Fingerprint Scrambling

The best way to defend against fingerprinting attempts is to modify the defining characteristics of network listening hosts and services to further masquerade the identity of the system. Change configurable values of services to emulate those of different but similar services on a completely separate architecture.

The more ways you can mask the identity of the operating system and services, the less likely their true identity will be easily discovered. When making these modifications, however, stay with a single theme so inconsistencies are minimized. To make a Linux server appear to be a Microsoft Windows Server, for example, change as many items as possible to make it appear as a Windows server, keeping in mind the type and versions of applications that correspond with the system to be emulated.

In the case of a web server, the next items you'll want to modify are the error pages. Change all error pages so the web server emulates a desired environment, or make them purposely ambiguous in the event any kind of error occurs (client navigation errors, script crashes, and so on). You can do this in the httpd.conf file. Here is an example of how to configure custom error pages from apache.org:

ErrorDocument 500 /cgi-bin/crash-recover
ErrorDocument 500 "Sorry, our script crashed. Oh dear"
ErrorDocument 500 http://xxx/
ErrorDocument 404 /Lame_excuses/not_found.html
ErrorDocument 401 /Subscription/how_to_subscribe.html

The next step would be to copy error pages from a Windows IIS Server or other service and platform combination to the Linux Apache Server and configure the above mappings to point to the new obfuscated files. On a Windows 2003 IIS 6.0 server, the default error pages can be found in C:\Windows\Help\iisHelp\common\.

Modifying the error pages, however, is just the beginning. You can also modify IPv4 network protocol parameters to change the way systems communicate on the network. They can be configured to behave in a manner similar to a different operating system or be modified to provide maximum protection against external attacks. In either case, the end result is to obfuscate the identity of the operating system, but the latter suggestion provides more inherent value. Table 5-1 lists the options that can be configured for IPv4 in Linux.

icmp_echo_ignore_all                ipfrag_low_thresh        tcp_max_tw_buckets
icmp_echo_ignore_broadcasts         ipfrag_max_dist          tcp_mem
icmp_ignore_bogus_error_responses   ipfrag_secret_interval   tcp_orphan_retries
icmp_ratelimit                      ipfrag_time              tcp_reordering
icmp_ratemask                       neigh                    tcp_retrans_collapse
igmp_max_memberships                netfilter                tcp_retries1
igmp_max_msf                        route                    tcp_retries2
inet_peer_gc_maxtime                tcp_abort_on_overflow    tcp_rfc1337
inet_peer_gc_mintime                tcp_adv_win_scale        tcp_rmem
inet_peer_maxttl                    tcp_app_win              tcp_sack
inet_peer_minttl                    tcp_dsack                tcp_stdurg
inet_peer_threshold                 tcp_ecn                  tcp_syn_retries
ip_autoconfig                       tcp_fack                 tcp_synack_retries
ip_conntrack_max                    tcp_fin_timeout          tcp_syncookies
ip_default_ttl                      tcp_frto                 tcp_timestamps
ip_dynaddr                          tcp_keepalive_intvl      tcp_tw_recycle
ip_forward                          tcp_keepalive_probes     tcp_tw_reuse
ip_local_port_range                 tcp_keepalive_time       tcp_westwood
ip_no_pmtu_disc                     tcp_low_latency          tcp_window_scaling
ip_nonlocal_bind                    tcp_max_orphans          tcp_wmem
ipfrag_high_thresh                  tcp_max_syn_backlog

Table 5-1 IPv4 Configurable Parameters

The next example shows a brief illustration of some parameters you can modify to prevent a SYN flood attack, as well as ways to change the TCP fingerprint of the respective system.

tcp_max_syn_backlog This parameter defines how many half-open connections can be retained by the backlog queue. Half-open connections are those for which a SYN packet has been received, a SYN/ACK packet has been sent, and an ACK packet has not yet been received. You can easily create a denial of service situation if the tcp_max_syn_backlog setting is low and the timeout value is high. Once the backlog value has been reached, the system cannot receive any more connections until the existing ones are either established or timed out. The tcp_max_syn_backlog should be set to 2048. This setting can be configured with the following command line, depending on the Linux distribution:

# sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

tcp_synack_retries This parameter controls the number of SYN/ACK retransmissions. By default, this value is set to 5 in most Linux distributions (which causes half-open connections to be removed after 3 minutes if no valid ACK packet is received). However, you can reduce this value to allow shorter timeouts. The following values apply: value = 5 (3 minutes), value = 3 (45 seconds), value = 2 (21 seconds), value = 1 (9 seconds). Take care not to set the value too low, as low values create a denial of service by design if legitimate traffic from remote destinations takes longer to traverse the Internet than the configured retransmission window. This setting can be configured with the following command line, depending on the Linux distribution:

# sysctl -w net.ipv4.tcp_synack_retries="3"

tcp_syncookies This parameter is very useful in thwarting SYN Flood attacks, especially when source addresses are spoofed. Changing this setting to 1 bypasses the backlog queue by creating a cookie based on the connection socket. More specifically, when a SYN packet is received, a SYN/ACK packet is constructed having a specially crafted initial sequence number (ISN), also called a cookie. Unlike the default configuration, the ISN is not a pseudo-random number but is generated by hashing the connection socket (source address, source port, destination address, and destination port) with some secret values. The system will not actually open a connection until it receives an ACK packet having the respective cookie. Therefore, spoofed SYN packets cannot monopolize connections on the server. This setting can be configured with the following command line, depending on the Linux distribution:

# sysctl -w net.ipv4.tcp_syncookies="1"
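The three settings above form one hardening procedure, so the following added example (not from the original text) does two things with them: it derives the half-open connection lifetimes quoted for tcp_synack_retries from an exponential SYN/ACK retransmission timer, and it audits a `sysctl -a`-style snapshot against the recommended values, emitting the `sysctl -w` lines still needed. The 3-second initial retransmission timer is an assumption chosen because it reproduces the 45 s / 21 s / 9 s figures above; the snapshot is constructed.

```python
"""Audit Linux SYN-flood sysctls against the values recommended in the text.

Added example. INITIAL_RTO is an assumption: the classic 3 s initial
SYN/ACK retransmission timer, which reproduces the section's timeout table.
"""
import re

INITIAL_RTO = 3  # seconds; assumed first SYN/ACK retransmission timer

# Recommended values from the text: key -> (comparison, target).
BASELINE = {
    "net.ipv4.tcp_max_syn_backlog": (">=", 2048),
    "net.ipv4.tcp_synack_retries": ("<=", 3),
    "net.ipv4.tcp_syncookies": ("==", 1),
}

# Constructed `sysctl -a`-style snapshot of a host still on kernel defaults.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_fin_timeout = 60
"""


def half_open_lifetime(synack_retries: int, rto: int = INITIAL_RTO) -> int:
    """Seconds a half-open connection survives: the initial SYN/ACK plus
    `synack_retries` retransmissions, each waiting twice as long as the last.
    3 + 6 + 12 + 24 = 45 s for 3 retries; 5 retries give 189 s, the
    'about 3 minutes' quoted for the default."""
    return sum(rto * 2 ** i for i in range(synack_retries + 1))


def parse_sysctl(output: str) -> dict:
    """Parse `key = value` lines; integer values become int, others stay str."""
    values = {}
    for m in re.finditer(r"^(\S+)\s*=\s*(.+)$", output, re.M):
        key, val = m.group(1), m.group(2).strip()
        values[key] = int(val) if val.lstrip("-").isdigit() else val
    return values


def audit(output: str) -> list:
    """Return the `sysctl -w` commands needed to reach the baseline.
    A key missing from the snapshot is treated as non-compliant."""
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           "==": lambda a, b: a == b}
    current = parse_sysctl(output)
    return [f"sysctl -w {key}={target}"
            for key, (op, target) in BASELINE.items()
            if key not in current or not ops[op](current[key], target)]
```

Running `audit(SAMPLE_SYSCTL_OUTPUT)` on the constructed snapshot returns all three `sysctl -w` commands; on a host already at the baseline it returns an empty list.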

If changing the configuration settings is of no interest or not feasible, several firewalls on the market have an innate ability to scramble the fingerprints of the hosts they protect, as well as to defend against attacks like SYN floods. Check Point's SmartDefense module has this built-in ability, and enabling it is as simple as clicking a button and applying the policy.

iptables, which is actually a configuration and maintenance tool for the Netfilter framework and is already included in nearly all default Linux distributions, can also be extended to scramble fingerprints. The website http://en.hakin9.org has a lengthy but great whitepaper on fingerprint scrambling. Written by Jaros Sajko and published on August 1, 2006, it provides detailed instructions on how to create custom iptables extensions to perform fingerprint scrambling.
