[unisog] Identifying if node is a router or PC

Frank Bulk frnkblk at iname.com
Tue Jul 17 19:27:18 GMT 2007


Huba:

Those are good ideas, but I was looking for something that didn't require
me to sniff traffic over time.  I was looking for "instant satisfaction" 
and it appears it will take a little bit of work to get the benefit of 
identifying NAT (again, not to be punitive, but to better understand our 
customer's network and accelerate the troubleshooting process.)

This functionality seems like the perfect thing to integrate into Argus
or Snort.

Frank

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Huba Leidenfrost
Sent: Tuesday, July 17, 2007 12:47 AM
To: frnkblk at iname.com, UNIversity Security Operations Group
Subject: Re: [unisog] Identifying if node is a router or PC

Frank,

Assuming you have sniffing access and know which routers are yours on your
networks, why not choose a vantage point and watch TTL values being
decremented and IP ID range shifts?  Only passage through a router should
decrement the TTL value.  IP IDs usually are in a running range from each
other; the same PC from behind a NAT box should have a consistently
incrementing set of IP IDs.  Combine those with User-Agent: string watching
from HTTP packets and you have a pretty decent combination of techniques to
spot your routers vs. PCs.  You could also throw into the mix mining of
netflow data to see which PCs are auto-updating (detect which are visiting
their vendor's update site(s)).

Anyway, just some thoughts.  If you want some perl code to do the IP ID and
TTL mining, shoot me some email and I can share.  I got some of the code
from an individual at Baylor.edu.  I have not added the "User-Agent" or
netflow mining yet but it's on the huge to-do list of ideas for a rainy day.
Maybe you'd like to add that part. ;-)  I was just interested in seeing how
accurate the TTL + IP ID bit was without too much effort. It's pretty
accurate.

Beauty is in the eye of the beholder and all that,

Huba Leidenfrost
huba at uidaho.edu
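
The TTL and IP ID heuristic Huba describes, as an added Python sketch (not Huba's Perl code, which is not on the page): packets seen at one vantage point are grouped by source address, router hops are estimated from the TTL relative to common OS initial values, and interleaved increasing IP ID runs are counted as a proxy for the number of hosts behind a NAT box. The packet tuple shape and the sample capture are constructed for the example.

```python
# Added example of the passive TTL + IP ID heuristic; not code from the thread.
from collections import defaultdict

# Initial TTLs used by common stacks. An observed TTL below one of these
# means the packet crossed routers between the host and the vantage point.
INITIAL_TTLS = (32, 64, 128, 255)


def hops_from_ttl(ttl):
    """Return the number of router hops implied by an observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return None  # unreachable for an 8-bit TTL


def count_ipid_sequences(ipids, max_gap=50):
    """Greedily split IP IDs into monotonically increasing runs.
    Each run approximates one host's IP ID counter; several interleaved
    runs from one source address suggest multiple PCs behind a NAT."""
    runs = []  # last IP ID seen in each run
    for ipid in ipids:
        for i, last in enumerate(runs):
            if last < ipid <= last + max_gap:
                runs[i] = ipid
                break
        else:
            runs.append(ipid)
    return len(runs)


def classify(packets):
    """packets: iterable of (src_ip, ttl, ip_id) tuples (constructed shape).
    Returns {src_ip: {"hops": int, "hosts": int, "behind_router": bool}}."""
    by_src = defaultdict(list)
    for src, ttl, ipid in packets:
        by_src[src].append((ttl, ipid))
    result = {}
    for src, obs in by_src.items():
        hops = max(hops_from_ttl(t) for t, _ in obs)
        hosts = count_ipid_sequences([i for _, i in obs])
        result[src] = {"hops": hops, "hosts": hosts, "behind_router": hops > 0}
    return result


# Constructed sample: 10.0.0.5 is a directly attached PC (TTL 128, one IP ID
# counter); 10.0.0.9 is a NAT box one hop away with two PCs behind it.
SAMPLE = [
    ("10.0.0.5", 128, 1000), ("10.0.0.5", 128, 1001), ("10.0.0.5", 128, 1002),
    ("10.0.0.9", 127, 500), ("10.0.0.9", 63, 7000), ("10.0.0.9", 127, 501),
    ("10.0.0.9", 63, 7001), ("10.0.0.9", 127, 502),
]

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE).items():
        print(src, verdict)
```

Stacks that randomise or zero the IP ID (common on modern hosts sending with DF set) defeat the run-counting half, so the TTL check should be weighted more heavily on current traffic.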
