Passive OS-Fingerprinting with Netflow Data


NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. A NetFlow contains various information, source and destination address, ports, protocols, timestamps and more. A NetFlow collector will gather flows from many different devices (routers, switches, etc.) and visualize communication between hosts on the network. Many commercial and open-source software products exist for this purpose.

The Leibniz Supercomputing Centre of the Bavarian Academy of Sciences and Humanities (LRZ) operates the Munich Scientific Network (MWN). The MWN consists of a backbone network with routers and switches for connecting the networks of the institutions at the various locations. Every communication on this network can be made visible using NetFlow.

OS-Fingerprinting is often done by sending actively packets to a host and evaluating the data that is send back. This will cause additional traffic on the network and load on the system and will also leave traces in the log file. A more stealthy approach is passive OS-Fingerprinting. Many Tools will evaluate the 67-bit signature of TCP/IP-Headers to look up the corresponding OS in a database. This technique however requires a full packet capture - which is very expensive in a high speed network like the MWN. Other passive techniques will evaluate the content of HTTP GET requests. The user-agent will include the OS. This data can be extracted when only looking at the first packet in a HTTP flow. Encryption like TLS might hinder this approach. Since each OS will communicate with its own update service of its developer, it should be possible to identify the OS just by looking at communications patterns in regular Netflow data.

The outcome of this thesis should be a cost-effective and accurate solution for passive OS-Fingerprinting in large-scale, high-speed networks like the MWN.

Outline of this work:

Aufgabensteller: Prof. Dr. Helmut Reiser


Dauer der Diplomarbeit bzw. der Masterarbeit: gemäß Studienordnung

Anzahl Bearbeiter: 1


Last Change: Tue, 13 Aug 2019 11:16:35 +0200 - Viewed on: Mon, 26 Oct 2020 11:04:19 +0100
Copyright © MNM-Team - Impressum / Legal Info  - Datenschutz / Privacy