)

OS Fingerprinting in OpenBSD's PF Firewall

Posted by Hemos on Monday August 25, 2003 @01:04AM from the filtering-it-through dept.

Dan writes "Mike Frantzen has committed "Passive operating system fingerprinting" to PF which exposes the source host's OS to the filter language. The goal of this work is to allow firewalling decisions to take place based not only on the source of a connection, but the operating system of that source. Powerful policy enforcement is now possible such as redirecting all older windows boxes to a web site telling them to upgrade. Or blocking all windows boxes from connecting to mail servers (damn worms). A writeup can be found here. Please help contribute to the OS fingerprint database by going to http://lcamtuf.coredump.cx/p0f-help/ and typing in your OS description if it does not recognize your OS." Sorry - my fault. It is a dupe.

22 of 52 comments (clear)

DUPLICATE!!!!! by Anonymous Coward · 2003-08-25 01:14 · Score: 1, Redundant

I mean, c'mon mods, a simple search:
http://slashdot.org/search.pl?query=openbsd
would show that this was posted not four days ago:
http://slashdot.org/article.pl?sid=03/08/22/001023 0
MAJOR DUPE by MBCook · 2003-08-25 01:16 · Score: 1, Offtopic

OK, this is a dupe of the LAST STORY IN THE BSD SECTION. Come on guys.
Origonal.

--
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
If only... by moof1138 · 2003-08-25 01:18 · Score: 5, Funny

there was a firewall that sensed and deleted duplicate slashdot stories...

--

Hyperbole is the worst thing ever.
1. Re:If only... by drinkypoo · 2003-09-01 14:00 · Score: 1
  
  I believe that is a problem to be solved at the site programming level. You are attempting to move many layers away... Or perhaps at the user level (IE, the layer in between keyboard and chair.)
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Proxies? by sporty · 2003-08-25 01:25 · Score: 4, Interesting

What about proxies and socks servers? There's prolly more useful things to do w/ this than redirect for content reasons.

--
-
ping -f 255.255.255.255 # if only
Duplicate Stories are Dying by mcgroarty · 2003-08-25 01:43 · Score: 5, Funny

It is official; Netcraft confirms: Duplicate stories are dying
One more crippling bombshell hit the already beleaguered Slashdot community when IDC confirmed that duplicate story count has dropped yet again, now down to less than a fraction of 1 percent of all stories. Coming on the heels of a recent Netcraft survey which plainly states that duplicate stories have lost more Slashdot share, this news serves to reinforce what we've known all along. Duplicate stories are collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Slashdot poll.
You don't need to be a Kreskin to predict duplicate stories' future. The hand writing is on the wall: Duplicate stories face a bleak future. In fact there won't be any future at all for duplicate stories because duplicate stories are dying. Things are looking very bad for duplicate stories. As many of us are already aware, duplicate stories continue to lose article share. Red ink and cancellations flow like a river of blood.
Slashdot duplicate stories are the most endangered of them all, having lost 93% of its editor acceptances. The sudden and unpleasant departures of long time topics BSD Packet Filters and Ear on the Back of a Mouse only serve to underscore the point more clearly. There can no longer be any doubt: Duplicate stories are dying.
Let's keep to the facts and look at the numbers.
Slashdot Admin leader Hemos states that there are 7000 users of Slashdot. How many users of K5 are there? Let's see. The number of Slashdot versus K5 posts is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 K5 users. Duplicate story posts on Slashdot are about half of the volume of K5 posts. Therefore there are about 700 users of K5 submitting dupes. A recent article put Slashdot duplicate stories at about 80 percent of the Slashdot story pool. Therefore there are (7000+1400+700)*4 = 36400 Slashdot users. This is consistent with the number of Slashdot posts.
Due to the troubles of Ear on a Mouse stories' abysmal duplicate posting rate, duplicate stories are going out of style and will probably be taken over by Natalie Portman trolls who post another type of story. Now duplicate stories are also dead, their corpse turned over to yet another charnel house.
All major surveys show that duplicate stories have steadily declined in market share. Duplicate stories are very sick and their long term survival prospects are very dim. If duplicate stories are to survive at all it will be among trolling dilettante dabblers. Duplicate stories continue to decay. Nothing short of a miracle could save them at this point in time. For all practical purposes, duplicate stories are dead.
Fact: Duplicate stories are dying
So that's why SCO's website is down by amcnabb · 2003-08-25 01:47 · Score: 2, Funny

SCO must have stolen this and then set up their website so that Linux people can't get to it.
can't wait 4 this by pauldy · 2003-08-25 02:12 · Score: 1, Insightful

Yea this is nice. I can't wait to be redirected to the MS site to upgrade the next time I sit down at a mac. I cannot believe they think this will be viable.
1. Re:can't wait 4 this by thebigmacd · 2003-08-25 02:18 · Score: 2, Interesting
  
  The whole point of this is that it is OS fingerprinting...I'm sure the MacOS network stack is not the same as any MS OS. as a matter of fact I'm fairly sure the OSX network stack is quite identifiable as a non-MS product.
2. Re:can't wait 4 this by innosent · 2003-08-25 02:39 · Score: 5, Interesting
  
  It is viable. After all, how many non-windows machines are infected with Blaster? If you use RPC for something (don't know why anyone would, but...), and don't want Blaster pounding away at your server, you could use the filter to drop all of the packets coming on that port from Windows.
  
