#1
Assuming that DNS requests are the primary method for identifying a user by fingerprinting their network traffic, who has access to the DNS requests to make this type of analysis?
Can I get access to DNS metrics to see what sites are requested the most or the least?

The OS calls out and will make requests that help to identify it. Browsers each call out to the internet in their own way when run. Firefox, for example, calls out for safebrowsing cache updates to Google. Add-ons can call out, increasing the uniqueness to help identify a user.

I assume the attacker's limitations are related to the level of network information they have access to; for example, a local attacker, using Ettercap, already knows where you are. Is that correct?

- You use Windows $even with Internet Explorer 9
- You use Windows Veesta with Opera
- You use Windows XP(lease don't crack me) with Firefox 3.x.x
- You use pUbuntu with Firefox 4.x.x with Noscript
- You use Fedora 21 with Monfox Browser
- You use OpenSUSE with Google Chrome version 99 a.k.a. "bottles o' beer" Beta

Sure, each of these systems is unique when compared to each other, but what if they are all using the same browser? How much does the difficulty increase for an attacker in identifying a particular user if they all are using the same browser?

- You use Windows 7 with Firefox 4.x.x with Noscript
- You use Windows Vista with Firefox 4.x.x with Noscript
- You use Windows XP with Firefox 4.x.x with Noscript
- You use Ubuntu with Firefox 4.x.x with Noscript
- You use Fedora 12 with Firefox 4.x.x with Noscript
- You use OpenSUSE with Firefox 4.x.x with Noscript
__________________
Americans are the enemy? Mil. can arrest you? What the heck is going on?
#2
ISP routers usually have primary/secondary DNS server IP addresses denoted in tables which can be modified to OpenDNS server IP addresses.
Why assume DNS requests are the primary method for identifying a user by fingerprinting their network traffic?

-- Tom
#3
Quote:
I'm sure a fingerprint requires more than one point for ID though. If most in the target's area use their ISP's DNS servers and the target uses OpenDNS, passive sniffing will alert you to the active target, no?

l0t3k blog has some pretty cool white papers linked to, though I couldn't access all of them.
__________________
Americans are the enemy? Mil. can arrest you? What the heck is going on?
#4
If a user retains the use of the ISP's DNS servers, then the ISP can log the DNS requests - if not, then not.
Most ISP routers have an admin login account. If a user logs in, then they can change the default ISP DNS servers from the ISP's (primary, secondary) DNS servers to e.g. OpenDNS. Then the ISP will no longer be able to log the user's DNS requests.

-- Tom
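The fields a DNS server operator can log from each request, together with the kind of most-requested tally asked about in the first post, shown as an added example that is not part of the thread. The packets are constructed with the helper `build_query`; the function names are hypothetical, 192.0.2.53 is a placeholder standing in for an ISP resolver, and 208.67.222.222 is an OpenDNS resolver address.

```python
import struct
from collections import Counter

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal RFC 1035 query (used only to construct the sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_query(packet):
    """Return (txid, qname, qtype) for the first question of a DNS query."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query with a question section")
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("bad label length")  # pointers not expected here
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(packet):  # terminating zero byte plus QTYPE and QCLASS
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return txid, ".".join(labels).lower(), qtype

def summarize(capture):
    """Count requested names and the resolver each query was addressed to."""
    names, resolvers = Counter(), Counter()
    for resolver_ip, packet in capture:
        try:
            _, qname, _ = parse_query(packet)
        except ValueError:
            continue  # skip malformed or non-query payloads
        names[qname] += 1
        resolvers[resolver_ip] += 1
    return names, resolvers

# Constructed sample: (destination resolver, UDP payload) pairs.
# 192.0.2.53 is a placeholder ISP resolver; 208.67.222.222 is OpenDNS.
SAMPLE = [
    ("192.0.2.53", build_query("www.example.com")),
    ("192.0.2.53", build_query("updates.example.net")),
    ("208.67.222.222", build_query("www.example.com")),
    ("208.67.222.222", build_query("WWW.Example.com", qtype=28)),
    ("208.67.222.222", b"\x00\x01"),  # malformed, skipped
]
```

`summarize(SAMPLE)` returns two counters: requested names (case-folded) and queries per resolver address.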