Monday, January 02, 2006

`Fingerprinting' to unmask anonymous Web surfers

The Hindu Business Line : `Fingerprinting' to unmask anonymous Web surfers

Pratap Ravindran

Pune , Jan. 1

There is something about the imagined anonymity of cyberspace that encourages even the most cautious to indulge in bizarre behaviour.

Some pursue their more offbeat peccadilloes. Others post sensitive personal information, while yet others transact confidential business on-line. And yet others pester people with offensive correspondence or engage in highly actionable defamation. And finally, some send subversive e-mail messages using fake identities or `anonymising' services such as the one which disrupted the working of Parliament for a few hours recently.

The amusing thing is that they might as well be doing all these things in broad daylight, standing in the main square, for all the anonymity that cyberspace provides them.

Every activity on-line, without exception, can be tracked.

To begin with, the type of operating system that is being used can be identified in two different ways: actively or passively. Active OS `fingerprinting' is the most widely used method when analysing a system and involves, among other things, sending crafted, abnormal packets to the remote host and analysing the replies being returned from the remote host. Different TCP stacks give different replies and thereby enable analysers to recognise a particular OS.

However, if the remote host's network is protected by IDS or firewall devices, such attacks can be detected.

Passive OS fingerprinting, on the other hand, does not contact the remote host, but instead captures traffic coming from a connecting host going to the local network.

The fingerprinting is done without the remote host being aware that its packets — in specific, those packets that it sends when it seeks to establish a connection to a host on the local network — are being captured.

Active OS fingerprinting is quicker and a large number of hosts can be scanned in a short period of time. Passive fingerprinting, in comparison, is a considerably slower process and works best on historic data.
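The passive technique described above is what a p0f-style sensor does on its own network: it never sends a packet, but reads the TTL, window size and option layout the remote stack chose when it sent its SYN. The following is an added example, not code from the article or from any fingerprinting tool; the two stack profiles in SIGNATURES are illustrative assumptions, and the sample SYNs are constructed inline.

```python
"""Passive OS fingerprinting of a captured TCP SYN, p0f-style: nothing is
sent; the initial TTL, window size and TCP option layout that the remote
stack chose are read off the SYN and matched against known profiles."""
import struct

OPTION_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sackok", 8: "ts"}
# Illustrative profiles (assumption: approximate defaults of older stacks)
SIGNATURES = {
    (64, 5840, "mss,sackok,ts,nop,ws"): "Linux 2.4/2.6 (illustrative)",
    (128, 65535, "mss,nop,nop,sackok"): "Windows XP (illustrative)",
}

def parse_syn(frame):
    """Return (initial TTL guess, hop count, window, option layout) for an
    IPv4/TCP segment that is a bare SYN; raise ValueError otherwise."""
    ihl = (frame[0] & 0x0F) * 4
    ttl = frame[8]
    tcp = frame[ihl:]
    if (tcp[13] & 0x12) != 0x02:             # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    names, i = [], 0
    while i < len(opts) and opts[i] != 0:    # kind 0 ends the option list
        kind = opts[i]
        if kind != 1 and i + 1 >= len(opts):  # truncated option: stop parsing
            break
        names.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += 1 if kind == 1 else max(opts[i + 1], 2)   # NOP has no length
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return initial_ttl, initial_ttl - ttl, window, ",".join(names)

def fingerprint(frame):
    """Match the SYN against SIGNATURES; returns (label, hops away)."""
    initial_ttl, hops, window, layout = parse_syn(frame)
    return SIGNATURES.get((initial_ttl, window, layout), "unknown"), hops

def build_syn(ttl, window, options):
    """Constructed sample SYN (IPv4 + TCP, checksums left zero) for testing."""
    options += b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (5 + len(options) // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6,
                     0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + tcp

# Constructed option layouts: MSS 1460, SACK-permitted, timestamps, NOP, WS 7
LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"
WINXP_OPTS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"   # MSS 1460, NOP, NOP, SACK-permitted
```

The hop count (initial TTL guess minus observed TTL) is the same trick an IDS uses to notice when a host that should be one hop away suddenly appears several hops distant.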

Parenthetically, OS fingerprinting is used extensively by black hat attackers to obtain information about a host's OS before mounting an attack.

A meticulous attacker uses OS fingerprinting to gather information from a target network to build up a map of the OS the various hosts are running without triggering the network security devices.

A milestone of sorts was crossed by the good guys in March this year when Tadayoshi Kohno, a doctoral student at the University of California, put out a paper in which he revealed that he had found a way to identify computer hardware - as against OS - remotely to unmask anonymous Web surfers.

Tadayoshi Kohno wrote in his research paper: "There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting...without the fingerprinted device's known cooperation."

Internet surveillance groups were enthused to learn that with Kohno's technique, it was possible to track "a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts."

NAT, or network address translation, is a technique commonly used to make all the machines behind a firewall appear to share a single IP address on the public Internet.

Significantly, Kohno added that, "One could also use our techniques to help track laptops as they move, perhaps as part of a Carnivore-like project." Carnivore, it may be recalled, is the Internet surveillance software built by the Federal Bureau of Investigation.

In his paper, Kohno further enumerated some possible forensics applications - for instance, investigators could use his techniques "to argue whether a given laptop was connected to the Internet from a given access location."

Moreover, Kohno's technique could be used to "obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device."

The technique works, Kohno explained, by "exploiting small, microscopic deviations in device hardware: clock skews."

He explained in his paper that, in practice, his techniques "exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet."

"A fingerprinter can use the information contained within the TCP headers to estimate a device's clock skew and thereby fingerprint a physical device."

According to Kohno, "Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies."

"Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall."
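The clock-skew measurement quoted above can be reproduced on a few hundred timestamped packets: the offset between the device's TCP timestamp clock and the measurer's clock drifts linearly, and its slope is the skew. The block below is an added example and not code from Kohno's paper; it assumes the captured packets are (arrival time, TCP timestamp value) pairs, snaps the tick rate to a common value, and fits the skew with the upper-bounding line of least summed gap (the linear-programming formulation, solved here via the upper convex hull). The capture is constructed, including a second vantage point with a different path delay to show the estimate staying consistent.

```python
"""Clock-skew estimate from the TCP timestamp option, after Kohno et al.: the
device-time minus measurer-time offset grows linearly with slope = skew."""
from math import floor

COMMON_HZ = (1, 2, 10, 100, 250, 1000)   # typical TCP timestamp tick rates

def infer_hz(packets):
    """Snap the observed tick rate to a common TCP timestamp frequency."""
    (t0, v0), (tn, vn) = packets[0], packets[-1]
    return min(COMMON_HZ, key=lambda hz: abs(hz - (vn - v0) / (tn - t0)))

def offsets(packets, hz):
    """x_i: measurer seconds since first packet; y_i: device time minus x_i."""
    t0, v0 = packets[0]
    return [(t - t0, (v - v0) / hz - (t - t0)) for t, v in packets]

def upper_hull(pts):
    """Upper convex hull by monotone chain; pts must be sorted by x."""
    hull = []
    for p in pts:
        while len(hull) >= 2 and (
                (hull[-1][0] - hull[-2][0]) * (p[1] - hull[-2][1])
                - (hull[-1][1] - hull[-2][1]) * (p[0] - hull[-2][0]) >= 0):
            hull.pop()
        hull.append(p)
    return hull

def estimate_skew_ppm(packets):
    """Return (skew in ppm, tick rate). Delay and tick rounding only lower the
    offsets, so take the least-cost line upper-bounding all points (a hull edge)."""
    hz = infer_hz(packets)
    pts = offsets(packets, hz)
    n, sx, sy = len(pts), sum(x for x, _ in pts), sum(y for _, y in pts)
    hull = upper_hull(pts)
    edges = [((y2 - y1) / (x2 - x1), x1, y1)
             for (x1, y1), (x2, y2) in zip(hull, hull[1:])]
    # cost of an edge = summed vertical gap of its line above all points
    alpha = min(edges, key=lambda e: e[0] * sx + n * (e[2] - e[0] * e[1]) - sy)[0]
    return alpha * 1e6, hz

def synth_capture(skew_ppm, hz, n, base_delay, seed):
    """Constructed capture: (arrival time, timestamp) pairs from a device sending
    every 5 s, clock skew_ppm fast, over a path with base_delay + <=20 ms jitter."""
    out = []
    for i in range(n):
        true_t = 5.0 * i
        jitter = 0.02 * ((i * seed) % 101) / 100
        out.append((true_t + base_delay + jitter,
                    floor(12345 + hz * (1 + skew_ppm / 1e6) * true_t)))
    return out
```

Because only the slope matters, the constant path delay cancels out and the estimate survives a change of access point, which is exactly the property that makes the skew usable as a device identifier.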
