[unisog] Consumer-grade networking in Residence Halls

kevin_amorin at harvard.edu
Fri Sep 2 21:36:04 GMT 2005

> What utilities and methods have others on this list used on their
> campuses?

We have been using DHCP fingerprinting to detect host OS.  The order of
the requested options in the DHCPDISCOVER can usually uniquely
identify the OS.  Some guys at University of Kansas published a SysAdmin
article on it a while back (02/05), and we now keep the signature file
updated.  This is also very handy in detecting NAT devices since
Linksys, Netgears, etc. each have identifiable DHCP option sets.

We also run custom snort signatures to look for NAT devices.  If a
packet with a decremented TTL (63,127,254) is seen on the local
network, the source MAC is likely that of a NAT device.  Some devices,
like the Cisco PIX, don't appear to decrement TTLs.  This isn't a 100%
solution, but we've found it to be "good enough" when combined with DHCP
fingerprinting and OUI lookups.

Dave LaPorte and I have added DHCP fingerprint functionality to
PacketFence (http://sourceforge.net/projects/packetfence/).  The
distribution includes up-to-date DHCP fingerprint signatures and a simple
snort signature for TTL decrement detection.  Special thanks to Robert
Lowe for the TTL-based NAT detection idea and for pointing us to the
SysAdmin article.

We do not hold a position on whether or not NATs are a good thing(tm),
we just offer the functionality.  :)

Kevin Amorin
Sr. Security & Network Engineer
KAmorin at Harvard.edu
JFK School of Government
Harvard University

PGP: D6BB 5665 BD1A 43ED 9AB8
           EFEB 3CCD 55D7 C13C 34BF
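
The two checks described in the message above, as an added example that is not part of the original post and is not PacketFence's code: it extracts the option 55 request order from a DHCP options field and counts local frames whose TTL looks decremented by one hop. The signature table, function names and sample data are constructed for illustration.

```python
# Added example: passive OS/NAT hints from DHCP option 55 order and IP TTLs.
# Signatures below are constructed placeholders, not real device fingerprints.
SIGNATURES = {
    (1, 3, 6, 15): "sample-router-A",
    (1, 15, 3, 6): "sample-os-B",   # same options, different order
}
DECREMENTED_TTLS = {63, 127, 254}   # values named in the post (64/128/255 minus one hop)

def parameter_request_list(options: bytes):
    """Return option 55 codes in wire order from a DHCP options field, or None."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(options):   # end option, or truncated header
            return None
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) < length:      # truncated value: do not guess
            return None
        if code == 55:
            return tuple(value)      # order is the fingerprint, so keep it
        i += 2 + length
    return None

def classify(options: bytes) -> str:
    prl = parameter_request_list(options)
    if prl is None:
        return "no-option-55"
    return SIGNATURES.get(prl, "unknown")

def nat_suspects(frames):
    """Count frames per source MAC whose TTL looks decremented by one hop."""
    hits = {}
    for mac, ttl in frames:
        if ttl in DECREMENTED_TTLS:
            hits[mac] = hits.get(mac, 0) + 1
    return hits

# Constructed sample: options after the magic cookie (53=DISCOVER, 55=list, 255=end).
SAMPLE_DISCOVER = bytes([53, 1, 1, 55, 4, 1, 3, 6, 15, 255])
# Constructed (source MAC, TTL) pairs; MACs are from the documentation range.
SAMPLE_FRAMES = [("00:00:5e:00:53:01", 63), ("00:00:5e:00:53:02", 128),
                 ("00:00:5e:00:53:01", 127), ("00:00:5e:00:53:03", 64)]

if __name__ == "__main__":
    print(classify(SAMPLE_DISCOVER))
    print(nat_suspects(SAMPLE_FRAMES))
```

A MAC that both matches a router signature and shows decremented TTLs is a stronger hint than either check alone; devices that do not decrement TTLs will not appear in the TTL count.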
