14.03.2005 22:54

Recognizing a computer remotely

I recently got hold of a paper entitled "Remote physical device fingerprinting"; the main author is T. Kohno.

The paper is about being able to say whether the machine one trace (a number of packets) came from is the same one another trace came from. The method relies on clock skew and the way it shows up in the TCP Timestamp option.

The machines the authors observed had constant clock skew, so it looks like there is a way to recognize them this way, but... it's easy to trick: disable the option, use a lower clock resolution, or randomize a number of bits of the timestamp.
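To make the measurement concrete, here is an added Python example (not from the paper or this post) that estimates clock skew from (arrival time, TSval) pairs, compares two traces, and applies the low-bit randomization countermeasure mentioned above. The trace data is constructed, and the least-squares fit is a simplification of the paper's linear-programming fit.

```python
import random

# Constructed data: a trace is a list of (observer_arrival_time_s, tcp_tsval)
# pairs as a sniffer would record them. The sender's TSval ticks at `hz` on its
# own clock; arrival times come from the observer's clock.

def tsval_offsets(trace, hz):
    """(x, y) points: x = seconds elapsed on the observer's clock, y = how far
    the sender's TSval clock has drifted ahead of it (negative = behind)."""
    t0, ts0 = trace[0]
    return [(t - t0, (ts - ts0) / hz - (t - t0)) for t, ts in trace]

def fit_skew(trace, hz):
    """Least-squares line through the offset points; returns (skew_ppm,
    residual_std_s). Simplification: the paper fits a lower envelope with
    linear programming so that variable network delay does not bias the slope."""
    pts = tsval_offsets(trace, hz)
    n = len(pts)
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    slope = sum((x - mx) * (y - my) for x, y in pts) / sum((x - mx) ** 2 for x, _ in pts)
    resid = [y - (my + slope * (x - mx)) for x, y in pts]
    return 1e6 * slope, (sum(r * r for r in resid) / n) ** 0.5

def same_device(trace_a, trace_b, hz, tol_ppm=5.0):
    """Heuristic based on the paper's idea: attribute two traces to one physical
    clock when their skew estimates agree within tol_ppm."""
    return abs(fit_skew(trace_a, hz)[0] - fit_skew(trace_b, hz)[0]) <= tol_ppm

def synth_trace(skew_ppm, hz, n_packets, seed, max_delay=0.02):
    """Constructed trace: sender clock runs skew_ppm fast (or slow, if negative)
    relative to the observer, random inter-packet gaps, random network delay."""
    rng = random.Random(seed)
    t, trace = 0.0, []
    for _ in range(n_packets):
        t += rng.uniform(1.0, 30.0)                    # send time (observer clock)
        tsval = int(t * (1.0 + skew_ppm / 1e6) * hz)   # TSval from the skewed clock
        trace.append((t + rng.uniform(0.0, max_delay), tsval))
    return trace

def scramble_low_bits(trace, bits, seed=0):
    """Countermeasure from the text: randomize the low `bits` of every TSval,
    which swamps the slow drift signal the fit relies on."""
    rng = random.Random(seed)
    mask = (1 << bits) - 1
    return [(t, (ts & ~mask) | rng.getrandbits(bits)) for t, ts in trace]
```

With a 100 Hz timestamp clock, a few hundred packets over an hour or so are enough for the slope to settle to within a few ppm, while randomizing ten low bits raises the fit residual from milliseconds to seconds.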

This work doesn't mean that privacy on the Net has ended (as the ZDNet article suggests). The idea is interesting, but may be hard to use, especially for tracking a very large number of machines. At this time it's much more usable for finding out whether the machine we're observing is a physical one rather than an emulated one (honeyd or similar software), because the emulator's implementation is not perfect and its timestamps don't behave like those of real systems. But that's only a matter of time...

When we want to recognize a computer, we need more than this one method (OS fingerprinting uses a large number of tests).

I found the differences between network stacks especially interesting. And the method of making Windows send timestamps (it doesn't by default in certain versions) is absolutely cool (read: the implementation is poor).

The paper (PDF format) can be downloaded from CAIDA or from the author's site.

Warning: the CAIDA version is 10MB (15 pages).


Posted by Mara | Categories: Security