Same host or different? How can you tell "over the wire"?
Rodney W. Grimes
freebsd-rwg at pdx.rh.CN85.dnsmgr.net
Wed Mar 21 22:04:21 UTC 2018
>
> This problem has been perplexing me for ages and ages. I looked at it
> again, just briefly, and re-read parts of some potentially relevant
> RFCs, just the other day, but frankly, I'm just too ignorant and/or
> too stupid to be able to think up a solution, so I'll just drop the
> problem description here and see if any of you more knowledgeable
> people can devise or suggest a solution.
>
> The Problem:
>
> Suppose that there exist two IPv4 addresses, A and A'. Both addresses
> have the exact same set of ports open, and both respond in identical
> ways, at least at the application level, when sent identical inputs.
> In short, at the application layer level, at least, there appears to
> be no way to reliably differentiate between the case where the two
> IP addresses are being routed to a single common physical machine
> (or to a single common virtual OS instance) or to two separate physical
> machines (or two separate virtual OS instances).
>
> Is there any method which can be applied to A and A' over the
> Internet and which could reliably differentiate these two possible
> cases from one another (i.e. a single common host versus two separate
> hosts)?
>
> If any such method or mechanism exists, I would very much like to know
> all of the details thereof. Such a method, if one exists, would
> certainly have value in various types of forensic investigations.
>
>
> Regards,
> rfg
>
>
> P.S. It is my assumption that the kind of thing I'm looking for, if
> it exists at all, will be found somewhere below the application layer.
> I do not rule out however that there may be some way of differentiating
> the two cases described above by looking at application layer responses
> for some certain common applications. As far as I know however, it is
> not possible to make the desired differentiation on the basis of
> application layer responses for most typical network applications,
> e.g. various makes and model numbers of servers for HTTP, HTTPS,
> SMTP, SSH, DNS, etc. Of course, if I have simply missed something,
> and if there is in fact a way to differentiate the two cases on the
> basis of responses sent for any of these application protocols, then
> I sure would like to know about that too.
One thing you could look at is the OS fingerprinting of nmap,
that could look for possible things to differentiate the hosts.
Depending on just what the host is there could be other telltale
signs picked up from "forensic" type of data captured
with tcpdump while playing known packet sequences against
each host at identical times.
What you ask I believe could be done, but it is non-trivial and
would require a very good understanding of both forensics
and the differing ways that TCP/IP is implemented.
One simple thing is a record route of a packet, it might show
that the hosts are clearly at differing paths.
If the hosts are very different an ssh connect could
lead to an answer as it may give a differing answer string:
telnet freefall.freebsd.org 22
Trying 2610:1c1:1:6074::16:84...
Trying 96.47.72.132...
Connected to freefall.freebsd.org.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.5 FreeBSD-20170804
telnet localhost 22
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2 FreeBSD-20161230
Clearly these are 2 different machines....
It would also be possible to implement controlled DOS techniques
to cause "measurable" load on one IP, and then see if the other
IP has a similar measurable load factor. This does not work
well if the DOS technique causes a common mode issue, but that
just fails in the "cannot tell" mode.
--
Rod Grimes rgrimes at freebsd.org
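As an added example (not part of Rod's message or of any FreeBSD tool), the banner check above can be scripted: the SSH identification string is parsed per RFC 4253 section 4.2, and two strings are compared field by field. The banner values below are the two quoted in the message; hostnames and ports passed to grab_ssh_banner are the user's own.

```python
"""Compare SSH identification strings from two addresses to see whether they
can be told apart. RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
Added example; sample banners are the two quoted in the message above."""
import re
import socket

_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?")


def parse_ssh_banner(line: str):
    """Split an identification string into its fields; None if it is not one."""
    m = _BANNER_RE.match(line)
    if not m:
        return None
    return {"proto": m.group("proto"), "software": m.group("software"),
            "comments": m.group("comments") or ""}


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the first line the server sends (sshd sends its banner unprompted).
    Needs network access; host/port are whatever you are investigating."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:  # RFC 4253: max 255 bytes
            chunk = s.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").rstrip("\r\n")


def compare_banners(banner_a: str, banner_b: str):
    """Return ("different", [fields]) when the two sshd builds differ, otherwise
    ("cannot tell", []). Identical banners never prove a single host, and a
    differing banner only proves two distinct sshd instances, not two machines."""
    a, b = parse_ssh_banner(banner_a), parse_ssh_banner(banner_b)
    if a is None or b is None:           # not an SSH service on at least one side
        return ("cannot tell", [])
    differing = [k for k in ("proto", "software", "comments") if a[k] != b[k]]
    return ("different", differing) if differing else ("cannot tell", [])


if __name__ == "__main__":
    # The two banners quoted in the message (constructed input, no network needed).
    freefall = "SSH-2.0-OpenSSH_7.5 FreeBSD-20170804"
    local = "SSH-2.0-OpenSSH_7.2 FreeBSD-20161230"
    print(compare_banners(freefall, local))   # ('different', ['software', 'comments'])
```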