[en] Fingerprinting networking equipment has many potential applications and benefits in network management and security. More generally, it is useful for the understanding of network structures and their behaviors. In this paper, we describe a simple fingerprinting mechanism based on the initial TTL values used by routers to reply to various probing messages. We show that main classes obtained using this simple mechanism are meaningful to distinguish routers platforms. Besides, it comes at a very low additional cost compared to standard active topology discovery measurements. As a proof of concept, we apply our method to gain more insight on the behavior of MPLS routers and to, thus, more accurately quantify their visible/invisible deployment.
Disciplines :
Sciences informatiques
Auteur, co-auteur :
Vanaubel, Yves ; Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Réseaux informatiques
Pansiot, Jean-Jacques
Mérindol, Pascal
Donnet, Benoît ; Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Algorithmique des grands systèmes
G. F. Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Nmap Project, 2009, see http://nmap.org/book/toc.html.
T. Kohno, A. Broido, and k. claffy, "Remote physical device fingerprinting," IEEE Transactions on Dependable and Secure Computing, Vol. 2, no. 2, pp. 93-108, May 2005.
F. Veysset, O. Courtay, and O. Heen, "New tool and technique for remote operating system fingerprinting," April 2002, see http://www.leetupload.com/database/Misc/Papers/remoteosdetection.pdf.
B. Donnet and T. Friedman, "Internet topology discovery: a survey," IEEE Communications Surveys and Tutorials, Vol. 9, no. 4, December 2007.
K. Keys, "Internet-scale IP alias resolution techniques," ACM SIGCOMM Computer Communication Review, Vol. 40, no. 1, pp. 50-55, January 2010.
N. Davis, "Initial TTL values," November 2011, see http://noahdavids.org/selfpublished/TTLvalues.html.
A. Sebastian, "Default time to live (TTL) values," December 2009, see http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/.
J. Postel, "Assigned numbers," Internet Engineering Task Force, RFC 1700, October 1994.
J. Sommers, B. Eriksson, and P. Barford, "On the prevalence and characteristics of MPLS deployments in the open Internet," in ACM SIGCOMM Internet Measurement Conference, November 2011.
B. Donnet, M. Luckie, P. Mérindol, and J.-J. Pansiot, "Revealing MPLS tunnels obscured from traceroute," ACM SIGCOMM Computer Communication Review, Vol. 42, no. 2, pp. 87-93, April 2012.
V. Jacobson et al., "traceroute," UNIX," man page, 1989, see source code: ftp://ftp.ee.lbl.gov/traceroute.tar.gz.
B. Augustin, X. Cuvellier, B. Orgogozo, F. Viger, T. Friedman, M. Latapy, C. Magnien, and R. Teixeira, "Avoiding traceroute anomalies with Paris traceroute," in Proc. ACM SIGCOMM Internet Measurement Conference (IMC), October 2006.
k. claffy, Y. Hyun, K. Keys, M. Fomenkov, and D. Krioukov, "Internet mapping: from art to science," in Proc. IEEE Cybersecurity Applications and Technologies Conference for Homeland Security (CATCH), March 2009.
M. Luckie, "Scamper: a scalable and extensible packet prober for active measurement of the Internet," in ACM SIGCOMM Internet Measurement Conference, November 2010.
B. Donnet, P. Raoult, T. Friedman, and M. Crovella, "Efficient algorithms for large-scale topology discovery," in Proc. ACM SIGMETRICS, June 2005.
L. Jacquin, V. Roca, M. A. Kaafar, F. Schuler, and J. L. Roch, "IBTrack: an ICMP black holes tracker," in Proc. IEEE Global Communications Conference (GLOBECOM), December 2012.
A. Medina, M. Allman, and S. Floyd, "Measuring interactions between transport protocols and middleboxes," in Proc. ACM SIGCOMM Internet Measurement Conference (IMC), October 2004.
M. H. Keio, Y. Nishida, C. Raiciu, A. Greenhalgh, M. Handley, and H. Tokuda, "Is it still possible to extend TCP," in Proc. ACM/USENIX Internet Measurement Conference (IMC), November 2011.
G. Detal, B. Hesmans, O. Bonaventure, Y. Vanaubel, and B. Donnet, "Revealing middlebox interference with tracebox," in Proc. ACM/USENIX Internet Measurement Conference (IMC), October 2013.
E. Rosen, A. Viswanathan, and R. Callon, "Multiprotocol label switching architecture," Internet Engineering Task Force, RFC 3031, January 2001.
R. Bonica, D. Gan, D. Tappan, and C. Pignataro, "ICMP extensions for multiprotocol label switching," Internet Engineering Task Force, RFC 4950, August 2007.
Fyodor, "Remote OS detection via TCP/IP stack fingerprinting," Phrack, Vol. 8, no. 54, October 1998, see http://nmap.org/nmap-fingerprinting- article.txt.
O. Arkin, "A remote active OS fingerprinting tool using ICMP," login: the Magazine of USENIX and Sage, Vol. 27, no. 2, pp. 14-19, October 2002.
J. Padhye and S. Floyd, "Identifying the TCP behavior of web servers," in Proc. ACM SIGCOMM, August 2001.
C. Smith and P. Grundl, "Know your enemy: Passive fingerprinting," March 2002, see http://www.linuxvoodoo.com/resources/ security/finger.
M. Zalewski, "p0f," see http://lcamtuf.coredump.cx/p0f3/.
J. Sherry, E. Katz-Bassett, M. Pimenova, H. V. Madhyastha, T. Anderson, and A. Krishnamurthy, "Resolving IP aliases with prespecified timestamps," in Proc. ACM/USENIX Internet Measurement Conference (IMC), November 2010.
H. V. Madhyastha, T. Isdal, M. Piatek, C. Dixon, T. Anderson, A. Krishnamurthy, and A. Venkataramani, "iPlane: An information plane for distributed services," in Proc. USENIX Symposium on Operating Systems Design and Implementation (OSDI), November 2006.
R. Sherwood, A. Bender, and N. Spring, "Discarte: a disjunctive Internet cartographer," in ACM SIGCOMM, August 2008.