Avoid OS detection on OpenBSD

You know what we say about OpenBSD : Free, Functional, and... *Secure*.

OpenBSD Logo

Hosting a public server can lead to many different attacks. Mostly random attacks, but you may be targeted by a "real attacker" who, at first, will gather informations such as the kind of operating system you are running.

Actually, finding what system runs on a server is easy, with Nmap here is a simple way to check what system runs on my gaming computer :

lina@blog:~$ doas nmap -sS -O

Nmap scan report for gaming-pc.cagedmonster.net (
Host is up (0.00032s latency).
Not shown: 991 filtered ports
MAC Address: 74:D0:2B:9C:B3:A9 (Asustek Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 10 build 10586 - 14393 (95%), Microsoft Windows Phone 7.5 or 8.0 (94%), Microsoft 
Windows 10 build 10586 (93%), Microsoft Windows Server 2008 R2 or Windows 8.1 (93%), Microsoft Windows 7 Professional or 
Windows 8 (93%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (93%), Microsoft Windows 
Embedded Standard 7 (93%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (93%), Microsoft Windows 
Server 2008 R2 (91%), Microsoft Windows Server 2008 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds

OS detection tools use a lot of datas like :

  • TCP ISN sampling
  • TCP options support and ordering
  • IP ID sampling
  • Window size check...

But... because we are running OpenBSD and using its powerfull firefall named PacketFilter, we can do something about this.

Packet Normalization under PacketFilter is called Scrubbing. It will reassemble fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations. Many options are built with Scrub, you can check them here.

We will focus on these two options :

  • random-id

    • Replaces the IP identification field of outgoing packets with random values to compensate for operating systems that use predictable values. This option only applies to outgoing packets that are not fragmented after the optional packet reassembly.
  • no-df

    • Clears the don't fragment bit from the IP packet header. Some operating systems are known to generate fragmented packets with the don't fragment bit set. This is particularly true with NFS. Scrub will drop such packets unless the no-df option is specified. Because some operating systems generate don't fragment packets with a zero IP identification header field, using no-df in conjunction with random-id is recommended.

Let's try that and see what happens :

# vi /etc/pf.conf

match all scrub (no-df random-id)

# pfctl -f /etc/pf.conf

Let's scan our OpenBSD server and see what's the result :

Uptime guess: 0.000 days (since Mon Jun 26 13:48:37 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Randomized

Yeah, good luck with that ! \o/

Need help ?