There are other ways in which Cisco routers can be identified reliably; sometimes down to the minor release number. We found some of these while gathering information for a paper on remote identification, which will be published at the NordU/USENIX 99 conference in February. Briefly, some of these distinctive characteristics include:

- All versions from 10.3 through 11.3 respond to a SYN on an open port with a SYN/ACK with an IP ID field of 0.

- Versions from 10.3 through 11.2 respond on closed and open ports to packets not containing ACK, SYN or RST with a RST which contains an incorrect ACK number. On 10.3 and 11.0, we've seen ACK numbers which are either 16 higher or 4 lower than the sequence number sent to the Cisco. On 11.1, we've seen numbers 16 higher than they should be, and on 11.2, the numbers have been 24 lower than expected. The responses do not seem extremely consistent.

- Versions from 10.3 through 11.1, and possibly others, will continue to resend their SYN/ACK in response to an open-port SYN, even after receiving a valid RST from the machine sending the SYN. Usually, a total of 4 SYN/ACKs are sent by the router.

- Since sessions to routers are few and far between, most window sizes returned by Cisco equal the default size used by the IOS. On 10.3 through 11.1, the window size is 2144. On 11.2, it is 4288. IOS only returns a non-zero window size when making the transition from the TCP listen state to the SYN_RECVD state.

-speck
Basement Research
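As an added example (not part of the original post), the following Python snippet applies the four traits listed above to fields pulled from a captured handshake, for instance when auditing whether a router under your own management still exhibits these responses. The Observation fields and the sample values are constructed for illustration.

```python
# Added example: classify a captured TCP exchange against the IOS traits
# described in the post. All field names and sample values are constructed.
from dataclasses import dataclass
from typing import List

# Default IOS window sizes quoted in the post, keyed to the release range.
IOS_DEFAULT_WINDOWS = {2144: "10.3-11.1", 4288: "11.2"}

# (RST ACK number - probe SEQ) offsets quoted in the post, keyed to release.
RST_ACK_DELTAS = {16: "10.3/11.0/11.1", -4: "10.3/11.0", -24: "11.2"}

@dataclass
class Observation:
    synack_ip_id: int        # IP ID of the SYN/ACK answering our SYN
    synack_window: int       # TCP window advertised in that SYN/ACK
    synack_retransmits: int  # SYN/ACKs seen after we already answered with RST
    rst_ack: int             # ACK number in the RST answering a flagless probe
    probe_seq: int           # sequence number we used in that probe

def ios_traits(obs: Observation) -> List[str]:
    """Return every post-described IOS trait present in the observation."""
    traits = []
    if obs.synack_ip_id == 0:
        traits.append("synack-ipid-0 (IOS 10.3-11.3)")
    rng = IOS_DEFAULT_WINDOWS.get(obs.synack_window)
    if rng:
        traits.append(f"default-window-{obs.synack_window} (IOS {rng})")
    if obs.synack_retransmits >= 1:
        traits.append(f"synack-resent-after-rst x{obs.synack_retransmits} (IOS 10.3-11.1)")
    # A correct RST echoes our SEQ as its ACK; compute the signed 32-bit offset.
    delta = (obs.rst_ack - obs.probe_seq) & 0xFFFFFFFF
    if delta >= 0x80000000:
        delta -= 0x100000000
    ver = RST_ACK_DELTAS.get(delta)
    if ver:
        traits.append(f"rst-ack-delta {delta:+d} (IOS {ver})")
    return traits

def looks_like_ios(obs: Observation) -> bool:
    """Require at least two matching traits before calling it IOS-like."""
    return len(ios_traits(obs)) >= 2

# Constructed samples: one resembling an IOS 11.2 router, one a generic host.
ROUTER_SAMPLE = Observation(0, 4288, 0, rst_ack=976, probe_seq=1000)
HOST_SAMPLE = Observation(0x1F2A, 32120, 0, rst_ack=1000, probe_seq=1000)

if __name__ == "__main__":
    for name, obs in (("router", ROUTER_SAMPLE), ("host", HOST_SAMPLE)):
        print(name, looks_like_ios(obs), ios_traits(obs))
```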
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:23 PDT