Netsec is Dead(?): Modern Network Fingerprinting for the Darknet
Vlad Iliushin
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
Network fingerprinting — characterizing clients, servers, and connections from TCP/IP and TLS handshake data — is a practical, passive, low-noise technique for detecting mass scanners, identifying threat actors, and enriching detections without opening Wireshark or dumping a pcap. Vlad Iliushin, who helped found Avast's IoT lab and now works in cyber deception at Elio, walked through the current fingerprinting algorithm landscape (JA3, JA3N, JA4, p0f, and MONFP), showed how specific fingerprints identify ZMap, Masscan, and Shodan, and presented concrete detection and blocking strategies any security team can start using today.

---
AI review
Iliushin comes with a specific, practical, actionable talk on passive network fingerprinting that most defenders are underutilizing. The MONFP VPN overhead discrimination — WireGuard vs. OpenVPN vs. IKEv2 from MSS reduction alone — is the kind of operational detail that separates practitioners from people who read the blog posts.