P40f: Passive Operating System Fingerprinting on Programmable Switches

Abstract

Operating system fingerprinting allows network administrators to identify which operating systems are running on end hosts within a network. This information is useful for detecting OS-related vulnerabilities within the network and for administering OSrelated security policies. Passive approaches to OS fingerprinting are better suited for these applications than active approaches: active probes can introduce additional load onto the network and can be blocked by network address translation (NAT) devices and firewalls. However, existing software tools for passive fingerprinting are still not sufficiently performant for network administration. This paper presents a passive OS fingerprinter that can run on programmable switch hardware, allowing for fingerprinting to be performed at line rate. The fingerprinter can also be used to enforce OS-dependent policies for reporting, blocking, or rate-limiting traffic directly in the data plane. Additionally, the tool is self-maintaining in that it is able to update its own OS fingerprinting rules over time. The tool is able to both learn new rules and verify existing rules by sending all unidentifiable packets and a small sample of identifiable packets to software for analysis.