Passive OS Fingerprinting on Commodity Switches

Report ID: TR-010-19
Author: Rexford, Jennifer / Bai, Sherry / Kim, Hyojoon
Date: 2019-09-27
Pages: 13
Abstract:

OS fingerprinting allows network administrators to identify which operating systems are running on the hosts communicating over their network. This information is useful for detecting vulnerabilities and for administering OS-related security policies that block, rate-limit, or redirect traffic. Passive fingerprinting has distinct advantages over active approaches: it does not generate probes, which not only introduce additional network load but can also trigger alarms and get blocked by network address translators and firewalls. However, existing software-based passive fingerprinting tools cannot keep up with the traffic in high-speed networks. This paper presents P40f, a tool that runs on programmable switch hardware to perform OS fingerprinting and apply security policies at line rate. P40f is also self-learning: it collects information about traffic that cannot be fingerprinted so that new fingerprints can be learned in the future. We present our prototype, implemented in the P4 language, along with experiments we ran against packet traces from a campus network.