Re: OS Detection Question

[Fyodor <fyodor () insecure org>]

On Fri, 5 May 2000, Mr. Man wrote:

> On Fri, 5 May 2000, Cameron Palmer wrote:
>
> > You'll list off your security measures and say we're lying about the OS
> > type, and how is it your OS masking hasn't introduced a new problem.
>
> What problems might it introduce?  So far I've read of none associated
> with either the Linux patches, or with dropping packets with odd
> combinations of TCP header flags set.  This is not like just turning off
> all ICMP and watching path MTU discovery break.

Attempting to defeat OS detection could cause all sorts of problems.  And
in fact, the current attempts DO cause all sorts of problems.  So far, I
have seen two main tools discussed for this purpose:

iplog -z (or --fool-nmap=true) : The man page for iplog
  (http://ojnk.sourceforge.net/iplog.8.html) states: "Warning: This
  option is dangerous and can set off network traffic storms."

KOSF ( http://www.hit2000.org/kosf/ ): This page says:
   "As most of the systems that kosf can fake utilize the so called
    64K rule, it gets easier to spoof the sequence number. But then again,
    it is probably clear that faking an apple color laserwriter on a high
    load computer is not a very good plan, as the printer was not designed
    for that... "

One of the main OS detection techniques Nmap uses is to ask the machine
what its capabilities are.  If you falsely claim to not have the
capabilities, you could lose important security/efficiency
functionality.  If you falsely claim to have these, you could break
normal programs which expect you to back that up.

Other OS tests involve security -- for example TCP sequence prediction
tests and IP.ID prediction (not currently implemented).  I think
compromising security features of your OS just to obscure the type/version
number is a bad idea.

And it is of course worth noting that true OS stealthing is basically
unachievable.  You may be able to trick nmap with the default arguments,
but skilled attackers may use other tests and can also make inferences
based ont the raw nmap fingerprint.

Clearly, obscuring your OS (even from script kiddies) can have at least
some marginal value.  But I certainly wouldn't risk futzing with my kernel
to achieve them.

Others may (and do) see the tradeoff differently and might consider OS
detection spoofing in some circumstances.  But it seems that almost
everyone agrees that:

1) Never try to mask a real security vulnerability by pretending you are
   using an OS that is not vulnerable.  Fix the hole!
2) Make sure you take care of fundamental security issues like closing
   unused ports, adding your filtering rules, and applying the latest
   patches before worrying about esoteric stuff like OS detection
   spoofing.
3) Don't become complacent or any less vigilant about aggressive security
   maintenance and monitoring just because you think you have hidden your
   OS information.

Cheers,
Fyodor