COMMAND
kernel
SYSTEMS AFFECTED
Win2000, Ultrix, ....
PROBLEM
Ofir Arkin found following. Each IP Datagram has an 8-bit field
called the "TOS Byte", which represents the IP support for
prioritization and Type-of-Service handling.
The "TOS Byte" consists of three fields.
The "Precedence field", which is 3-bit long, is intended to
prioritize the IP Datagram. It has eight levels of prioritization.
Higher priority traffic should be sent before lower priority
traffic.
The second field, 4 bits long, is the "Type-of-Service" field. It
is intended to describe how the network should make tradeoffs
between throughput, delay, reliability, and cost in routing an IP
Datagram.
The last field, the "MBZ" (must be zero), is unused and must be
zero. Routers and hosts ignore this last field. This field is 1
bit long.
RFC 1349 states that the last field of the TOS byte, the "MBZ"
(must be zero), is unused and must be zero. The RFC also states
that routers and hosts ignore the value of this bit.
This is the only statement about the unused bit in the TOS Byte
in the RFCs. The RFC states: "The originator of a datagram sets
this field to Zero".
Obviously it was meant that this field would be always zero. But
what will happen if we would set this bit with our ICMP Echo
Requests? Will this bit be zero out on reply or will it be
echoed back?
The Method
==========
Only with ICMP Echo requests we can have a clear identification of
OSs. The next example is an ICMP Echo Request sent with the TOS
bit in the TOS Byte set, targeting a FreeBSD 4.1.1 machine:
[root@godfather /root]# /usr/local/bin/sing -c 2 -TOS 1 y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 16 data bytes
16 bytes from y.y.y.y: seq=0 ttl=233 TOS=1 time=330.461 ms
16 bytes from y.y.y.y: seq=1 ttl=233 TOS=1 time=723.300 ms
--- y.y.y.y sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 330.461/526.880/723.300 ms
[root@godfather /root]#
Echoing back the Unused bit in the TOS Byte represents the
behavior of most of the operating systems checked this method
against.
Which operating systems are the exceptions? The next example is
with Microsoft Windows 2000 Pro as the targeted machine:
[root@godfather precedence_echo]# /usr/local/bin/sing -c 2 -TOS 1 y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 16 data bytes
16 bytes from y.y.y.y: seq=0 ttl=111 TOS=0 time=299.188 ms
16 bytes from y.y.y.y: seq=1 ttl=111 TOS=0 time=280.321 ms
--- y.y.y.y sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 280.321/289.755/299.188 ms
[root@godfather precedence_echo]#
The tcpdump trace:
00:17:01.765492 ppp0 > x.x.x.x > y.y.y.y: icmp: echo request [tos 0x1] (ttl 255, id 13170)
4501 0024 3372 0000 ff01 d82b xxxx xxxx
yyyy yyyy 0800 f015 7a3c 0000 5dc5 0d3a
17ae 0b00
00:17:02.064284 ppp0 < y.y.y.y > x.x.x.x: icmp: echo reply (ttl 111, id 29961)
4500 0024 7509 0000 6f01 2696 yyyy yyyy
xxxx xxxx 0000 f815 7a3c 0000 5dc5 0d3a
17ae 0b00
Another OS that behaves the same is ULTRIX:
[root@godfather precedence_echo]# /usr/local/bin/sing -c 2 -TOS 1 y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 16 data bytes
16 bytes from y.y.y.y: seq=0 ttl=237 TOS=0 time=371.776 ms
--- y.y.y.y sing statistics ---
2 packets transmitted, 1 packets received, 50% packet loss
round-trip min/avg/max = 371.776/371.776/371.776 ms
[root@godfather precedence_echo]#
We will use, again, the IP TTL field value to differentiate
between the two operating systems.
Changed Pattern with Replies for Different ICMP Query Types
===========================================================
We have a changed pattern with Microsoft Windows 98/98SE/ME when
using other ICMP Query message types other than ICMP Echo Request.
Instead of echoing this field back, they will zero out this field
with their replies.
Further distinction between the Microsoft operating systems can
be achieved if we will query them with ICMP Address Mask request,
which only Microsoft Windows 98/98SE will answer for. The
Microsoft Windows ME will not reply, enabling us to identify it.
Operating systems verified against: LINUX based on Kernel 2.2.x &
2.4Tx; FreeBSD 4.0, 4.1.1; NetBSD; OpenBSD; Sun Solaris
2.6,2.7,2.8; HPUX 11.0; AIX 4.3,4.2.1,4.1,3.2; ULTRIX 4.2-4.5;
OpenVMS 7.1-2; Compaq Tru64 v5.6; DGUX v5.6; Microsoft Windows
98,98SE,ME, NT4SP6a Server, 2000 Pro, 2000 Server, 2000 Advanced
Server.
SOLUTION
Nothing yet.