Bugtraq mailing list archives

[Corrected Post] - The DF Bit Playground (Identifying Sun Solaris)


From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Wed, 13 Sep 2000 09:12:30 -0000

RFC 791 defines a three-bit field used for various control flags in the IP header.

Bit 0 is the reserved flag, and must be zero.

Bit 1 is called the Don't Fragment flag, and can have two values. A value of zero (not set) is equivalent to May Fragment, and a value of one is equivalent to Don't Fragment. If this flag is set then fragmentation of this packet at the IP level is not permitted, otherwise it is.

Bit 2 is called the More Fragments bit. It can have two values. A value of zero is equivalent to (this is the) Last Fragment, and a value of 1 is equivalent to More Fragments (are coming).

The next field in the IP header is the Fragment Offset field, which identifies the fragment location relative to the beginning of the original un-fragmented datagram (RFC 791, bottom of page 23).

A close examination of the ICMP Query replies would reveal that some operating systems would set the DF bit with their replies.

The tcpdump trace below illustrates the reply a Sun Solaris 2.7 box produced for an ICMP Echo Request.


17:10:19.538020 if 4  > 195.72.167.220 > x.x.x.x : icmp: echo request (ttl
255, id 13170)
                         4500 0024 3372 0000 ff01 9602 c348 a7dc
                         xxxx xxxx 0800 54a4 8d04 0000 cbe7 bc39
                         8635 0800
17:10:19.905254 if 4  < x.x.x.x > 195.72.167.220: icmp: echo reply (DF) (ttl
233, id 24941)
                         4500 0024 616d 4000 e901 3e07 xxxx xxxx
                         c348 a7dc 0000 5ca4 8d04 0000 cbe7 bc39
                         8635 0800


In the recent SING CVS (12 September 2000), written by Alfredo Andres Omella, which is available from http://sourceforge.net/projects/sing, the option for detecting if the DF bit is set on an ICMP Query reply was added, after being requested by me. The following is the same ICMP Echo request & reply, this time as presented by SING:

[root@godfather bin]# ./sing -echo Host_Address
SINGing to www.openbsd.org (IP_Address): 16 data bytes
16 bytes from IP_Address: icmp_seq=0 DF! ttl=233 TOS=0 time=367.314 ms
16 bytes from IP_Address: icmp_seq=1 DF! ttl=233 TOS=0 time=320.020 ms
16 bytes from IP_Address: icmp_seq=2 DF! ttl=233 TOS=0 time=370.037 ms
16 bytes from IP_Address: icmp_seq=3 DF! ttl=233 TOS=0 time=330.025 ms

--- Host_Address sing statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 320.020/346.849/370.037 ms


Since www.openbsd.org uses a Sun Solaris operating system, it matches our findings.

ICMP Query replies for an operating system maintain the same behavioral pattern: either they set the DF bit on all ICMP query reply types or they do not.

The following operating systems were queried and checked for this kind of behavior:
Linux Kernel 2.4 test 2,4,5,6; Linux Kernel 2.2.x; FreeBSD 4.0, 3.4; OpenBSD 2.7, 2.6;
NetBSD 1.4.1, 1.4.2; BSDI BSD/OS 4.0, 3.1; Solaris 2.6, 2.7, 2.8; HP-UX 10.20, 11.0;
Compaq Tru64 5.0; AIX 4.1, 3.2; Irix 6.5.3, 6.5.8; Ultrix 4.2 – 4.5; OpenVMS v7.1-2;
Novell Netware 5.1 SP1, 5.0, 3.12; Microsoft Windows 98/98SE/ME, Microsoft Windows NT
WRKS SP6a, Microsoft Windows NT Server SP4, Microsoft Windows 2000 Family.

Only one operating system sets the DF bit on its ICMP Query replies – Sun Solaris.
This distinguishes Sun Solaris from the other group of operating systems very easily.

This is a simple operating system fingerprinting method, which does not require additional or unusual patterns to be set.
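As an added example (not code from the post or from SING), the decoder below parses the two tcpdump hex dumps above and pulls out the RFC 791 flags field, so the DF-on-Echo-Reply behaviour can be checked programmatically from captured traffic. The masked x.x.x.x address bytes in the dumps are replaced with the placeholder 10.0.0.1 so the bytes parse; every other byte is taken verbatim from the trace.

```python
import struct

# Constructed from the two tcpdump hex dumps in the post. The masked x.x.x.x
# address is replaced by the placeholder 0a000001 (10.0.0.1), so the IP header
# checksums in these samples no longer validate; all other bytes are verbatim.
ECHO_REQUEST = ("4500 0024 3372 0000 ff01 9602 c348 a7dc "
                "0a00 0001 0800 54a4 8d04 0000 cbe7 bc39 8635 0800")
ECHO_REPLY = ("4500 0024 616d 4000 e901 3e07 0a00 0001 "
              "c348 a7dc 0000 5ca4 8d04 0000 cbe7 bc39 8635 0800")

IP_FLAG_DF = 0x4000        # RFC 791 flags bit 1: Don't Fragment
IP_FLAG_MF = 0x2000        # RFC 791 flags bit 2: More Fragments
FRAG_OFFSET_MASK = 0x1FFF  # 13-bit Fragment Offset, in units of 8 octets
ICMP_ECHO_REPLY = 0


def parse_ip_icmp(hexdump):
    """Decode the IPv4 header and the leading ICMP type/code of a hex dump."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    (ver_ihl, _tos, _total_len, ident, flags_off,
     ttl, proto, _csum) = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl + 4:
        raise ValueError("not a complete IPv4 datagram")
    fields = {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "df": bool(flags_off & IP_FLAG_DF),
        "mf": bool(flags_off & IP_FLAG_MF),
        "frag_offset": (flags_off & FRAG_OFFSET_MASK) * 8,  # in octets
    }
    if proto == 1:  # ICMP: type and code are the first two payload bytes
        fields["icmp_type"], fields["icmp_code"] = raw[ihl], raw[ihl + 1]
    return fields


def df_set_on_icmp_reply(hexdump):
    """True/False for the DF bit on an ICMP Echo Reply (the behaviour the post
    saw only from Solaris among the systems it tested); None when the packet
    is not an Echo Reply, so a non-reply is never mistaken for a negative."""
    f = parse_ip_icmp(hexdump)
    if f["proto"] != 1 or f.get("icmp_type") != ICMP_ECHO_REPLY:
        return None
    return f["df"]
```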

Cheers

Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."

