RE: Identifying Kernel 2.4.x based Linux machines using UDP

From: Fletcher, Stephen J (stephen.fletcherat_private)
Date: Wed Mar 20 2002 - 15:57:04 PST

Next message: Jonathan A. Zdziarski: "[Mozilla Bug #131761] Buffer Overflow in Geck/Netscape 5.0/6.0?"

Previous message: Brian Heathfield: "RE: Potential vulnerabilities of the Microsoft RVP-based Instant Messaging"
Maybe in reply to: Ofir Arkin: "Identifying Kernel 2.4.x based Linux machines using UDP"
Next in thread: Charles-Edouard Ruault: "Re: Identifying Kernel 2.4.x based Linux machines using UDP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I believe this was implemented with the ZeroCopy patch. Setting the sequence
number was removed where not needed to speed things up, which was the main
function of the ZeroCopy patch. The patch was included in the main tree
somewhere around 2.4.8. 

Regards
Stephen

-----Original Message-----
From: Crist J. Clark [mailto:crist.clarkat_private]
Sent: Wednesday, 20 March 2002 12:44 PM
To: Ofir Arkin
Cc: bugtraq
Subject: Re: Identifying Kernel 2.4.x based Linux machines using UDP

On Tue, Mar 19, 2002 at 11:12:36AM +0000, Ofir Arkin wrote:
> Subject: Identifying Kernel 2.4.x based Linux machines using UDP
> 
> Author: Ofir Arkin (ofirat_private)
> 
> 
> Linux Kernel 2.4.x has a bug with the UDP implementation which allows 
> both active and passive fingerprinting of Linux machines based on the 
> 2.4.x Kernel.

This is a feature, not a bug. (IIRC, I am not a Linux developer and do
not follow the Linux IP stack development.)

> The following is a simple nslookup query initiated from my Kernel 2.4.10 
> based Linux machine:
> 
> 03/16-11:49:41.531642 192.168.1.200:1024 -> x.x.x.x:53 UDP TTL:64 
> TOS:0x0 ID:0 IpLen:20 DgmLen:63 DF
             ^                    ^^
Note that the "Do not Fragment" bit is set. The sole purpose of the IP
ID field is to assist in the reassembly of fragmented datagrams. If
the packet cannot be fragmented, the IP ID field is useless. The Linux
IP stack designers have chosen to use a zero IP ID field when the
DF bit is set.

I am not a Linux IP developer, but I can think of several arguments to
do this. If you are really concerned with IP ID randomness (and
strangely enough, some people are), algorthims which produce "good"
random numbers tend to be computationally expensive. Why waste the
computations on the IP ID when it will never be used in DF packets?

Right now, Linux kernels are one of the few to do this, so it is a way
to fingerprint. But most everyone on this list knows fingerprinting is
usually very easy anyway and is not vulnerability per sae. Also
consider that other IP implementations may change to this behavior in
the future as it does make some sense.
-- 
Crist J. Clark                     |     cjclarkat_private
                                   |     cjclarkat_private
http://people.freebsd.org/~cjc/    |     cjcat_private

Next message: Jonathan A. Zdziarski: "[Mozilla Bug #131761] Buffer Overflow in Geck/Netscape 5.0/6.0?"
Previous message: Brian Heathfield: "RE: Potential vulnerabilities of the Microsoft RVP-based Instant Messaging"
Maybe in reply to: Ofir Arkin: "Identifying Kernel 2.4.x based Linux machines using UDP"
Next in thread: Charles-Edouard Ruault: "Re: Identifying Kernel 2.4.x based Linux machines using UDP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 16:48:32 PST