[IP] remote physical device fingerprinting
From: Kurt Albershardt <kurt@xxxxxx>
To: dave@xxxxxxxxxx
Subject: remote physical device fingerprinting
Date: Fri, 04 Mar 2005 11:41:59 -0800
Interesting paper.
http://www.caida.org/outreach/papers/2005/fingerprinting/
We introduce the area of remote physical device fingerprinting, or
fingerprinting a physical device, as opposed to an operating system or class
of devices, remotely, and without the fingerprinted device's known
cooperation. We accomplish this goal by exploiting small, microscopic
deviations in device hardware: clock skews. Our techniques do not require
any modification to the fingerprinted devices. Our techniques report
consistent measurements when the measurer is thousands of miles, multiple
hops, and tens of milliseconds away from the fingerprinted device, and when
the fingerprinted device is connected to the Internet from different
locations and via different access technologies. Further, one can apply our
passive and semi-passive techniques when the fingerprinted device is behind
a NAT or firewall, and also when the device's system time is maintained via
NTP or SNTP. One can use our techniques to obtain information about whether
two devices on the Internet, possibly shifted in time or IP addresses, are
actually the same physical device. Example applications include: computer
forensics; tracking, with some probability, a physical device as it connects
to the Internet from different public access points; counting the number of
devices behind a NAT even when the devices use constant or random IP IDs;
remotely probing a block of addresses to determine if the addresses
correspond to virtual hosts, e.g., as part of a virtual honeynet; and
unanonymizing anonymized network traces.