Passive OS Fingerprinting on Commodity Switches

September 27, 2019
OS fingerprinting allows network administrators to identify which operating systems
are running on the hosts communicating over their network. This information is useful
for detecting vulnerabilities and for enforcing OS-specific security policies that
block, rate-limit, or redirect traffic. Passive fingerprinting has distinct advantages
over active approaches: it sends no probes, so it adds no load to the network, does not
trigger alarms, and is not blocked by network address translators and firewalls.
However, existing software-based passive fingerprinting tools cannot keep up with the
traffic in high-speed networks. This paper presents P40f, a tool that runs on
programmable switch hardware to perform OS fingerprinting and apply security policies
at line rate. P40f is also self-learning: it collects information about traffic that
cannot be fingerprinted so that new fingerprints can be learned in the future. We
present our prototype, implemented in the P4 language, along with experiments we ran
against packet traces from a campus network.
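The core operation of a passive fingerprinter of the kind described above is to read a handful of header fields from a client's TCP SYN (initial TTL, window size, DF bit, TCP option order) and match them against a signature table, recording anything that matches nothing so that a signature can be written later. The following is an added Python illustration of that matching step; it is not P40f's P4 code, the signature values and the sample packets are constructed for this example, and the signature format is a simplified p0f-style tuple.

```python
"""Passive OS fingerprinting of a TCP SYN from IP/TCP header fields (added example)."""
import struct

# Hypothetical signature table (constructed values, not a real database):
# initial TTL, window size, DF bit, and the order of TCP options on the SYN.
SIGNATURES = [
    {"label": "linux-like", "ttl": 64, "win": 29200, "df": 1,
     "opts": ("mss", "sackok", "ts", "nop", "ws")},
    {"label": "windows-like", "ttl": 128, "win": 8192, "df": 1,
     "opts": ("mss", "nop", "ws", "nop", "nop", "sackok")},
]
OPT_NAMES = {2: "mss", 3: "ws", 4: "sackok", 8: "ts"}


def parse_syn(pkt):
    """Return the fields a passive fingerprinter keys on, or None if pkt is not an IPv4 TCP SYN."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != 6 or len(pkt) < ihl + 20:
        return None
    tcp = pkt[ihl:]
    _sport, _dport, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if (flags & 0x12) != 0x02:          # SYN set, ACK clear: only the client's first packet
        return None
    opts, i = [], 20
    while i < doff:                      # walk the option list in wire order
        kind = tcp[i]
        if kind == 0:                    # end of options
            break
        if kind == 1:                    # NOP has no length byte
            opts.append("nop")
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                   # malformed option; stop rather than loop forever
            break
        opts.append(OPT_NAMES.get(kind, "opt%d" % kind))
        i += length
    return {"ttl": ttl, "win": win, "df": (flags_frag >> 14) & 1, "opts": tuple(opts)}


def initial_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value to undo hop decrements."""
    for init in (32, 64, 128, 255):
        if ttl <= init:
            return init
    return 255


def fingerprint(pkt, signatures=SIGNATURES, unknown=None):
    """Return a signature label, "unknown", or None (not a SYN).

    Unmatched SYNs are appended to `unknown` so that their field values can be turned into
    new signatures later, mirroring the self-learning idea in the abstract.
    """
    fields = parse_syn(pkt)
    if fields is None:
        return None
    for sig in signatures:
        if (sig["ttl"] == initial_ttl(fields["ttl"]) and sig["win"] == fields["win"]
                and sig["df"] == fields["df"] and sig["opts"] == fields["opts"]):
            return sig["label"]
    if unknown is not None:
        unknown.append(fields)
    return "unknown"


def build_syn(ttl, win, df, opts_bytes, flags=0x02):
    """Construct a minimal IPv4+TCP packet (sample input for this example; checksums left zero)."""
    tcp_len = 20 + len(opts_bytes)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, ((tcp_len // 4) << 12) | flags, win, 0, 0)
    return ip + tcp + opts_bytes


# Constructed sample packets: option bytes are MSS(2), WS(3), SACKOK(4), TS(8) and NOP(1).
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"
LINUX_SYN = build_syn(61, 29200, 1, LINUX_OPTS)        # TTL 61: three hops from initial 64
WINDOWS_SYN = build_syn(126, 8192, 1, WINDOWS_OPTS)    # TTL 126: two hops from initial 128
ODD_SYN = build_syn(200, 5840, 0, b"\x02\x04\x05\xb4")  # matches nothing in the table
NOT_SYN = build_syn(64, 29200, 1, b"", flags=0x10)     # a bare ACK, ignored

if __name__ == "__main__":
    seen_unknown = []
    for name, pkt in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN), ("odd", ODD_SYN), ("ack", NOT_SYN)):
        print(name, fingerprint(pkt, unknown=seen_unknown))
    print("collected for learning:", seen_unknown)
```

The TTL rounding is what makes the match tolerant of path length, and the option order is kept as a tuple because two stacks with identical option sets but different ordering are distinguishable; this is the same header information a switch data plane can extract, which is why the abstract's line-rate claim is plausible for exactly these fields.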

