Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

not operationally relevant until it's used in the wild

  • From: k claffy
  • Date: Tue Mar 01 20:44:16 2005

but in the interest of full and early disclosure, etc

----- Forwarded message from k claffy <> -----

  Date: Tue, 1 Mar 2005 17:34:27 -0800
  From: k claffy <>
  Subject: [Caida] yoshi's study on remote physical device fingerprinting
  Cc: Tadayoshi Kohno <>
  Yoshi Kohno (doctoral student in UCSD's CSE program) just
  released an eye-opening paper demonstrating methods for remotely
  fingerprinting a physical device without any modification to
  or known cooperation from the fingerprintee.  At a high level,
  these techniques exploit microscopic deviations in device
  hardware: clock skews.  Specifically, they exploit the fact
  that most modern TCP stacks implement the TCP Timestamps Option
  (RFC 1323).  When this option is enabled, outgoing TCPs packets
  leak information about the sender's clock.  Yoshi's results
  further confirm a fundamental reason why securing real-world
  systems is so difficult: it is possible to extract security-relevant
  signals from data canonically considered to be noise. The
  equally disturbing corrolary is that there remain fundamental
  properties of networks that we have yet to integrate into our
  security models.
  please don't forward to any bad guys.  </cough>
  paper and abstract available here:
  	[mirror site]
    Our abstract:  We introduce the area of remote physical device 
    fingerprinting, or fingerprinting a physical device, as opposed to an 
    operating system or class of devices, remotely, and without the 
    fingerprinted device's known cooperation.  We accomplish this goal by 
    exploiting small, microscopic deviations in device hardware: clock 
    skews.  Our techniques do not require any modification to the 
    fingerprinted devices.  Our techniques report consistent measurements 
    when the measurer is thousands of miles, multiple hops, and tens of 
    milliseconds away from the fingerprinted device, and when the 
    fingerprinted device is connected to the Internet from different 
    locations and via different access technologies.  Further, one can 
    apply our passive and semi-passive techniques when the fingerprinted 
    device is behind a NAT or firewall, and also when the device's system 
    time is maintained via NTP or SNTP.  One can use our techniques to 
    obtain information about whether two devices on the Internet, possibly 
    shifted in time or IP addresses, are actually the same physical device. 
     Example applications include: computer forensics; tracking, with some 
    probability, a physical device as it connects to the Internet from 
    different public access points; counting the number of devices behind a 
    NAT even when the devices use constant or random IP IDs; remotely 
    probing a block of addresses to determine if the addresses correspond 
    to virtual hosts, e.g., as part of a virtual honeynet; and 
    unanonymizing anonymized network traces.
  Caida mailing list

----- End forwarded message -----

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.