  On a related note, lets say you do a lot of communicating between two servers, or between some remote workstations and a server, but don't allow public access. If there's no legitimate reason why a specific OS would connect to your server, why let it? Hell, just by dropping Windows, you get rid of most of the script kiddies. Maybe drop Linux, if you don't use it, to get rid of the rest of them. Probably very few script kiddies run *BSD. Sure, it's security through obscurity, but most kids will probably just overlook your server, which is a good thing. If they don't know it's there, they probably won't attack it.
  
  --
  --That's the point of being root, you can do anything you want, even if it's stupid.
3. Re:can't wait 4 this by pauldy · 2003-08-25 11:06 · Score: 1
  
  Brain examined. Obviously your new to the idea of networking so let me throw you a wrench. Every hear of a proxy? Believe it or not they are still in use. Not everyone gets full NAT at their desktop. There are numerous other examples of wrenches that f this sytem up. Granted for the most part they are the exception not the rule but if people start relying on it to tell others what they need to do before they visit their site then guess what it will cause problems for people. So to recap this isn't the greatest thing since sliced bread to keep people up to date. Nore should it be relied upon as a factual they every system it finds is exactly what it is reported to be.
4. Re:can't wait 4 this by pauldy · 2003-08-25 11:09 · Score: 1
  
  But what if your proxy is a win2k box. The packets yoru mac generated never actually see the outside of the network.
5. Re:can't wait 4 this by pauldy · 2003-08-25 11:14 · Score: 2, Informative
  
  You make some interesting points on how it could be used in a network that may or may not be usable to some so I guees it is better to have them there than not. I personally was more concerned with the notion presented in the slashdot article that people would use this to redirect people off their websites to upgrade sites based of their fingerprint. As for the religion here to each his or her own. The only thing I would really hate to see is people using this to deny others access based off what is really nothing more than an educated guess as to what is on the other end of that syn.
6. Re:can't wait 4 this by Triumph+The+Insult+C · 2003-08-25 17:23 · Score: 2, Insightful
  
  if you have proxies in your network that you're not aware of, don't complain to me about it. meanwhile, if there are network devices on your network that you don't control, that's your problem.
  
  i am very aware of what proxies are. i manage two.
  
  if p0f was crap, it would not be in OpenBSD. alas, it is.
  
  --
  vodka, straight up, thank you!
7. Re:can't wait 4 this by pauldy · 2003-08-26 02:55 · Score: 1
  
  It isn't about having proxies you aren't aware of and while your trying to sound knowledgeable your undercoat is showing. Also I don't remember saying it was crap but I do believe that placing in BSD will give people the false impression that this is an exacting technology and the simple fact is that it isn't. If you still feel the need to troll then I suggest you find yourself a mentor who can tell you why this isn't a great idea and were the holes are with it because it is becoming increasingly obvious your not reading what I'm writing.
8. Re:can't wait 4 this by Triumph+The+Insult+C · 2003-08-26 03:22 · Score: 1
  
  lol, ok dude. you got me. i'm really a 9 year old /.-reading-theo-obsessed troll.
  
  maybe you're right. maybe it should be in gnu/linux. then it will known to be crap. maybe sco has ip for that too.
  
  please, shut the fuck up now.
  
  --
  vodka, straight up, thank you!
9. Re:can't wait 4 this by cozman69 · 2003-08-27 13:43 · Score: 1
  
  BSD is FUCK YOU.
10. Re:can't wait 4 this by pauldy · 2003-08-29 03:44 · Score: 1
  
  Such vulgar language, such an inept tone. Maybe you could find it in your heart to read next time and realize it has nothing to do with the platform it is on.
11. Re:can't wait 4 this by drinkypoo · 2003-09-01 14:04 · Score: 1
  
  If you go to windows update, you are sent to a page for your operating system, but you can get access to updates for other microsoft operating systems from it as well, and just download the files. All this, without even using this technology. Furthermore many sites today will look at your browser type and send you someplace, that includes your OS, and it's just as rude and often causes poor results, but is considered necessary to compensate for changes in layout results between browsers.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:BSD problems by williewang · 2003-08-29 05:22 · Score: 1

Without trying to sound patronizing or mean, I think your configuration and/or setup is in terrible form. I've never heard of such problems, actually, so you may well have just had some bad luck--it's not impossible.
Truthfully, as one who really likes FreeBSD, I use Linux for my laptop with a vmware image of Windows so I can run the applications I need for work. GNU/Linux is just better at that sort of thing because there is more support and people willing to contribute to the code. I also use OpenBSD and Solaris and OSX. It just depends on what you want and what you are looking for.
As to your question regarding why anyone would choose BSD, ask Yahoo, ask Pair Networks, ask NYInet, or little ol' me--it absolutely screams as a server. Very stable, very secure, and there is a consistent structure to it. There aren't several major, and dozens of smaller, distros. And the different BSDs compliment each other well without animosity, which leads to the next point.
The culture is much more, well, mature. There aren't too many 15 year olds using *BSD with Bill Gates' face on a dartboard. If xine or quake under wine is working too well, who really cares? It seems to be a user community more interested in making servers work--period. Tux Racer and other stuff is great and not without value, but Yahoo isn't interested in that--and neither are many of us.
Hope that answers the bulk of your questions.
--Willie
Re:BSD problems by Census+BSD+User · 2003-08-30 21:34 · Score: 1

You have been registered.

--
Read here about the slashdot
QNX misidentification by Animats · 2003-08-31 16:17 · Score: 1

It identifies QNX 6.2.1NC as "NetBSD 1.3", from both Voyager and Mozilla browsers. That's not totally surprising; QNX's "big" TCP stack is modelled after BSD, although it's a program running in user space, not part of the kernel.