port scanning; OS-fingerprinting; network scanning; dynamic middleware
bits per day. This excludes intranet traffic. Meanwhile, the University of Hawaii estimated that the number of grains of sand on all beaches in the world can be approximated at 7.5×10^18
2. Background and Aims
3. Network and Host Fingerprinting: An Attacker Perspective
Time-to-Live (TTL) Value: Different OSs set different initial TTL values. For example, Windows 10 (Microsoft Corporation, Redmond, WA, USA) uses a default value of 128; Linux uses 64 and Solaris (Oracle Solaris, Redwood Shores, CA, USA) uses 254.
TCP Initial Sequence Number (ISN): Even though almost every OS now uses a non-guessable ISN (after Kevin Mitnick's famous attack), the microscopic drift in the central processing unit (CPU) clock has been used in the literature to enumerate the number of hosts inside a Network Address Translated (NATed) network. Even though every host behind a corporate network uses the Network Time Protocol (NTP) to synchronize its clock, there is always a microscopic drift in each clock, caused by inaccuracies in the clock crystals. The TCP-ISN generation algorithm uses the system clock as an input to its randomization process. From outside a NATed network, every connection appears to originate from a single source IP (or a small pool of IPs). However, the microscopic drift in each computer's real-time clock inside the NATed network can be exploited to count the number of hosts behind it.
There are a few TCP options that do not reveal OS information by themselves; however, they can be used together with other parameters to narrow down OS detection. They are the TCP timestamp option, Window Scaling, Maximum Segment Size (MSS), and Explicit Congestion Notification (ECN).
IP Identification field (IP-ID): The IP-ID field is a 16-bit field in the IP header. IP packets can also be tagged with a Don't Fragment (DF) bit, in which case the ID field can be ignored. Since the source host has no knowledge of the path MTU (maximum transmission unit), every IP packet carries a unique IP-ID value. Windows 95, 98 and the NT family incremented the IP-ID field by 128 rather than by 1; from Windows 2000 onwards, the increment was set to 1, like any other OS. Today the IP-ID does not reveal much information about the OS; however, different IP-ID mappings are used to enumerate the number of hosts inside a NATed environment. When replying to an ICMP Echo message, the Linux kernel uses an IP-ID value of 0 with the Don't Fragment (DF) flag set to 1, which makes a Linux kernel easy for an attacker to identify.
If a TCP synchronize (TCP-SYN) or a TCP finish (TCP-FIN) segment is sent to a closed port, different OSs running on a host behave differently, which facilitates OS detection.
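The following is an added example, not code from the paper: a passive audit that reads the header signals this section lists (initial TTL, IP-ID behaviour, and the Linux ICMP echo-reply pattern) from constructed packet captures, so a defender can see exactly what a host leaks before and after a normalizing middleware is placed in front of it. The PacketView fields, the INITIAL_TTLS table (filled with the defaults quoted in the text) and the hop-estimation heuristic are assumptions of this example.

```python
"""Passive header audit for the fingerprint signals described above (TTL,
IP-ID, DF). Added example, not the paper's code. Assumptions: the PacketView
fields, the INITIAL_TTLS table (built from the defaults the text quotes) and
the hop-estimation heuristic."""
from dataclasses import dataclass
from typing import Optional

# Initial TTL defaults as quoted in the text.
INITIAL_TTLS = {64: "Linux", 128: "Windows 10", 254: "Solaris"}


@dataclass
class PacketView:
    ttl: int
    ip_id: int
    df: bool
    proto: int                       # 1 = ICMP, 6 = TCP, 17 = UDP
    icmp_type: Optional[int] = None  # 0 = echo reply


def infer_initial_ttl(observed_ttl):
    """TTL only decrements in transit, so the initial value is the smallest
    known default >= the observed value; the difference is the hop count."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return None, None


def ttl_guess(observed_ttl):
    """(OS family, hops) from the TTL alone, or (None, None) if no default fits."""
    initial, hops = infer_initial_ttl(observed_ttl)
    return INITIAL_TTLS.get(initial), hops


def ipid_stride(packets):
    """Constant increment between consecutive IP-IDs, or None if not constant.
    The text notes Windows 95/98/NT stepped by 128, later systems by 1."""
    ids = [p.ip_id for p in packets if p.proto != 1]  # ICMP replies are checked separately
    if len(ids) < 2:
        return None
    deltas = {(b - a) % 65536 for a, b in zip(ids, ids[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def audit_host(packets):
    """Signals a passive observer can read from one host's packets."""
    signals = {}
    os_by_ttl, hops = ttl_guess(packets[0].ttl)
    if os_by_ttl:
        signals["ttl"] = (os_by_ttl, hops)
    # Linux answers ICMP echo with IP-ID 0 and DF set.
    if any(p.proto == 1 and p.icmp_type == 0 and p.ip_id == 0 and p.df for p in packets):
        signals["icmp_echo_reply"] = "Linux (IP-ID 0, DF set)"
    stride = ipid_stride(packets)
    if stride == 128:
        signals["ipid_stride"] = "Windows 95/98/NT (step 128)"
    elif stride == 1:
        signals["ipid_stride"] = "sequential (step 1)"
    return signals


# Constructed captures: four hosts as seen by an observer a few hops away.
SAMPLE_HOSTS = {
    "10.0.0.11": [PacketView(61, 0, True, 1, icmp_type=0),
                  PacketView(61, 5001, True, 6), PacketView(61, 5002, True, 6)],
    "10.0.0.12": [PacketView(126, 1000, True, 6), PacketView(126, 1001, True, 6),
                  PacketView(126, 1002, True, 6)],
    "10.0.0.13": [PacketView(250, 4096, False, 17)],
    "10.0.0.14": [PacketView(127, 256, False, 6), PacketView(127, 384, False, 6),
                  PacketView(127, 512, False, 6)],   # an older Windows stack, one hop away
}


def audit_all(hosts=SAMPLE_HOSTS):
    """Audit every host in the capture; returns {ip: signals}."""
    return {ip: audit_host(pkts) for ip, pkts in hosts.items()}


if __name__ == "__main__":
    for ip, signals in audit_all().items():
        print(ip, signals)
```

Running the audit on the constructed capture labels 10.0.0.11 as Linux three hops away (confirmed by its echo reply), 10.0.0.12 as Windows 10 two hops away with sequential IP-IDs, and 10.0.0.13 as Solaris by TTL alone; a single packet gives no IP-ID stride. A host whose TTL and IP-ID signals disagree, or change over time, is exactly what the middleware described later in the paper aims to present.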
4. Port Scanning
TCP connect(): This is the traditional way of making a TCP system call to establish a connection to an interesting port on a target host. If the destination host is listening on that port, the connect() request succeeds; otherwise, the port is unreachable. This method has two main advantages over the other methods: first, it does not require any administrative privilege; second, speed, since the attacker can hasten the scan by using many sockets in parallel. The downside is that this type of scan is easily detected and can be filtered.
TCP SYN scanning: the attacker sends a TCP-SYN segment as if about to open a “real” connection and waits for the SYN-Acknowledgement (SYN-ACK). A SYN-ACK indicates that the port is open and listening. A TCP Reset (TCP-RST) indicates that the port is either not available or not willing to accept a connection at this point in time. Since only a “simplex” connection is established between the attacker and the target host, this technique is often referred to as “half-open” scanning. One disadvantage is that newer firewalls immediately issue a TCP-RST segment without even forwarding the packet to the destination host.
TCP-FIN scanning: This method is used to overcome the disadvantage of TCP-SYN scanning. Newer firewalls and packet filters watch for TCP-SYN segments sent to prohibited ports (i.e., ports that are not open). Once a series of TCP-SYNs is detected, they block the attacker's IP address either permanently or for a timeout period. However, if an attacker transmits a TCP finish (TCP-FIN) segment to a closed port, the host tends to reply to the TCP-FIN segment with a proper TCP-RST, and TCP-FIN segments may pass through the network without being detected.
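The detection gap this section describes (filters that watch only for SYNs miss FIN probes) is illustrated by the following added example, which is not code from the paper. It runs a closed-port probe rule over constructed flow records: instead of keying on the probe's flag, it keys on the target's TCP-RST reply, so a bare FIN that draws a RST counts exactly like a bare SYN that does. The flow-record layout, the SAMPLE_FLOWS and the window and threshold defaults are assumptions of this example.

```python
"""Closed-port probe detector for the SYN and FIN scans described above.
Added example, not the paper's code. Assumptions: the flow-record tuple layout,
the constructed SAMPLE_FLOWS, and the window/threshold defaults."""
from collections import defaultdict, deque

# Constructed records: (time_s, src_ip, dst_ip, dst_port, client_flags, server_flags).
# Flags use tcpdump-style letters: S=SYN, A=ACK, F=FIN, R=RST; "" means no reply.
SAMPLE_FLOWS = [
    # 10.0.0.5: half-open (SYN) probes, one open port, five closed ports
    (0.0, "10.0.0.5", "10.0.0.20", 22, "S", "SA"),
    (0.1, "10.0.0.5", "10.0.0.20", 21, "S", "R"),
    (0.2, "10.0.0.5", "10.0.0.20", 23, "S", "R"),
    (0.3, "10.0.0.5", "10.0.0.20", 25, "S", "R"),
    (0.4, "10.0.0.5", "10.0.0.20", 110, "S", "R"),
    (0.5, "10.0.0.5", "10.0.0.20", 143, "S", "R"),
    # 10.0.0.9: bare FIN probes; the open port stays silent, closed ports answer RST
    (1.0, "10.0.0.9", "10.0.0.20", 22, "F", ""),
    (1.1, "10.0.0.9", "10.0.0.20", 21, "F", "R"),
    (1.2, "10.0.0.9", "10.0.0.20", 23, "F", "R"),
    (1.3, "10.0.0.9", "10.0.0.20", 25, "F", "R"),
    (1.4, "10.0.0.9", "10.0.0.20", 110, "F", "R"),
    (1.5, "10.0.0.9", "10.0.0.20", 143, "F", "R"),
    (1.6, "10.0.0.9", "10.0.0.20", 8080, "F", "R"),
    # 10.0.0.7: ordinary client with one mistyped port
    (2.0, "10.0.0.7", "10.0.0.20", 443, "S", "SA"),
    (2.5, "10.0.0.7", "10.0.0.20", 80, "S", "SA"),
    (3.0, "10.0.0.7", "10.0.0.20", 8443, "S", "R"),
    # 10.0.0.5 again, long after the window: must not be merged with the burst above
    (60.0, "10.0.0.5", "10.0.0.20", 8080, "S", "R"),
]

PROBE_KINDS = {"S": "syn", "F": "fin"}   # bare SYN and bare FIN are the probes of interest


def closed_port_probes(flows):
    """Yield (time, src, port, kind) for each bare SYN or bare FIN that drew a RST.
    The RST is the target's own statement that the port is closed, whatever the probe flag."""
    for ts, src, _dst, port, cflags, sflags in flows:
        if cflags in PROBE_KINDS and sflags == "R":
            yield ts, src, port, PROBE_KINDS[cflags]


def detect_scanners(flows, window_s=10.0, threshold=5):
    """Sources that hit >= threshold distinct closed ports within any window_s span.
    Returns {src: {"distinct_ports": n, "kinds": [...]}} for the widest window seen."""
    history = defaultdict(deque)   # src -> recent (time, port, kind) inside the window
    alerts = {}
    for ts, src, port, kind in sorted(closed_port_probes(flows)):
        recent = history[src]
        recent.append((ts, port, kind))
        while ts - recent[0][0] > window_s:   # drop probes that aged out of the window
            recent.popleft()
        ports = {p for _, p, _ in recent}
        if len(ports) >= threshold:
            alerts[src] = {"distinct_ports": len(ports),
                           "kinds": sorted({k for _, _, k in recent})}
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['distinct_ports']} closed ports probed via {', '.join(info['kinds'])}")
```

On the constructed records both 10.0.0.5 (SYN probes) and 10.0.0.9 (FIN probes) are reported, while the ordinary client with a single failed connection is not; a rule that looked only for SYN segments to closed ports, as the text says newer firewalls do, would have reported 10.0.0.5 alone. The window keeps an isolated later probe from the same source from being counted with the earlier burst; the threshold is the tuning knob against false positives on hosts that legitimately hit a few closed ports.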
5. SDMw: The Secure Dynamic Middleware Architecture
5.1. The SDMw Architecture
5.1.1. The Unified Header Generation Algorithm (UHGA)
5.1.2. SDMw Placement
5.1.3. The SDMw Black Box
5.1.4. Connectionless Datagram Service from Inside Hosts
5.1.5. Connection-Oriented TCP Service from Inside Hosts
5.1.6. Connection from External Hosts to an Internal Host
5.2. The Performance of the SDMw System
If the protocol number in the IP packet is 1 (ICMP), we keep the source and the destination IP addresses unchanged. We change the IP-ID field and flags to reflect the underlying TCP/IP kernel behavior (since SDMw uses the native Linux kernel behavior). We then record the time at which the packet was forwarded to CARD2. The difference between the two timestamps gives the latency due to SDMw processing, which includes OS scheduling latency. To minimize the latency due to running system services, we ran the system with only essential drivers and services. When a reply comes from the server, we simply forward it to the destination host without any modification.
If the protocol number in the IP packet is 6 (TCP), as before, we record the time at which the packet was received. We then inspect the TCP flags to determine the segment type.
If the received segment is a SYN (say with initial sequence number ISN_o), then the source host is trying to establish a new TCP connection with the server. In this case, the SDMw system creates a new ISN (ISN_n), based on the underlying Linux kernel, and records the mapping <ISN_o, ISN_n> in the translational table. Except for the socket information, SDMw modifies the other TCP window parameters to reflect the underlying Linux behavior. The modified TCP segment is wrapped in an IP packet, time-stamped and sent to the server through CARD2.
Whenever a reply (SYN-ACK for ISN_n) arrives from the server, SDMw must, based on the translational table, translate it into the SYN-ACK for ISN_o.
If a DATA segment with an implicit ACK is received from an inside host, it must be part of an ongoing connection. The sequence (SEQ) number of the DATA component must be changed by SDMw using the translational table, to reflect the change in the ISN: SDMw adds (ISN_n) to the original SEQ number given by the host's TCP segment to obtain the new SEQ number. Since the SEQ numbers of the downstream traffic (server to host) are unchanged by SDMw, the implicit ACK for the segment from the server is unchanged.
If a DATA segment from the server is received addressed to an inside host, the SEQ numbers pertaining to the DATA are unchanged. However, any implicit ACK (for the up-stream traffic) from the server is changed to reflect the implicit ACK for the original TCP-DATA segment from the host using the translational table.
If the received TCP segment is a FIN segment from a host, then, as for the DATA segment, the SEQ number of the FIN segment is changed to reflect the change in the ISN. Any FIN segment in the downstream traffic is unchanged.
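The connection-oriented path described above (SYN, SYN-ACK, DATA with implicit ACK, and FIN, each consulting the translational table) is modelled end to end in the following added example, which is not the paper's implementation. Assumed here are the Segment fields, the TranslationTable class keyed by the inside socket tuple, the injectable isn_source (standing in for the Linux kernel ISN generator the paper relies on), and the SYN_WINDOW profile value. The upstream SEQ rewrite applies the offset ISN_n − ISN_o modulo 2^32, which keeps the host's and the server's view of the sequence space consistent, and the downstream ACK rewrite undoes that offset, which is also what turns the server's SYN-ACK for ISN_n into the SYN-ACK for ISN_o.

```python
"""Worked model of the SDMw connection-oriented path described above.

Added example, not the paper's implementation. Assumed here: the Segment fields,
the TranslationTable class keyed by the inside socket tuple, the injectable
isn_source (standing in for the Linux kernel ISN generator the paper relies on),
and the SYN_WINDOW profile value. SEQ is shifted by ISN_n - ISN_o (mod 2^32)
upstream; ACK is shifted back by the same amount downstream."""
from dataclasses import dataclass, replace
import random
from typing import Optional

SEQ_MOD = 1 << 32
SYN_WINDOW = 29200   # assumed profile value advertised on rewritten SYNs


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str               # letters from "SAFPR", e.g. "S", "SA", "PA", "FA"
    seq: int
    ack: Optional[int] = None
    window: int = 0


class TranslationTable:
    """Holds the <ISN_o, ISN_n> pair for every connection SDMw has set up."""

    def __init__(self, isn_source=None):
        self.isn_source = isn_source or (lambda: random.getrandbits(32))
        self.entries = {}    # (host, hport, server, sport) -> (isn_o, isn_n)

    @staticmethod
    def _up_key(seg):
        return (seg.src, seg.sport, seg.dst, seg.dport)

    @staticmethod
    def _down_key(seg):
        # A server reply is looked up under the inside host's tuple.
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def upstream(self, seg):
        """Inside host -> server.
        SYN: mint ISN_n, record <ISN_o, ISN_n>, rewrite SEQ and the window.
        DATA/ACK/FIN: shift SEQ into the new space; ACK (server numbering) is left alone."""
        key = self._up_key(seg)
        if "S" in seg.flags and "A" not in seg.flags:
            isn_n = self.isn_source()
            self.entries[key] = (seg.seq, isn_n)
            return replace(seg, seq=isn_n, window=SYN_WINDOW)
        if key not in self.entries:
            return seg           # not a connection this table set up: pass through
        isn_o, isn_n = self.entries[key]
        return replace(seg, seq=(seg.seq + isn_n - isn_o) % SEQ_MOD)

    def downstream(self, seg):
        """Server -> inside host. SEQ is unchanged; ACK is shifted back into the
        host's numbering, which also turns the SYN-ACK for ISN_n into one for ISN_o."""
        key = self._down_key(seg)
        if key not in self.entries or seg.ack is None:
            return seg
        isn_o, isn_n = self.entries[key]
        return replace(seg, ack=(seg.ack - isn_n + isn_o) % SEQ_MOD)


def demo_connection(isn_n=0x90000000):
    """Push one constructed connection through the table with a fixed ISN_n and
    return the translated segments (SYN, SYN-ACK, ACK, DATA, server ACK, FIN)."""
    table = TranslationTable(isn_source=lambda: isn_n)
    host = dict(src="192.168.1.10", sport=40000, dst="203.0.113.5", dport=80)
    server = dict(src="203.0.113.5", sport=80, dst="192.168.1.10", dport=40000)
    syn = table.upstream(Segment(**host, flags="S", seq=1000, window=64240))
    syn_ack = table.downstream(Segment(**server, flags="SA", seq=5000, ack=isn_n + 1))
    ack = table.upstream(Segment(**host, flags="A", seq=1001, ack=5001))
    data = table.upstream(Segment(**host, flags="PA", seq=1001, ack=5001))  # 10 payload bytes assumed
    server_ack = table.downstream(Segment(**server, flags="A", seq=5001, ack=isn_n + 11))
    fin = table.upstream(Segment(**host, flags="FA", seq=1011, ack=5001))
    return syn, syn_ack, ack, data, server_ack, fin


if __name__ == "__main__":
    names = ["SYN", "SYN-ACK", "ACK", "DATA", "server ACK", "FIN"]
    for name, seg in zip(names, demo_connection()):
        print(f"{name:>10}: seq={seg.seq:#x} ack={seg.ack}")
```

The host never sees ISN_n: its SYN-ACK comes back acknowledging ISN_o + 1, and the server's acknowledgement of the 10 data bytes arrives as 1011 in the host's own numbering, while every upstream SEQ the server sees lives in the ISN_n space. The modular arithmetic matters when ISN_n is close to 2^32, where the translated sequence numbers wrap; the accompanying test exercises that case. Tear-down and external-to-internal connections (Section 5.1.6) are outside this example.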
SDMw introduces the following latency for connection-oriented and connectionless IP services:
The protocol field of the incoming IP packet needs to be examined in order to perform the correct action.
For connectionless IP or UDP services, only the IP-ID and flag fields need to be changed; there is no need to maintain any reference table.
For a connection-oriented TCP service, the latency depends on whether the incoming segment is a TCP-SYN or a DATA/ACK/FIN segment. For a new connection, SDMw must create a new ISN according to the OS fingerprint in use and create a mapping between the incoming ISN and the new ISN in the translational table. DATA/ACK/FIN segments are part of an ongoing TCP connection; in this case, based on the socket information, SDMw searches the table and finds the <ISN_o, ISN_n> mapping. Based on this mapping, the sequence number field in the TCP segment must be updated. For DATA/ACK/FIN segments, SDMw therefore introduces table-lookup latency along with sequence-number update latency.
In this paper, we proposed a novel idea to misguide an attacker during the fingerprinting process. We call our proposed system SDMw (Secure Dynamic Middleware). Our proposed system has several advantages compared with similar models or systems that attempt to prevent fingerprinting by hackers:
Systems that try to defeat fingerprinting, or to hide the network particularly from NMAP, expose themselves to fingerprinting. Our proposed system instead misguides the attacker by showing different OS characteristics at different times.
The SDMw system does not introduce severe latency. Since the SDMw system is rewriting the header, NAT can be incorporated with SDMw. In addition, SOCKS5 can be integrated with SDMw as well.
The SDMw system may be used effectively as a firewall. Since the SDMw system acts like a proxy, it can inspect incoming packets and decide whether to allow the packet into the external network or not. Unlike traditional firewalls, our proposed SDMw system can implement firewall rules based on a single machine, a port, or groups of hosts.
Conflicts of Interest
© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).