On Sat, 3 Jun 2000, Stephen P. Berry wrote:
> What I'm mildly surprised about is that the prevalence of IP fingerprinting
> tools of nmap and queso hasn't resulted in more code for actively thwarting
> such scans. By their very nature the heuristics for such scans tend to
> be fairly brittle and susceptible to spoofing.
I suspect that thwarting such scans isn't that high on many people's radar
because if you've actively secured a site, OS information isn't generally
exploitable. I am surprised that the Open Source community hasn't
produced patches to emulate different behaviour though.
I also think that those who are most likely to be harmed by
fingerprinting are those least likely to deploy anything that thwarts it.
Certainly one of the packet filtering firewall vendors should see this as
a marketing opportunity if nobody starts hacking on IPFilter first (If I
get time to do this it'll be a miracle.)
> In addition to `active' fingerprinting (as done by nmap and queso),
> remote OS identification can be accomplished by what Lance Spitzner
> calls `passive' fingerprinting. See:
>
> http://www.enteract.com/~lspitz/finger.html
This is significantly easier to thwart given the information in the paper
and the first-cut tools (IOW at this stage in its life.)
> http://www.meshuggeneh.net/shoki/
>
> ...and has widgetry that does both passive fingerprinting and nmap fingerprint
> foiling.
Interesting toolset! Thanks for providing it.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."