Great news! ELLIO is launching a new open-source defense tool at Black Hat 2025 – the TCP Fingerprint Firewall. Built on high-performance eBPF technology, this firewall is designed to detect and block malicious scanners using advanced TCP fingerprinting techniques. It is built for a fast-moving threat landscape, especially in an era dominated by mass scanning and automated attacks.
- Date: Wednesday, August 6, 2025
- Where: Black Hat Arsenal 2025, Business Hall, Arsenal Station 3
- Presenters: Vlad Iliushin (ELLIO), Ken Webster (Thales)
- Black Hat 2025 website
What is TCP Fingerprint Firewall?
TCP Fingerprint Firewall is a new Recon Shield, a high-performance, eBPF-based network security tool that leverages TCP fingerprinting to detect and block malicious and promiscuous network scanners with high speed and accuracy. This open-source solution combines the power of XDP (eXpress Data Path) for inline packet processing with MuonFP’s advanced TCP fingerprinting capabilities, allowing security professionals to identify and block reconnaissance activities before they can map your network infrastructure.
Unlike traditional firewalls that operate on simple port/IP rules, TCP Fingerprint Firewall uses MuonFP-based fingerprints – subtle TCP header characteristics that identify scanning tools like Nmap, ZMap, and Masscan, as well as specific operating systems or devices.
The pattern-matching engine supports wildcards, allowing both exact fingerprint matches and broader pattern matches with minimal performance overhead.
About ELLIO
ELLIO is a research lab specializing in real-time detection and in-depth analysis of mass exploitation and recon activity. We uncover attack patterns, anomalies, and emerging threats – delivering actionable IP threat intelligence and tailored solutions to optimize existing resources, mitigate risks, and prevent losses from mass exploitation and network recon.
- IP Threat Intelligence & ELLIO Metadata Repository.
- Central IP Management and Monitoring.
- Intelligent Threat Feeds for Operations.
- Highly Adaptive, Automated IP Blocking.