Security Operating Systems BSD

OS Fingerprinting in OpenBSD's PF Firewall

Dan writes "Mike Frantzen has committed "Passive operating system fingerprinting" to PF, which exposes the source host's OS to the filter language. The goal of this work is to allow firewalling decisions to take place based not only on the source of a connection, but on the operating system of that source. Powerful policy enforcement is now possible, such as redirecting all older Windows boxes to a web site telling them to upgrade, or blocking all Windows boxes from connecting to mail servers (damn worms). A writeup can be found here. Please help contribute to the OS fingerprint database by going to http://lcamtuf.coredump.cx/p0f-help/ and typing in your OS description if it does not recognize your OS." Sorry - my fault. It is a dupe.
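The two policies the story mentions (keeping Windows hosts off the mail port, and redirecting old Windows clients to an upgrade page) look like this in pf.conf. This is an added example, not code from the story, the writeup, or the OpenBSD project. It assumes an external interface macro, a constructed internal address 192.0.2.10 for the upgrade page, and the fingerprint class names ("Windows", "Windows 95", ...) that ship in /etc/pf.os; it is written in the pf.conf(5) syntax of OpenBSD 4.7 and later (the 2003 code used separate rdr rules for the redirect).

```pf
# Added example, not part of the original story or of OpenBSD's own files.
# Assumptions: em0 is the outside interface; 192.0.2.10 (constructed) hosts
# the "please upgrade" page; the quoted OS names exist in /etc/pf.os
# (check the loaded list with: pfctl -s osfp).
ext_if      = "em0"
upgrade_www = "192.0.2.10"

# The os keyword only matches a TCP packet that carries the SYN flag, i.e.
# the first packet of a connection; the decision is then kept in the state
# entry for the rest of the flow.

# 1. Keep Windows hosts of any version away from the mail server.
block in quick on $ext_if proto tcp from any os "Windows" to any port smtp

# 2. Send older Windows clients that browse the web to the upgrade page.
pass in quick on $ext_if proto tcp \
    from any os { "Windows 95", "Windows 98", "Windows ME" } \
    to any port www rdr-to $upgrade_www port 80

# 3. Log (but still pass) stacks the fingerprint table cannot classify, so
#    unusual hosts show up in pflog for review rather than being dropped.
pass in quick log on $ext_if proto tcp from any os unknown \
    to any port { www, smtp }

# 4. Default: normal access for everyone else.
pass in on $ext_if proto tcp from any to any port { www, smtp }
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading. Two caveats a defender should keep in mind: the match is made on the SYN only, so a host behind a NAT gateway or a proxy (the question raised further down the thread) is classified as whatever the gateway's stack looks like, not as the real client; and a fingerprint is a heuristic, not an identity, so rule 1 is a nuisance reducer against worm traffic, not an access-control boundary.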
  • DUPLICATE!!!!! (Score:1, Redundant)

    by Anonymous Coward

    I mean, c'mon mods, a simple search:
    would show that this was posted not four days ago:


  • MAJOR DUPE (Score:2, Offtopic)

    by MBCook ( 132727 )
    OK, this is a dupe of the LAST STORY IN THE BSD SECTION. Come on guys.

    Original [slashdot.org].

  • If only... (Score:5, Funny)

    by moof1138 ( 215921 ) on Monday August 25, 2003 @09:18AM (#6783311)
    there was a firewall that sensed and deleted duplicate slashdot stories...
    • I believe that is a problem to be solved at the site programming level. You are attempting to move many layers away... Or perhaps at the user level (i.e., the layer in between keyboard and chair.)
  • Proxies? (Score:5, Interesting)

    by sporty ( 27564 ) on Monday August 25, 2003 @09:25AM (#6783357) Homepage
    What about proxies and socks servers? There's prolly more useful things to do w/ this than redirect for content reasons.
  • by mcgroarty ( 633843 ) on Monday August 25, 2003 @09:43AM (#6783481) Homepage
    It is official; Netcraft confirms: Duplicate stories are dying

    One more crippling bombshell hit the already beleaguered Slashdot community when IDC confirmed that duplicate story count has dropped yet again, now down to less than a fraction of 1 percent of all stories. Coming on the heels of a recent Netcraft survey which plainly states that duplicate stories have lost more Slashdot share, this news serves to reinforce what we've known all along. Duplicate stories are collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Slashdot poll.

    You don't need to be a Kreskin to predict duplicate stories' future. The hand writing is on the wall: Duplicate stories face a bleak future. In fact there won't be any future at all for duplicate stories because duplicate stories are dying. Things are looking very bad for duplicate stories. As many of us are already aware, duplicate stories continue to lose article share. Red ink and cancellations flow like a river of blood.

    Slashdot duplicate stories are the most endangered of them all, having lost 93% of its editor acceptances. The sudden and unpleasant departures of long time topics BSD Packet Filters and Ear on the Back of a Mouse only serve to underscore the point more clearly. There can no longer be any doubt: Duplicate stories are dying.

    Let's keep to the facts and look at the numbers.

    Slashdot Admin leader Hemos states that there are 7000 users of Slashdot. How many users of K5 are there? Let's see. The number of Slashdot versus K5 posts is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 K5 users. Duplicate story posts on Slashdot are about half of the volume of K5 posts. Therefore there are about 700 users of K5 submitting dupes. A recent article put Slashdot duplicate stories at about 80 percent of the Slashdot story pool. Therefore there are (7000+1400+700)*4 = 36400 Slashdot users. This is consistent with the number of Slashdot posts.

    Due to the troubles of Ear on a Mouse stories' abysmal duplicate posting rate, duplicate stories are going out of style and will probably be taken over by Natalie Portman trolls who post another type of story. Now duplicate stories are also dead, their corpse turned over to yet another charnel house.

    All major surveys show that duplicate stories have steadily declined in market share. Duplicate stories are very sick and their long term survival prospects are very dim. If duplicate stories are to survive at all it will be among trolling dilettante dabblers. Duplicate stories continue to decay. Nothing short of a miracle could save them at this point in time. For all practical purposes, duplicate stories are dead.

    Fact: Duplicate stories are dying

  • SCO must have stolen this and then set up their website so that Linux people can't get to it.
  • can't wait 4 this (Score:1, Insightful)

    by pauldy ( 100083 )
    Yea this is nice. I can't wait to be redirected to the MS site to upgrade the next time I sit down at a mac. I cannot believe they think this will be viable.
    • The whole point of this is that it is OS fingerprinting... I'm sure the Mac OS network stack is not the same as any MS OS. As a matter of fact, I'm fairly sure the OS X network stack is quite identifiable as a non-MS product.
    • Re:can't wait 4 this (Score:5, Interesting)

      by innosent ( 618233 ) on Monday August 25, 2003 @10:39AM (#6783930)
      It is viable. After all, how many non-windows machines are infected with Blaster? If you use RPC for something (don't know why anyone would, but...), and don't want Blaster pounding away at your server, you could use the filter to drop all of the packets coming on that port from Windows.

      On a related note, let's say you do a lot of communicating between two servers, or between some remote workstations and a server, but don't allow public access. If there's no legitimate reason why a specific OS would connect to your server, why let it? Hell, just by dropping Windows, you get rid of most of the script kiddies. Maybe drop Linux, if you don't use it, to get rid of the rest of them. Probably very few script kiddies run *BSD. Sure, it's security through obscurity, but most kids will probably just overlook your server, which is a good thing. If they don't know it's there, they probably won't attack it.
      • Re:can't wait 4 this (Score:3, Informative)

        by pauldy ( 100083 )
        You make some interesting points on how it could be used in a network that may or may not be usable to some, so I guess it is better to have them there than not. I personally was more concerned with the notion presented in the Slashdot article that people would use this to redirect people off their websites to upgrade sites based off their fingerprint. As for the religion here, to each his or her own. The only thing I would really hate to see is people using this to deny others access based off what is real
        • If you go to Windows Update, you are sent to a page for your operating system, but you can get access to updates for other Microsoft operating systems from it as well, and just download the files. All this, without even using this technology. Furthermore, many sites today will look at your browser type and send you someplace; that includes your OS, and it's just as rude and often causes poor results, but is considered necessary to compensate for changes in layout results between browsers.
  • It identifies QNX 6.2.1NC as "NetBSD 1.3", from both Voyager and Mozilla browsers. That's not totally surprising; QNX's "big" TCP stack is modelled after BSD, although it's a program running in user space, not part of the kernel.
