Identifying Operating System Using Flow-Based Traffic Fingerprinting
Many vulnerabilities are operating system specific, so knowing the OS of every host in a network is a valuable asset for network administrators. While OS detection in a small network is an easy task, expanding the same process to a large scale becomes a challenge: weak detector performance, high-speed traffic and the large number of hosts are the issues to overcome. In this paper we propose a flow-based framework for large-scale OS detection. Furthermore, we describe the implementation of the framework in a flow probe, provide a performance comparison and share remarks on deployment in a real-world network.
Keywords: OS fingerprinting, Passive, High-throughput, p0f, Flow
This material is based upon work supported by Cybernetic Proving Ground project (VG20132015103) funded by the Ministry of the Interior of the Czech Republic.
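The abstract does not describe the matching logic, so the following is an added illustration (not the paper's framework or p0f's code) of how passive, p0f-style OS fingerprinting can be expressed over flow records rather than packets. It assumes a flow probe exports, per flow, the IP TTL and TCP window size seen in the client's first SYN; the flow records, field names and the signature table are constructed for this example and carry no real OS identities.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Common initial TTL values used by IP stacks; an observed TTL is rounded up
# to the nearest one to recover the sender's initial TTL and the hop distance.
INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Return the smallest common initial TTL >= observed_ttl, or None."""
    for t in INITIAL_TTLS:
        if observed_ttl <= t:
            return t
    return None


@dataclass(frozen=True)
class Signature:
    label: str        # placeholder label, not a real OS name
    initial_ttl: int  # initial TTL the stack is assumed to use
    window: int       # TCP window size carried in the SYN


# Constructed, illustrative signature table (hypothetical values).
SIGNATURES = (
    Signature("os-A", 64, 65535),
    Signature("os-B", 128, 8192),
    Signature("os-C", 64, 29200),
)


def fingerprint_flow(record):
    """Classify one flow record; returns (label, hop_distance).

    record is a dict with keys: src, ttl, win, syn (assumed export format).
    """
    initial = guess_initial_ttl(record["ttl"])
    if initial is None:
        return "unknown", None
    hops = initial - record["ttl"]
    for sig in SIGNATURES:
        if sig.initial_ttl == initial and sig.window == record["win"]:
            return sig.label, hops
    return "unknown", hops


def classify_hosts(records):
    """One verdict per source IP: majority vote over that host's client SYN flows.

    Flows without the SYN flag are skipped, because only the first SYN of a
    connection carries the parameters the signatures are based on.
    """
    votes = defaultdict(Counter)
    for r in records:
        if not r["syn"]:
            continue
        label, _hops = fingerprint_flow(r)
        votes[r["src"]][label] += 1
    return {ip: c.most_common(1)[0][0] for ip, c in votes.items()}


# Constructed sample flow records (hypothetical hosts and values).
SAMPLE_FLOWS = [
    {"src": "10.0.0.1", "ttl": 61, "win": 65535, "syn": True},
    {"src": "10.0.0.2", "ttl": 117, "win": 8192, "syn": True},
    {"src": "10.0.0.2", "ttl": 117, "win": 8192, "syn": True},
    {"src": "10.0.0.3", "ttl": 250, "win": 4096, "syn": True},
    {"src": "10.0.0.1", "ttl": 61, "win": 65535, "syn": False},  # not a SYN
]

if __name__ == "__main__":
    for ip, label in classify_hosts(SAMPLE_FLOWS).items():
        print(ip, label)
```

Aggregating per host rather than per flow is what makes the flow-based approach scale: the probe only needs a handful of header fields from the first SYN of each flow, and the inventory is built from counts rather than from full packet captures. Hosts whose SYN parameters match no signature stay "unknown" instead of being forced into a guess.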