Bugtraq mailing list archives
RE: Identifying Kernel 2.4.x based Linux machines using UDP
From: "Fletcher, Stephen J" <stephen.fletcher () eds com>
Date: Thu, 21 Mar 2002 10:57:04 +1100
I believe this was implemented with the ZeroCopy patch. Setting the sequence number was removed where not needed to speed things up, which was the main function of the ZeroCopy patch. The patch was included in the main tree somewhere around 2.4.8. Regards Stephen -----Original Message----- From: Crist J. Clark [mailto:crist.clark () attbi com] Sent: Wednesday, 20 March 2002 12:44 PM To: Ofir Arkin Cc: bugtraq Subject: Re: Identifying Kernel 2.4.x based Linux machines using UDP On Tue, Mar 19, 2002 at 11:12:36AM +0000, Ofir Arkin wrote:
Subject: Identifying Kernel 2.4.x based Linux machines using UDP Author: Ofir Arkin (ofir () atstake com) Linux Kernel 2.4.x has a bug with the UDP implementation which allows both active and passive fingerprinting of Linux machines based on the 2.4.x Kernel.
This is a feature, not a bug. (IIRC, I am not a Linux developer and do not follow the Linux IP stack development.)
The following is a simple nslookup query initiated from my Kernel 2.4.10 based Linux machine: 03/16-11:49:41.531642 192.168.1.200:1024 -> x.x.x.x:53 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:63 DF
^ ^^ Note that the "Do not Fragment" bit is set. The sole purpose of the IP ID field is to assist in the reassembly of fragmented datagrams. If the packet cannot be fragmented, the IP ID field is useless. The Linux IP stack designers have chosen to use a zero IP ID field when the DF bit is set. I am not a Linux IP developer, but I can think of several arguments to do this. If you are really concerned with IP ID randomness (and strangely enough, some people are), algorthims which produce "good" random numbers tend to be computationally expensive. Why waste the computations on the IP ID when it will never be used in DF packets? Right now, Linux kernels are one of the few to do this, so it is a way to fingerprint. But most everyone on this list knows fingerprinting is usually very easy anyway and is not vulnerability per sae. Also consider that other IP implementations may change to this behavior in the future as it does make some sense. -- Crist J. Clark | cjclark () alum mit edu | cjclark () jhu edu http://people.freebsd.org/~cjc/ | cjc () freebsd org
Current thread:
- Identifying Kernel 2.4.x based Linux machines using UDP Ofir Arkin (Mar 19)
- Re: Identifying Kernel 2.4.x based Linux machines using UDP Crist J. Clark (Mar 20)
- Re: Identifying Kernel 2.4.x based Linux machines using UDP Crist J. Clark (Mar 20)
- Re: Identifying Kernel 2.4.x based Linux machines using UDP Charles-Edouard Ruault (Mar 20)
- Re: Identifying Kernel 2.4.x based Linux machines using UDP Fyodor (Mar 25)
- <Possible follow-ups>
- RE: Identifying Kernel 2.4.x based Linux machines using UDP Fletcher, Stephen J (Mar 20)