Slashdot Mirror
OS Fingerprinting in OpenBSD's PF Firewall
Dan writes "Mike Frantzen has committed "Passive operating system fingerprinting" to PF which exposes the source host's OS to the filter language. The goal of this work is to allow firewalling decisions to take place based not only on the source of a connection, but the operating system of that source. Powerful policy enforcement is now possible such as redirecting all older windows boxes to a web site telling them to upgrade. Or blocking all windows boxes from connecting to mail servers (damn worms). A writeup can be found here. Please help contribute to the OS fingerprint database by going to http://lcamtuf.coredump.cx/p0f-help/ and typing in your OS description if it does not recognize your OS." Sorry - my fault. It is a dupe.
there was a firewall that sensed and deleted duplicate slashdot stories...
Hyperbole is the worst thing ever.
What about proxies and socks servers? There's prolly more useful things to do w/ this than redirect for content reasons.
-
ping -f 255.255.255.255 # if only
One more crippling bombshell hit the already beleaguered Slashdot community when IDC confirmed that duplicate story count has dropped yet again, now down to less than a fraction of 1 percent of all stories. Coming on the heels of a recent Netcraft survey which plainly states that duplicate stories have lost more Slashdot share, this news serves to reinforce what we've known all along. Duplicate stories are collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Slashdot poll.
You don't need to be a Kreskin to predict duplicate stories' future. The hand writing is on the wall: Duplicate stories face a bleak future. In fact there won't be any future at all for duplicate stories because duplicate stories are dying. Things are looking very bad for duplicate stories. As many of us are already aware, duplicate stories continue to lose article share. Red ink and cancellations flow like a river of blood.
Slashdot duplicate stories are the most endangered of them all, having lost 93% of its editor acceptances. The sudden and unpleasant departures of long time topics BSD Packet Filters and Ear on the Back of a Mouse only serve to underscore the point more clearly. There can no longer be any doubt: Duplicate stories are dying.
Let's keep to the facts and look at the numbers.
Slashdot Admin leader Hemos states that there are 7000 users of Slashdot. How many users of K5 are there? Let's see. The number of Slashdot versus K5 posts is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 K5 users. Duplicate story posts on Slashdot are about half of the volume of K5 posts. Therefore there are about 700 users of K5 submitting dupes. A recent article put Slashdot duplicate stories at about 80 percent of the Slashdot story pool. Therefore there are (7000+1400+700)*4 = 36400 Slashdot users. This is consistent with the number of Slashdot posts.
Due to the troubles of Ear on a Mouse stories' abysmal duplicate posting rate, duplicate stories are going out of style and will probably be taken over by Natalie Portman trolls who post another type of story. Now duplicate stories are also dead, their corpse turned over to yet another charnel house.
All major surveys show that duplicate stories have steadily declined in market share. Duplicate stories are very sick and their long term survival prospects are very dim. If duplicate stories are to survive at all it will be among trolling dilettante dabblers. Duplicate stories continue to decay. Nothing short of a miracle could save them at this point in time. For all practical purposes, duplicate stories are dead.
Fact: Duplicate stories are dying
SCO must have stolen this and then set up their website so that Linux people can't get to it.
The whole point of this is that it is OS fingerprinting...I'm sure the MacOS network stack is not the same as any MS OS. as a matter of fact I'm fairly sure the OSX network stack is quite identifiable as a non-MS product.
It is viable. After all, how many non-windows machines are infected with Blaster? If you use RPC for something (don't know why anyone would, but...), and don't want Blaster pounding away at your server, you could use the filter to drop all of the packets coming on that port from Windows.
On a related note, lets say you do a lot of communicating between two servers, or between some remote workstations and a server, but don't allow public access. If there's no legitimate reason why a specific OS would connect to your server, why let it? Hell, just by dropping Windows, you get rid of most of the script kiddies. Maybe drop Linux, if you don't use it, to get rid of the rest of them. Probably very few script kiddies run *BSD. Sure, it's security through obscurity, but most kids will probably just overlook your server, which is a good thing. If they don't know it's there, they probably won't attack it.
--That's the point of being root, you can do anything you want, even if it's stupid.
You make some interesting points on how it could be used in a network that may or may not be usable to some so I guees it is better to have them there than not. I personally was more concerned with the notion presented in the slashdot article that people would use this to redirect people off their websites to upgrade sites based of their fingerprint. As for the religion here to each his or her own. The only thing I would really hate to see is people using this to deny others access based off what is really nothing more than an educated guess as to what is on the other end of that syn.
if you have proxies in your network that you're not aware of, don't complain to me about it. meanwhile, if there are network devices on your network that you don't control, that's your problem.
i am very aware of what proxies are. i manage two.
if p0f was crap, it would not be in OpenBSD. alas, it is.
vodka, straight up, thank you!