Many security attacks on networked computers are based on specific known vulnerabilities and defects of a particular operating system. There are currently a very large number of such vulnerabilities, and the number grows daily. The general goal of an attacker in exploiting these vulnerabilities is to compromise the computer system that is executing the operating system, thus enabling the attacker to destroy, steal, or modify data, or to use the resources of the compromised system for misdeeds against others.
However, the vulnerabilities of one operating system generally cannot be used to attack a different operating system. For example, an attack scheme specific to the Solaris® operating system from Sun Microsystems would not provide the attacker with the desired results if launched against a computer running a Windows® operating system from Microsoft. It is therefore common for an attacker to search for systems running a specific operating system, because doing so increases the efficiency of the attack. This is analogous to “war dialing,” in which a modem is used to dial ranges of phone numbers to find systems reachable by phone line. Once an attacker has a list of “known systems,” such as “all systems running Windows Millennium Edition,” the attacker can initiate attacks specific to those systems. Accordingly, an attacker often eliminates attacks that would be pointless by first probing the targeted computer using techniques commonly referred to as “OS (operating system) fingerprinting.”
OS fingerprinting relies on characteristic responses to certain messages to identify an operating system. For example, operating systems that support communications over a TCP/IP (Transmission Control Protocol/Internet Protocol) network each implement the TCP/IP stack somewhat differently, so details such as the initial time-to-live value, the TCP window size, and the order of TCP options in a response vary from one implementation to another. Thus, to identify the operating system of a computer on a TCP/IP network, an attacker can send certain types of TCP/IP packets to the targeted computer and compare the responses received against the responses expected from various operating systems. One particularly powerful OS fingerprinting technique for TCP/IP networks relies on the Internet Control Message Protocol (ICMP), which is used to report errors in the processing of received packets and to carry diagnostic messages such as echo requests. See Ofir Arkin, ICMP Usage in Scanning, July 2000, available at the World Wide Web site of the Sys-Security Group.
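The following is an added example illustrating the compare-against-expected-responses technique described above; it is not code from the original document or from Arkin's paper. It parses a raw IPv4/TCP SYN-ACK header, extracts the implementation-dependent fields (initial TTL rounded up to a common starting value, the DF bit, the TCP window, and the TCP option order), and scores the result against a small signature table. The signature table and the SYN-ACK builder used to construct sample input are hypothetical and are not a real fingerprint database; Arkin's ICMP-based tests follow the same pattern with ICMP headers in place of the TCP header.

```python
import struct

# Hypothetical signature table (constructed for this example, NOT real OS data).
# Option letters: M=MSS, N=NOP, W=window scale, S=SACK permitted, T=timestamp, E=end of list.
SIGNATURES = {
    "hypothetical OS A": {"ttl": 64, "df": True, "window": 5840, "options": "MSTNW"},
    "hypothetical OS B": {"ttl": 128, "df": True, "window": 65535, "options": "MNWNNS"},
    "hypothetical OS C": {"ttl": 255, "df": False, "window": 8760, "options": "MNNT"},
}

# Constructed TCP option blobs used to build sample packets (hypothetical).
OPTS_A = bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10]) + b"\x00" * 8 + bytes([1, 3, 3, 7])  # M,S,T,N,W
OPTS_B = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 0, 1, 1, 4, 2])                           # M,N,W,N,N,S


def parse_ipv4(pkt):
    """Return the fingerprint-relevant IPv4 header fields and the encapsulated payload."""
    ver_ihl, _tos, _tlen, _id, flags_frag, ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "proto": proto, "payload": pkt[ihl:]}


def parse_tcp(seg):
    """Return window, flags and the option order string of a TCP segment."""
    _sport, _dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4            # header length in bytes
    names = {2: "M", 3: "W", 4: "S", 8: "T"}
    opts, i = [], 20
    while i < doff:
        kind = seg[i]
        if kind == 0:                       # end of option list
            opts.append("E")
            break
        if kind == 1:                       # NOP has no length byte
            opts.append("N")
            i += 1
            continue
        opts.append(names.get(kind, "?%d" % kind))
        i += seg[i + 1]                     # skip kind, length and data
    return {"window": window, "flags": off_flags & 0x1FF, "options": "".join(opts)}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common starting value (32/64/128/255)."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def extract_features(pkt):
    """The tuple of stack-specific values an attacker compares against expected responses."""
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(ip["payload"])
    return {"ttl": initial_ttl(ip["ttl"]), "df": ip["df"],
            "window": tcp["window"], "options": tcp["options"]}


def fingerprint(pkt):
    """Score the observed features against every signature; return (best name, fields matched)."""
    observed = extract_features(pkt)
    best, best_score = None, -1
    for name, sig in SIGNATURES.items():
        score = sum(observed[k] == v for k, v in sig.items())
        if score > best_score:
            best, best_score = name, score
    return best, best_score


def build_syn_ack(ttl, df, window, options):
    """Construct a sample IPv4+TCP SYN-ACK (no checksums) as a probed host might return it."""
    while len(options) % 4:
        options += b"\x00"
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 1000, 2001, (doff << 12) | 0x012, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return ip + tcp


if __name__ == "__main__":
    # A reply from "OS A" that has crossed 13 hops (TTL 64 -> 51) is still matched on all fields.
    print(fingerprint(build_syn_ack(51, True, 5840, OPTS_A)))
    print(fingerprint(build_syn_ack(120, True, 65535, OPTS_B)))
```

Rounding the TTL up to the nearest common starting value is what makes the comparison robust to the number of hops between attacker and target; the window size and option order are unaffected by the path and are matched exactly.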
Inspecting all incoming packets to determine whether a probe of the operating system identity is underway is impractical, both because of the number of different OS fingerprinting techniques and because of the difficulty of distinguishing legitimate network traffic from probe traffic. Instead, the prior art solutions to the problem focus on the outgoing packets. Arkin suggests blocking all outgoing ICMP packets. However, doing so prevents legitimate error messages from being communicated; for example, a host that cannot send ICMP Destination Unreachable messages cannot report unreachable ports or participate in path MTU discovery. Another proposed solution is to dynamically change the TCP/IP stack so that it emulates the TCP/IP stack of another operating system when processing outgoing packets. This approach is complex to implement and maintain, particularly for individual users or smaller organizations that do not have a dedicated computer support staff.