fooling nmap
Clark Gaylord
gaylord at dirtcheapemail.com
Sat Sep 4 19:05:31 PDT 2004
Barney Wolff wrote:
> On Sat, Sep 04, 2004 at 01:28:28PM -0400, vxp wrote:
>> in other words, what would you guys say be a _proper_ bsd-style thing to
>> do, if this were to be done?
>
> Nothing. If you want to pollute your kernel with nonsense of this
> sort, go right ahead, but leave mine alone. Adding frills detracts
> from security, even when they're only enabled by compile-time
> switches. The netinet code is already a challenge to follow or
> keep in mind all at once. Anything that makes the problem worse
> without a really big payoff is insane.
I very much concur with Barney's sentiment, but I would also point out
that our decisions for various sysctl settings should be based on sound
network engineering practices. If we mimic some OS by trying to
replicate something stupid that it does, then we've compromised sound
network engineering. It reeks of the "deny ICMP" stupidity you so often
see in firewall configs.
OTOH, I think understanding why different OSes fingerprint differently
is an extremely interesting pursuit, and good studies describing the
many different strategies are fascinating if done well (not just the
usual "this OS has its head up its ass" commentary, but really delve in
to see "oh *that's* why they do that"). This "comparative literature"
approach could build consensus for what the "right" approaches are and
understanding of the reasonable alternatives. It may be that more
consensus in approach would change the viability of fingerprinting
anyway, and then for good reasons.
--ckg