Bugtraq mailing list archives

Re: Preventing remote OS detection

From: james () VANEYCK GII GETTY EDU (James Lockwood)
Date: Mon, 22 Feb 1999 14:17:41 -0800


On Mon, 22 Feb 1999, Patrick Gilbert wrote:

A technique exists to determine a remote operating system by sending
obscure tcp
packets and analyzing the response. Two utilites known as queso and nmap
can
determine with enough precision your operating system. This has been
known for quite some time, but I haven't seen much on how to prevent it.


It's probably worth mentioning that IP Filter by Darren Reed can trap
many abnormal packets "in the wild", before the system TCP stack gets a
chance to play with them.  I prefer to swallow up anything that doesn't
fit my filters, but by playing with responses returned when packets with
strange flags are received you can forge another system.

I wouldn't think of running a production internet system without it:

http://coombs.anu.edu.au/~avalon/

--
James D. Lockwood                    The (former) Getty Information Institute
System Administrator                       1200 Getty Center Drive, Suite 300
james () gii getty edu                                Los Angeles, CA 90049-1680

Current thread:

Re: Process table attack (from RISKS Digest), (continued)
- - - Re: Process table attack (from RISKS Digest) James Lockwood (Feb 22)
    - Re: Process table attack (from RISKS Digest) Dirk Moerenhout (Feb 22)
    - Re: Process table attack (from RISKS Digest) unknown () RIVERSTYX NET (Feb 22)
    - Re: Process table attack (from RISKS Digest) Andrew Hobgood (Feb 22)
    - Denial of service process table attacks John Conover (Feb 23)
    - Group kmem exploitable? Oliver Xymoron (Feb 23)
    - Re: Pro/wuFTPD DoS Alex Belits (Feb 21)
  - ISS install.iss security hole Fyodor (Feb 20)
    - Re: ISS install.iss security hole Joel Eriksson (Feb 22)
    - Preventing remote OS detection Patrick Gilbert (Feb 22)
    - Re: Preventing remote OS detection James Lockwood (Feb 22)
    - Re: Preventing remote OS detection route () RESENTMENT INFONEXUS COM (Feb 22)
    - Re: Preventing remote OS detection Salvatore Sanfilippo (Feb 23)
    - Re: ISS install.iss security hole Peter Benie (Feb 22)
    - Re: ISS install.iss security hole Michael Warfield (Feb 22)
    - BlackHats Advisory -- InterScan VirusWall The Unicorn (Feb 22)
    - Microsoft Security Bulletin (MS99-007) aleph1 () UNDERGROUND ORG (Feb 22)