Re: [PATCH] OpenBSD Networking-related randomization port

[Lorenzo Hernández García-Hierro]

El vie, 28-01-2005 a las 18:40 +0100, Adrian Bunk escribió:
> On Fri, Jan 28, 2005 at 06:17:17PM +0100, Lorenzo Hernández García-Hierro wrote:
> >...
> > As it's impact is minimal (in performance and development/maintenance
> > terms), I recommend to merge it, as it gives a basic prevention for the
> > so-called system fingerprinting (which is used most by "kids" to know
> > how old and insecure could be a target system, many time used as the
> > first, even only-one, data to decide if attack or not the target host)
> > among other things.
> >...
> 
> "basic prevention"?
> I hardly see how this patch makes OS fingerprinting by e.g. Nmap 
> impossible.

That's an example, as you can find at the grsecurity handbook [1]:

"The default Linux TCP/IP-stack has some properties that make it more
vulnerable to prediction-based hacks. By randomizing several items,
predicting the behaviour will be a lot more difficult."

"Randomized IP IDs hinders OS fingerprinting and will keep your machine
from being a bounce for an untraceable portscan."

References:
 [1]: http://www.gentoo.org/proj/en/hardened/grsecurity.xml

Cheers,
PS: Thanks for CC'ing me, I forgot to mention that I'm not subscribed to
the list, I just read the archives and reply by getting the original
mbox-formatted messages. 
-- 
Lorenzo Hernández García-Hierro <lorenzo@xxxxxxx> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

Attachment: signature.asc
Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmadadigitalmente