
OS Fingerprinting in OpenBSD's PF Firewall

While you're here, please help populate our OS database at
http://lcamtuf.coredump.cx/p0f-help/
by simply going there and typing in your operating system name.

Filtering by Operating System

The goal of this work is to allow firewalling decisions to take place based not only on the source of a connection, but the operating system of that source.

How?

Modern TCP stacks are complex beasts. Even those derived from the original BSD stack have diverged significantly over the years. As a result, most stacks exhibit small differences in the SYN packets they send (initial window size, initial TTL, the DF bit, the packet length, and the set and order of TCP options) which can be detected and mapped back to the originating operating system. By fingerprinting the TCP SYN packet that opens a connection, we can expose the operating system to the filter language and live happily ever after.
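To make the "nuances" concrete, here is what a fingerprint looks like in the pf.os(5) file format that PF loads. These three entries are illustrative lines written for this page, not copied from OpenBSD's own pf.os, and the option lists and version labels are assumptions chosen to show the format:

```conf
# Illustrative pf.os(5) entries (constructed for this page, not the real pf.os).
#
# Each line:  window:ttl:df:size:options:class:version:subtype:description
#   window  - initial TCP window; a literal value, S<n> (n times the MSS),
#             T<n> (n times the MTU) or * (any)
#   ttl     - initial IP TTL as sent by the host, before routers decrement it
#   df      - 1 if the IP "don't fragment" bit is set, 0 otherwise
#   size    - total length of the SYN packet in bytes (IP header + TCP header + options)
#   options - TCP options in the order they appear: M = MSS (M* = any value),
#             N = NOP, S = SACK permitted, T = timestamp (T0 = zero timestamp),
#             W<n> = window scale, E = end of list
#   class / version / subtype - the strings the "os" keyword in pf.conf matches on
#
# MSS(4) + SACK(2) + TS(10) + NOP(1) + WS(3) = 20 option bytes -> 40 + 20 = 60
S4:64:1:60:M*,S,T,N,W0:Linux:2.4::Linux 2.4 (illustrative)
# MSS(4) + N,N + SACK(2) + N + WS(3) + N,N + TS(10) = 24 option bytes -> 64
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.x::OpenBSD 3.x (illustrative)
# MSS(4) + N,N + SACK(2) = 8 option bytes -> 48
65535:128:1:48:M*,N,N,S:Windows:2000::Windows 2000 (illustrative)
```

Note that every field is read off a single SYN, so nothing is ever sent to the host being fingerprinted. In pf.conf, `os "Windows"` matches any entry whose class is Windows, while `os "Windows 2000"` narrows it to that version; `pfctl -s osfp` lists the fingerprints currently loaded so you can check what a given string will match before relying on it in a rule.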

but, but, but...

An attacker can EASILY spoof these nuances to appear as any operating system he chooses, so why is this useful? Passive fingerprinting is therefore not a security feature. But it still has utility as a policy feature: it allows the firewall administrator to treat different operating systems differently, given that most, if not all, of his users will not know enough to masquerade as something else. The corollary is that the rules should be written so that a spoofed or unrecognized fingerprint falls through to the default policy, never to a more permissive one.

Most email worms are propagated by Windows machines connecting to SMTP ports. I trust UNIX mail servers far more than Windows ones, so maybe I want to restrict Windows clients to a total of one connection to my SMTP port. Maybe I'm an ISP and want to limit the bandwidth of Windows SMTP traffic since it is more likely to be junk.

Or maybe I'm a corporate firewall administrator who wants to redirect all older versions of Windows to a web server telling them to upgrade if they want internet access.

Or maybe I think SCO sucks sweaty monkey balls and their customers should be redirected to a web page of ranting and ravings about why they should cancel their contracts or somesuch.

Or maybe I'm an asshole (how'd you know?) and don't want Windows NT machines to have access to my web server since one once fell on my foot. Not really but they make some pretty good foot warmers.
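The policies above, written out as a pf.conf(5) fragment. This is an added example for this page, not a ruleset from OpenBSD or from this work; the interface names, addresses, networks and queue names are assumptions, and the `keep state (max N)` and ALTQ `queue` options are assumed to be available in the PF version you run.

```conf
# Added example pf.conf fragment (illustrative; names and addresses are assumptions).
ext_if      = "fxp0"          # upstream
int_if      = "fxp1"          # corporate LAN
cust_net    = "198.51.100.0/24"   # ISP customers behind us
mail_srv    = "192.0.2.25"
web_srv     = "192.0.2.80"
upgrade_srv = "192.0.2.81"    # "please upgrade" page

# ISP case: shape outbound SMTP from Windows customers. ALTQ shapes traffic
# leaving an interface, so the queue goes on $ext_if and the rule is "pass out".
altq on $ext_if cbq bandwidth 10Mb queue { std_q, win_smtp_q }
queue std_q     bandwidth 90% cbq(default)
queue win_smtp_q bandwidth 5%

# Corporate case: older Windows clients on the LAN asking for any web server
# get redirected to the upgrade page. The fingerprint is taken from the SYN,
# which is also the packet rdr acts on.
rdr on $int_if proto tcp from any os { "Windows 95", "Windows 98", "Windows NT" } \
    to any port www -> $upgrade_srv port 80

block in log on $ext_if all

# At most one SMTP state in total from Windows hosts (max counts states created
# by this rule, not per source). "quick" stops evaluation here, because PF
# otherwise uses the last matching rule.
pass in quick on $ext_if proto tcp from any os "Windows" to $mail_srv port smtp \
    flags S/SA keep state (max 1)

# Unrecognized stacks may be spoofed or just new. They get the restrictive
# treatment, not a free pass; change this line if you decide otherwise.
pass in quick on $ext_if proto tcp from any os unknown to $mail_srv port smtp \
    flags S/SA keep state (max 1)

# Everyone else gets the ordinary SMTP rule.
pass in on $ext_if proto tcp from any to $mail_srv port smtp flags S/SA keep state

# The NT-fell-on-my-foot case.
block in quick on $ext_if proto tcp from any os "Windows NT" to $web_srv port www
pass in on $ext_if proto tcp from any to $web_srv port www flags S/SA keep state

# ISP shaping rule: Windows customers' outbound mail goes into the slow queue.
pass out on $ext_if proto tcp from $cust_net os "Windows" to any port smtp \
    flags S/SA keep state queue win_smtp_q
pass out on $ext_if proto tcp from $cust_net to any port smtp \
    flags S/SA keep state
```

Two things to check before loading this: `pfctl -nf /etc/pf.conf` parses the rules without loading them, and `pfctl -s osfp` shows which class/version strings are actually present in the loaded pf.os, since an `os` string that matches nothing silently matches nothing. Because only the SYN carries the fingerprint, every `os` rule needs `keep state` (with `flags S/SA`) so that the rest of the connection is handled by the state entry rather than re-evaluated against rules that can no longer match.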

GIMME!!!!

Didn't your mother ever teach you to say please? I'm not a drug dealer you know. Ok ok, it has been committed to OpenBSD -current (3.4-beta). I do take payment in the form of alcohol and gold bullion (you carry it).

Helping out

So you want to help. Well, I ran out of beer doing this, so you can send me more beer. Or, more importantly, you can help out by going to http://lcamtuf.coredump.cx/p0f-help/ and making sure that it detects your operating system. Better yet, visit that page from as many different operating systems as possible.

You can support the OpenBSD work by buying a CD, a t-shirt, a poster, or even making a donation at http://www.openbsd.org/orders.html. It helps!

Credits

Mike Frantzen added passive operating system fingerprinting to OpenBSD's PF firewall.

Michal Zalewski wrote the p0f passive OS fingerprinting work from which this is derived; he collects the fingerprints, and none of this would have been possible without his help. Send him beer too.

Some comments from Theo de Raadt, Henning Brauer, Daniel Hartmeier and Markus Friedl. Send them beer too. Well, maybe not Henning, he doesn't drink ;-)