LNCS 2820 - Ambiguity Resolution via Passive OS Fingerprinting

More documents

Recommendations

Info

Ambiguity Resolution via Passive OS Fingerprinting 203 when all available memory resources are consumed, the memory manager calls back into these cache routines to free memory, effectively wiping out as much of the cache as needed for the system to continue monitoring. When memory resources become available again, the cache can be rebuilt. 7 Experiments and Results Using the mapping tool described in Section 4, we were able to map almost 1,200 hosts and identify 42 different operating systems. The TCP options tests gathered 223 unique responses from different operating systems 3 , which is a wealth of information that can be used to identify hosts. Further examination of TCP traffic, as shown in Table 4, yielded several common TCP SYN segments, that show the dispersion of SYNs to cover just over 50% (9 of 16) of the 16 SYNACK sub-tables. Table 4. Common options and variations of a TCP SYN Segment and the corresponding encoded options for the SYNACK sub-table lookup. # TCP options Encoding 1) 1 2) 2 3) 5 4) 5 5) 5 6) 13 7) 7 8) 15 9) 15 10) 15 11) 14 12) 2 13) 9 7.1 Drawbacks This solution suffers from the cold start dilemma: If no traffic has been seen by the IDS for a particular host that can be used to identify its ambiguity resolution policies, then nothing can be done if the first packets the IDS sees contain ambiguities. 3 This number does not consider the TTL value since the TTL varies depending on the path taken from the scanner to the host.
204 G. Taleck The “freshness” of the fingerprint database existing on the IDS is also another potential source of failure. While we do actively maintain our internal fingerprint database as described in Section 4, our current solution does not automatically fetch the latest copy on its own. We rely on the IDS administrators to occasionally refresh the packages . 7.2 Implications Because there does not exist a one-to-one mapping of operating system ambiguity resolution to TCP SYN/SYNACK negotiation behavior, this solution is prone to resolving ambiguities incorrectly. For example, a false negative would result if an administrator changes the default TCP behavior of his or her Windows 2000 server to match that of FreeBSD 5.0, which is then hit with an ambiguity attack for Windows 2000. Since the IDS identified the server as FreeBSD, which has a different ambiguity resolution policy than Windows 2000, the attack would be missed by the IDS. Similarly, false positives can also be generated in this scenario if the attacking IP fragments or TCP segments formatted for FreeBSD. However, note that an attacker is not able to change the IDS’s view of a server the IDS is trying to protect. They will only be able to change the identity of the system from they are connecting. 7.3 Comparison to Related Work 8 Future Work The approach described in this paper can be extended in many other directions, both to increase the accuracy of identifying end host network stacks and in resolving protocol ambiguities. Current passive OS fingerprinting works only with the IP and TCP headers, and even then not to their full extent. Research [21] has shown how web servers operate differently under congestion. The tcpanoly[20] tool uses many passive methods that could be integrated into the detection engine by noting gratuitous ACKing, Reno implementations, and other variations throughout a TCP conversation. The sensor has the ability to use temporal knowledge of a particular IPs passively detected OS fingerprint to statistically guess the OS type in a NATed environment. Passive fingerprinting can also be used to detect NATed hosts. Since NAT typically only rewrites IP addresses, and possibly TCP or UDP ports, and leaves other fields and options unscathed, the IDS can identify a NAT by counting the number of unique fingerprints for the same IP. If a fingerprint radically changes repeatedly in a given amount of time, a NAT can be detected and used more intelligently by the engine. We can increase the confidence level of SYNACK fingerprint lookups by paying closer attention when we cache values. When a SYNACK is cached, its
Page 1 and 2: Ambiguity Resolution via Passive OS
Page 3 and 4: 194 G. Taleck 2.2 Traffic Normaliza
Page 5 and 6: 196 G. Taleck IDS Client Server SYN
Page 7 and 8: 198 G. Taleck Minimal FTP Client FT
Page 9 and 10: 200 G. Taleck Table 2. Encoding of
Page 11: 202 G. Taleck that failed (either t
Page 15: 206 G. Taleck 7. Fyodor: Remote OS

LNCS 2820 - Ambiguity Resolution via Passive OS Fingerprinting

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?