ELLIO Debuts New Open-Source Recon Shield
At Black Hat 2025, ELLIO is launching a new open-source tool: the TCP Fingerprint Firewall. This Recon Shield, built on high-performance eBPF technology, uses advanced MuonFP-based fingerprints to detect and block malicious scanners in real time.
- Release Date: August 6, 2025
- Release Place: Black Hat Arsenal 2025 (Business Hall, Arsenal Station 3)
- Presenters: Vlad Iliushin (ELLIO), Ken Webster (Thales)
- The TCP Fingerprint Firewall (Recon Shield) is now available on GitHub

What is the TCP Fingerprint Firewall?
The TCP Fingerprint Firewall is an open-source eBPF-based recon shield that uses MuonFP TCP fingerprints to spot and block malicious network scanners. With XDP (eXpress Data Path) for inline packet processing, this open-source tool helps security teams stop reconnaissance before attackers can map their network.
Traditional Firewalls vs TCP Fingerprint Firewall
Unlike traditional firewalls that operate on simple port/IP rules, the TCP Fingerprint Firewall uses MuonFP-based fingerprints – subtle TCP header characteristics that identify scanning tools like Nmap, ZMap, and Masscan, as well as specific operating systems or device fingerprints. The pattern matching engine supports wildcards, allowing both precise fingerprint targeting and broader pattern recognition with minimal performance overhead.
Traditional firewalls typically react after reconnaissance has already occurred. Recon Shield demonstrates a different approach:
- Early Detection: Identify scanning attempts based on TCP fingerprints before network mapping occurs
- Silent Response: Drop matching packets at the kernel level without sending any reply, so scanners cannot confirm that your host exists
- Traffic Analysis: Gain insights about potential threats by monitoring the types of tools attempting to scan your systems
- Adaptive Protection: Update fingerprint patterns as new scanning methodologies emerge
Understanding TCP Fingerprints
Every day, thousands of automated scanners probe the internet looking for vulnerable systems. What many security practitioners don't realize is that these scanners can be identified by their distinctive TCP fingerprints, such as specific window sizes, option combinations, and other TCP header characteristics.
Recon Shield demonstrates how these fingerprints can be used not just for identification but for active defense - preventing reconnaissance tools from gathering information about your services. For more on why this matters, see Ken Webster's article "There is No Such Thing as a 'Benign' Internet Scanner".
Core Capabilities
- MuonFP Integration: Built on Ken Webster's MuonFP methodology for TCP fingerprinting, providing robust identification of network traffic
- Advanced Fingerprint Analysis: Utilizes window size, TCP options, MSS, and window scale for comprehensive traffic classification
- eBPF-Powered Performance: Uses XDP (eXpress Data Path) for kernel-level packet filtering with minimal overhead
- Zero Network Stack Impact: Processes packets before they reach your applications
- Wildcard Pattern Matching: Flexible fingerprint definitions with wildcard support
- Real-Time Monitoring Dashboard: Watch TCP fingerprint matches in real-time with the ncurses monitoring UI
- Kernel-Optimized: Hand-tuned code that satisfies the strict eBPF verifier requirements
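As an added example (not ELLIO's code and not the MuonFP implementation), the following Python sketch shows the classification step the capabilities above describe: parse a SYN's window size, option order, MSS and window scale, build a fingerprint string, and test it against wildcard patterns. The "window:option-kinds:mss:wscale" layout, the sample segments and the block-list patterns are assumptions constructed for this illustration, not the project's own format or data.

```python
import struct
from fnmatch import fnmatchcase

def parse_tcp_header(segment: bytes) -> dict:
    """Return window size, option kinds in order, MSS and window scale of a SYN."""
    hdr_len = (struct.unpack_from("!H", segment, 12)[0] >> 12) * 4
    window = struct.unpack_from("!H", segment, 14)[0]
    kinds, mss, wscale, i = [], 0, 0, 20
    while i < hdr_len:
        kind = segment[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP has no length byte
            kinds.append(kind)
            i += 1
            continue
        if i + 1 >= hdr_len or segment[i + 1] < 2:
            break                          # truncated or malformed option: stop
        length = segment[i + 1]
        kinds.append(kind)
        if kind == 2 and length == 4:      # Maximum Segment Size
            mss = struct.unpack_from("!H", segment, i + 2)[0]
        elif kind == 3 and length == 3:    # Window scale shift count
            wscale = segment[i + 2]
        i += length
    return {"window": window, "options": kinds, "mss": mss, "wscale": wscale}

def fingerprint(segment: bytes) -> str:
    """Build 'window:option-kinds:mss:wscale' (assumed MuonFP-like layout)."""
    h = parse_tcp_header(segment)
    return f"{h['window']}:{'-'.join(map(str, h['options']))}:{h['mss']}:{h['wscale']}"

def matches(fp: str, patterns) -> bool:
    """True if the fingerprint matches any pattern; '*' and '?' are wildcards."""
    return any(fnmatchcase(fp, p) for p in patterns)

def tcp_syn(window: int, options: bytes) -> bytes:
    """Construct a SYN segment (ports/seq are arbitrary) with the given options."""
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (offset << 12) | 0x02,
                       window, 0, 0) + options

# Constructed samples: a Linux-like SYN (MSS 1460, SACKOK, TS, NOP, WS 7)
# and a bare SYN carrying no options at all.
LINUX_LIKE = tcp_syn(64240, bytes([2, 4, 5, 180, 4, 2, 8, 10]) + bytes(8)
                     + bytes([1, 3, 3, 7]))
BARE = tcp_syn(1024, b"")
# Constructed block list: exact match on the bare SYN, any window scale for the other.
BLOCK_PATTERNS = ["1024::0:0", "64240:2-4-8-1-3:1460:*"]
```

Note that a trailing `*` matches across the `:` field separators, so a pattern can pin the window and option order while leaving later fields open.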
Beyond Blocking: TCP Fingerprinting Applications
While Recon Shield demonstrates how TCP fingerprinting can be used to block reconnaissance, the underlying MuonFP technology has broader security applications:
- Threat Intelligence: Identifying and categorizing traffic by source tools and intentions
- Traffic Characterization: Understanding the nature of network connections based on their TCP signatures
- Security Research: Analyzing how different tools and systems interact with networks
- Attribution: Connecting scanning activities to specific tools, techniques, and potentially threat actors
- Network Visibility: Gaining deeper insights into the types of systems connecting to your infrastructure
Learn more on GitHub
Discover the TCP Fingerprint Firewall and start using it on GitHub.
About ELLIO
ELLIO is a research-driven lab focused on real-time detection and analysis of network reconnaissance and mass exploitation. We provide threat intelligence at the earliest stages of the attack lifecycle - when adversaries signal intent before impact. ELLIO helps organizations neutralize threats upstream, before incidents escalate and become costly.
- Mass Exploitation and Recon Threat Intelligence
- Intelligent Threat Feeds for Operations
- Blocklist Automation
- IP Blocklists
- Recon IP Lists
- rDNS Lists
Written by
A team of passionate brand evangelists at ELLIO, connecting and supporting the cybersecurity community through events, knowledge sharing, and collaboration.