Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Operating Systems BSD

OS Fingerprinting in OpenBSD's PF Firewall 52

Dan writes "Mike Frantzen has committed "Passive operating system fingerprinting" to PF which exposes the source host's OS to the filter language. The goal of this work is to allow firewalling decisions to take place based not only on the source of a connection, but the operating system of that source. Powerful policy enforcement is now possible such as redirecting all older windows boxes to a web site telling them to upgrade. Or blocking all windows boxes from connecting to mail servers (damn worms). A writeup can be found here. Please help contribute to the OS fingerprint database by going to http://lcamtuf.coredump.cx/p0f-help/ and typing in your OS description if it does not recognize your OS." Sorry - my fault. It is a dupe.
This discussion has been archived. No new comments can be posted.

OS Fingerprinting in OpenBSD's PF Firewall

Comments Filter:
  • DUPLICATE!!!!! (Score:1, Redundant)

    by Anonymous Coward

    I mean, c'mon mods, a simple search:
    would show that this was posted not four days ago:


  • MAJOR DUPE (Score:2, Offtopic)

    by MBCook ( 132727 )
    OK, this is a dupe of the LAST STORY IN THE BSD SECTION. Come on guys.

    Origonal [slashdot.org].

  • If only... (Score:5, Funny)

    by moof1138 ( 215921 ) on Monday August 25, 2003 @08:18AM (#6783311)
    there was a firewall that sensed and deleted duplicate slashdot stories...
    • I believe that is a problem to be solved at the site programming level. You are attempting to move many layers away... Or perhaps at the user level (IE, the layer in between keyboard and chair.)
  • Proxies? (Score:5, Interesting)

    by sporty ( 27564 ) on Monday August 25, 2003 @08:25AM (#6783357) Homepage
    What about proxies and socks servers? There's prolly more useful things to do w/ this than redirect for content reasons.
  • It is official; Netcraft confirms: Duplicate stories are dying

    One more crippling bombshell hit the already beleaguered Slashdot community when IDC confirmed that duplicate story count has dropped yet again, now down to less than a fraction of 1 percent of all stories. Coming on the heels of a recent Netcraft survey which plainly states that duplicate stories have lost more Slashdot share, this news serves to reinforce what we've known all along. Duplicate stories are collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Slashdot poll.

    You don't need to be a Kreskin to predict duplicate stories' future. The hand writing is on the wall: Duplicate stories face a bleak future. In fact there won't be any future at all for duplicate stories because duplicate stories are dying. Things are looking very bad for duplicate stories. As many of us are already aware, duplicate stories continue to lose article share. Red ink and cancellations flow like a river of blood.

    Slashdot duplicate stories are the most endangered of them all, having lost 93% of its editor acceptances. The sudden and unpleasant departures of long time topics BSD Packet Filters and Ear on the Back of a Mouse only serve to underscore the point more clearly. There can no longer be any doubt: Duplicate stories are dying.

    Let's keep to the facts and look at the numbers.

    Slashdot Admin leader Hemos states that there are 7000 users of Slashdot. How many users of K5 are there? Let's see. The number of Slashdot versus K5 posts is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 K5 users. Duplicate story posts on Slashdot are about half of the volume of K5 posts. Therefore there are about 700 users of K5 submitting dupes. A recent article put Slashdot duplicate stories at about 80 percent of the Slashdot story pool. Therefore there are (7000+1400+700)*4 = 36400 Slashdot users. This is consistent with the number of Slashdot posts.

    Due to the troubles of Ear on a Mouse stories' abysmal duplicate posting rate, duplicate stories are going out of style and will probably be taken over by Natalie Portman trolls who post another type of story. Now duplicate stories are also dead, their corpse turned over to yet another charnel house.

    All major surveys show that duplicate stories have steadily declined in market share. Duplicate stories are very sick and their long term survival prospects are very dim. If duplicate stories are to survive at all it will be among trolling dilettante dabblers. Duplicate stories continue to decay. Nothing short of a miracle could save them at this point in time. For all practical purposes, duplicate stories are dead.

    Fact: Duplicate stories are dying

  • SCO must have stolen this and then set up their website so that Linux people can't get to it.
  • can't wait 4 this (Score:1, Insightful)

    by pauldy ( 100083 )
    Yea this is nice. I can't wait to be redirected to the MS site to upgrade the next time I sit down at a mac. I cannot believe they think this will be viable.
    • The whole point of this is that it is OS fingerprinting...I'm sure the MacOS network stack is not the same as any MS OS. as a matter of fact I'm fairly sure the OSX network stack is quite identifiable as a non-MS product.
    • Re:can't wait 4 this (Score:5, Interesting)

      by innosent ( 618233 ) <jmdority.gmail@com> on Monday August 25, 2003 @09:39AM (#6783930)
      It is viable. After all, how many non-windows machines are infected with Blaster? If you use RPC for something (don't know why anyone would, but...), and don't want Blaster pounding away at your server, you could use the filter to drop all of the packets coming on that port from Windows.

      On a related note, lets say you do a lot of communicating between two servers, or between some remote workstations and a server, but don't allow public access. If there's no legitimate reason why a specific OS would connect to your server, why let it? Hell, just by dropping Windows, you get rid of most of the script kiddies. Maybe drop Linux, if you don't use it, to get rid of the rest of them. Probably very few script kiddies run *BSD. Sure, it's security through obscurity, but most kids will probably just overlook your server, which is a good thing. If they don't know it's there, they probably won't attack it.
      • Re:can't wait 4 this (Score:3, Informative)

        by pauldy ( 100083 )
        You make some interesting points on how it could be used in a network that may or may not be usable to some so I guees it is better to have them there than not. I personally was more concerned with the notion presented in the slashdot article that people would use this to redirect people off their websites to upgrade sites based of their fingerprint. As for the religion here to each his or her own. The only thing I would really hate to see is people using this to deny others access based off what is real
        • If you go to windows update, you are sent to a page for your operating system, but you can get access to updates for other microsoft operating systems from it as well, and just download the files. All this, without even using this technology. Furthermore many sites today will look at your browser type and send you someplace, that includes your OS, and it's just as rude and often causes poor results, but is considered necessary to compensate for changes in layout results between browsers.
  • It identifies QNX 6.2.1NC as "NetBSD 1.3", from both Voyager and Mozilla browsers. That's not totally surprising; QNX's "big" TCP stack is modelled after BSD, although it's a program running in user space, not part of the kernel.

The world will end in 5 minutes. Please log out.

Working...