TCP SYN option VALUES contradict the OS its option order classifies as

net.tcp_syn_anomaly  ·  convicts

networklayer
coherencecategory

What it catches

The value-vs-order tell a hand-crafted TCP stack leaves when it copies a real OS's SYN option LAYOUT (which net.tcp_os_vs_ua's classifier keys on) but not the VALUES that go with it. Grounded in the p0f OS fingerprint corpus (real data): every macOS/iOS (darwin) signature advertises a SMALL TCP window scale (wscale<=4 across the whole p0f database — macOS 1/3/4, iOS 2), so a darwin-ORDERED SYN with wscale>5 is a forged stack, not a real Apple device. Conservative by construction: darwin-only + a margin above the p0f max (4) to 5, so it fires only on a value no real macOS/iOS emits; FP-safe against the option order a real device produces. Motivated by the os-spoof userspace-TCP forger (KS_PROFILE=macos-*), whose crafted darwin SYN carried wscale=6 — the prefix classifier (option order only) missed it, this catches it. EXPERIMENTAL: the analogous Windows/Linux window-scale value-check needs modern real-traffic SYN captures for FP-safe calibration (p0f's window/scale values are dated — modern Windows 10 uses window 64240 not p0f's 8192, and recent Linux uses 64240 not p0f's mss*20), routed to the external queue; only the darwin-wscale case is FP-safe from p0f alone. Arms-race step, not a durable wall: a forger that copies the FULL real signature (correct wscale) escapes — reinforcing that per-node/kernel fingerprint is forgeable and the durable signal is coordination + IP reputation.

Signals it reads

network.tcp_syn_anomaly

How it fires

present

Bypassed by 10

Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.

← all detections