Bugtraq mailing list archives

Re: Remote Cisco Identification


From: br () DEEPTHOUGHT EE SIUE EDU (Basement Research)
Date: Wed, 20 Jan 1999 00:16:37 -0600


There are other ways in which Cisco routers can be identified
reliably; sometimes down to the minor release number.  We found
some of these while gathering information for a paper on
remote identification, which will be published at the NordU/USENIX 99
conference in February.

Briefly, some of these distinctive characteristics include:
- All versions from 10.3 through 11.3 respond to a SYN on an open port
with a SYN/ACK with an IP ID field of 0.
- Versions from 10.3 through 11.2 respond on closed and open ports to
packets not containing ACK, SYN or RST with a RST which contains an
incorrect ACK number.  On 10.3 and 11.0, we've seen ACK numbers which are
either 16 higher or 4 lower than the sequence number sent to the Cisco.  On
11.1, we've seen numbers 16 higher than they should be, and on 11.2,
the numbers have been 24 lower than expected.  The responses do not
seem extremely consistent.
- Versions from 10.3 through 11.1, and possibly others, will continue
to resend their SYN/ACK in response to an open-port SYN, even after receiving
a valid RST from the machine sending the SYN.  Usually, a total of
4 SYN/ACKs are sent by the router.
- Since sessions to routers are few and far between, most window sizes
returned by Cisco equal the default size used by the IOS.  On 10.3
through 11.1, the window size is 2144.  On 11.2, it is 4288.  IOS
only returns a non-zero window size when making the transition from the
TCP listen state to the SYN_RECVD state.

-speck
Basement Research
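The four traits listed in the post, written up as a small classifier so they can be checked against a packet capture of a router under one's own administration. This is an added example, not code from the post or from Basement Research; the `Exchange` record, its field names and the sample exchanges are constructed for illustration, and the version sets encode only what the post states (the "possibly others" caveat on SYN/ACK retransmission is carried as a comment, not modelled).

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# IOS trains the post reports on (constructed label set for this example)
ALL_VERSIONS: Set[str] = {"10.3", "11.0", "11.1", "11.2", "11.3"}


@dataclass
class Exchange:
    """One probe/reply pair as seen on the wire.

    Field names are assumptions for this example, not from any capture tool.
    """
    sent_flags: str               # TCP flags of the probe, e.g. "S", "F", "A"
    sent_seq: int                 # sequence number carried by the probe
    port_open: bool               # whether the probed port was listening
    resp_flags: Optional[str]     # flags of the reply ("SA", "R"), None if silent
    resp_ip_id: Optional[int] = None
    resp_ack: Optional[int] = None
    resp_window: Optional[int] = None
    synacks_after_rst: int = 0    # SYN/ACKs that kept arriving after we sent a RST


# RST ACK-number offsets (reply ACK minus probe sequence) the post reports
RST_ACK_OFFSETS = {
    16:  {"10.3", "11.0", "11.1"},
    -4:  {"10.3", "11.0"},
    -24: {"11.2"},
}


def candidates_for(x: Exchange) -> Set[str]:
    """IOS versions consistent with a single exchange, per the post's list.

    An exchange showing none of the listed traits narrows nothing; an
    exchange contradicting a trait shared by every listed train (IP ID 0
    on the SYN/ACK) rules all of them out.
    """
    cand = set(ALL_VERSIONS)

    if x.sent_flags == "S" and x.port_open and x.resp_flags == "SA":
        # 10.3 through 11.3 all answer an open-port SYN with IP ID 0
        if x.resp_ip_id != 0:
            return set()
        # default window: 2144 on 10.3 through 11.1, 4288 on 11.2
        if x.resp_window == 2144:
            cand &= {"10.3", "11.0", "11.1"}
        elif x.resp_window == 4288:
            cand &= {"11.2"}
        # 10.3 through 11.1 ("and possibly others") keep resending the
        # SYN/ACK after receiving a valid RST, usually four in total
        if x.synacks_after_rst > 0:
            cand &= {"10.3", "11.0", "11.1"}

    elif (not set(x.sent_flags) & set("ASR")) and x.resp_flags == "R" \
            and x.resp_ack is not None:
        # probe without ACK/SYN/RST answered by a RST with an off ACK number
        delta = x.resp_ack - x.sent_seq
        if delta in RST_ACK_OFFSETS:
            cand &= RST_ACK_OFFSETS[delta]
        # other offsets are not described by the post, so do not narrow

    return cand


def guess_ios(exchanges: List[Exchange]) -> Set[str]:
    """Intersect the candidate sets of all observed exchanges."""
    cand = set(ALL_VERSIONS)
    for x in exchanges:
        cand &= candidates_for(x)
    return cand


if __name__ == "__main__":
    # constructed sample: open-port SYN/ACK with IP ID 0, window 2144 and three
    # retransmitted SYN/ACKs, then a FIN probe answered by a RST acking seq-4
    sample = [
        Exchange("S", 1000, True, "SA", resp_ip_id=0, resp_window=2144,
                 synacks_after_rst=3),
        Exchange("F", 5000, False, "R", resp_ack=4996),
    ]
    print(sorted(guess_ios(sample)))
```

Each trait narrows the candidate set independently, so a capture that only contains SYN/ACKs still yields a (wider) answer, and a SYN/ACK with a non-zero IP ID empties the set rather than guessing, since the post lists no Cisco train that behaves that way.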
