I am trying to log the "Passive Operating System Fingerprinting" of
connections inside my PF and I guess I don't know if that's possible. Is
it possible to do so?
I have a list of 46K computers that, from the logs, are all the same OS,
patch, etc., and I want to get the OSFP of it to see what it might be and
if that's the only connection with that specific signature.
The reason I want to do this is that I am still working on my attack
that I posted on the list and I have made much progress on it.
Many, many interesting things have come out of it so far.
It looks like this attack is more interested in drawing huge traffic to
the servers, as opposed to making them unresponsive. Or maybe the setup
for the standard DDoS is working well enough that it doesn't work the
standard way and this is a new type. I don't really know for sure at this
time.
But for sure this attack doesn't respond to a redirect, so that's one way
to control it so far: legitimate traffic is redirected and the bad traffic
is killed and logged.
All the bad ones always have the same OS log entry, so I wonder if they
would have the same OSFP, and that's why I want to log it and see.
One thing I don't know is, let's say this is from a webbot network,
whether the signature of the incoming packets would be different when
sent from the compromised software on the victims' computers than when
the connection is coming from the normal browser on the same connection.
I don't know that, and I guess it would be the same, as I don't know
much about this webbot stuff. I think it might be possible that the
signature would be different, as I assume that this software needs to be
undetectable by the users, etc. Any thoughts on this?
In any case, I would love to log the signature if at all possible and
then study the results.
Best,
Daniel