TY - GEN
T1 - Passive OS Fingerprinting on Commodity Switches
AU - Bai, Sherry
AU - Kim, Hyojoon
AU - Rexford, Jennifer
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Operating System (OS) fingerprinting allows network administrators to identify which operating systems are running on the hosts communicating over their network. This information is useful for detecting OS-specific vulnerabilities and for administering OS-related security policies that block, rate-limit, or redirect traffic. Passive fingerprinting can identify hosts' OS types without active probes that introduce additional network load. However, existing software-based passive fingerprinting tools cannot keep up with the traffic in high-speed networks. This paper presents P40f, a tool that runs on programmable switch hardware to perform OS fingerprinting and apply security policies at line rate. Unlike p0f, P40f can fingerprint devices' OS types and react to them (e.g., drop, rate-limit) in real time directly in the switch, without requiring any control-plane messages. P40f is a P4 implementation of an existing software tool, p0f. We present our prototype implemented with the P4 language, which compiles and runs on the Intel Tofino switch. We present experiments against packet traces from a real campus network, and make our code publicly available.
AB - Operating System (OS) fingerprinting allows network administrators to identify which operating systems are running on the hosts communicating over their network. This information is useful for detecting OS-specific vulnerabilities and for administering OS-related security policies that block, rate-limit, or redirect traffic. Passive fingerprinting can identify hosts' OS types without active probes that introduce additional network load. However, existing software-based passive fingerprinting tools cannot keep up with the traffic in high-speed networks. This paper presents P40f, a tool that runs on programmable switch hardware to perform OS fingerprinting and apply security policies at line rate. Unlike p0f, P40f can fingerprint devices' OS types and react to them (e.g., drop, rate-limit) in real time directly in the switch, without requiring any control-plane messages. P40f is a P4 implementation of an existing software tool, p0f. We present our prototype implemented with the P4 language, which compiles and runs on the Intel Tofino switch. We present experiments against packet traces from a real campus network, and make our code publicly available.
UR - http://www.scopus.com/inward/record.url?scp=85136828559&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85136828559&partnerID=8YFLogxK
U2 - 10.1109/NetSoft54395.2022.9844109
DO - 10.1109/NetSoft54395.2022.9844109
M3 - Conference contribution
AN - SCOPUS:85136828559
T3 - Proceedings of the 2022 IEEE International Conference on Network Softwarization: Network Softwarization Coming of Age: New Challenges and Opportunities, NetSoft 2022
SP - 264
EP - 268
BT - Proceedings of the 2022 IEEE International Conference on Network Softwarization
A2 - Clemm, Alexander
A2 - Maier, Guido
A2 - Machuca, Carmen Mas
A2 - Ramakrishnan, K.K.
A2 - Risso, Fulvio
A2 - Chemouil, Prosper
A2 - Limam, Noura
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 8th IEEE International Conference on Network Softwarization, NetSoft 2022
Y2 - 27 June 2022 through 1 July 2022
ER -