Passive OS fingerprinting added to netfilter
The Linux packet filtering framework, netfilter, recently added a new capability: passive operating system fingerprinting (OSF). By observing the initial packet of a TCP/IP connection, the OSF module can often determine the operating system at the other end. Putting that capability into netfilter will allow administrators to use OS information as part of the rules they specify (for a firewall or other packet filtering application) with iptables.
Evgeniy Polyakov announced on his weblog that his implementation of OSF had been added to the netfilter tree. Some six years in the making for Linux, the feature has long been available for OpenBSD. The basic idea is that the network packets sent by a particular OS use different values for various TCP parameters. These values, along with the order and values of the TCP options, are unique enough to identify the OS and which version of the OS is running (generally within a range of versions).
This is considered passive fingerprinting because normal network traffic is examined, so there is nothing for the other end to notice—possibly changing its behavior. Nmap and other tools can do active fingerprinting, which means they generate traffic of various kinds to get a more accurate picture of the remote system. Active fingerprinting can be detected, but either kind of fingerprinting can be fooled by a system that takes steps to obscure its fingerprint—or emulate a different OS entirely.
Currently, in order to use OSF, one must patch the kernel and build user-space tools, but that will likely change with the 2.6.31 kernel—at least for the xt_osf.ko kernel module. The user-space tools (an iptables which is OSF-aware as well as a utility to dynamically load fingerprint information) may lag, depending on the distribution. A fingerprint file is available from OpenBSD, and can be used directly by the nfnl_osf utility to load the fingerprints into the kernel.
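To make the mechanism described above concrete, here is an added example, not code from the article or from the xt_osf module itself. It extracts the fields a passive fingerprinter looks at from an IPv4/TCP SYN (window size, TTL, DF bit, packet length and the order of TCP options) and matches them against a small signature table. The table entries, the OS labels and the sample packets are all constructed for illustration and do not reproduce the OpenBSD fingerprint file; the signature layout only loosely follows that file's `window:ttl:df:size:options` form.

```python
import struct

# Window spec "S4" means "window = 4 * MSS"; TTL spec is the assumed initial TTL.
# All signatures and labels below are CONSTRUCTED for this example, not real OS data.
SIGNATURES = [
    ("S4:64:1:60:M*,S,T,N,W*", "ConstructedOS-A"),
    ("8192:128:1:52:M*,N,W*,N,N,S", "ConstructedOS-B"),
]

def build_sample_syn(ttl, window, options, df=True):
    """Build a minimal IPv4 + TCP SYN packet in memory (checksums left zero; never sent)."""
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0, "options must pad the TCP header to a 4-byte boundary"
    total_len = 20 + tcp_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    off_flags = ((tcp_len // 4) << 12) | 0x02          # data offset + SYN flag only
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, window, 0, 0)
    return ip + tcp + options

# Constructed option blobs: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7 ...
OPTS_A = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!II", 12345, 0) \
         + b"\x01" + b"\x03\x03\x07"
# ... and MSS 1460, NOP, window scale 8, NOP, NOP, SACK-permitted.
OPTS_B = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"
SAMPLE_A = build_sample_syn(ttl=58, window=5840, options=OPTS_A)    # 6 hops from TTL 64
SAMPLE_B = build_sample_syn(ttl=115, window=8192, options=OPTS_B)   # 13 hops from TTL 128

def parse_tcp_options(raw):
    """Return [(kind_letter, value)] in wire order; bad lengths raise ValueError."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            opts.append(("E", None)); break
        if kind == 1:                       # NOP padding
            opts.append(("N", None)); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2 and length == 4:
            opts.append(("M", struct.unpack("!H", body)[0]))
        elif kind == 3 and length == 3:
            opts.append(("W", body[0]))
        elif kind == 4:
            opts.append(("S", None))
        elif kind == 8 and length == 10:
            opts.append(("T", struct.unpack("!II", body)))
        else:
            opts.append(("?%d" % kind, body))
        i += length
    return opts

def fingerprint(packet):
    """Pull the passively observable fields out of an IPv4/TCP SYN."""
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(packet) < ihl + 20:
        raise ValueError("not an IPv4/TCP packet")
    tcp = packet[ihl:]
    _sp, _dp, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if off_flags & 0x3F != 0x02:
        raise ValueError("not a pure SYN")  # only the initial packet is fingerprinted
    opts = parse_tcp_options(tcp[20:(off_flags >> 12) * 4])
    mss = next((v for k, v in opts if k == "M"), None)
    return {"window": window, "ttl": ttl, "df": (flags_frag >> 14) & 1,
            "size": total_len, "options": opts, "mss": mss}

def _window_ok(spec, fp):
    if spec == "*":
        return True
    if spec.startswith("S"):                # window expressed as a multiple of MSS
        return fp["mss"] is not None and fp["window"] == int(spec[1:]) * fp["mss"]
    return fp["window"] == int(spec)

def _ttl_ok(initial, observed):
    # Observed TTL has been decremented per hop; accept fewer than 32 hops of decay.
    return observed <= initial and initial - observed < 32

def _options_ok(spec, opts):
    tokens = spec.split(",") if spec else []
    if len(tokens) != len(opts):
        return False
    for tok, (kind, val) in zip(tokens, opts):
        if tok in ("T", "S", "N", "E"):
            if kind != tok: return False
        elif tok[0] in "MW" and kind == tok[0]:
            if tok[1:] != "*" and int(tok[1:]) != val: return False
        else:
            return False
    return True

def match(fp, signatures=SIGNATURES):
    """Return the labels of every signature consistent with the fingerprint."""
    hits = []
    for sig, label in signatures:
        w, t, d, s, o = sig.split(":")
        if (_window_ok(w, fp) and _ttl_ok(int(t), fp["ttl"]) and int(d) == fp["df"]
                and (s == "*" or int(s) == fp["size"]) and _options_ok(o, fp["options"])):
            hits.append(label)
    return hits

if __name__ == "__main__":
    for name, pkt in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, fingerprint(pkt)["window"], fingerprint(pkt)["ttl"], match(fingerprint(pkt)))
```

Two design points carry over to the real module: only the first SYN is inspected, because later packets of a connection have negotiated values that no longer reflect the stack's defaults, and the TTL is matched as a plausible decay from an initial value rather than exactly, since the hop count is unknown. Anything that rewrites these fields (a scrubbing firewall, a TCP proxy) makes the match less reliable, which is the obscuring the article mentions.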
Packet filtering based on the remote OS has a number of potential uses, from defending against a virus or denial of service attack that only comes from a particular OS to recognizing vulnerable OS installations on the network. As with most security tools, it can be used for good or ill, but it is a capability that mainline Linux has long lacked. It is nice to see that change.
| Index entries for this article | |
|---|---|
| Security | Linux kernel/Netfilter |
| Security | Tools/OS detection |