Who fingerprints your network traffic?

Discussion in 'privacy general' started by Searching_ _ _, Apr 27, 2011.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Assuming that DNS requests are the primary method for identifying a user by fingerprinting their network traffic, who has access to the DNS requests to make this type of analysis?

    Can I get access to DNS metrics to see what sites are requested the most or the least?

    The OS calls out and will make requests that help to identify it.
    Browsers each call out to the internet in their own way when run. Firefox, for example, calls out for safebrowsing cache updates to Google. Add-ons can call out, increasing the uniqueness to help identify a user.

    I assume the attacker's limitations are related to the level of network information they have access to; for example, a local attacker using Ettercap already knows where you are. Is that correct?

    You use Windows $even with Internet Explorer 9
    You use Windows Veesta with Opera
    You use Windows XP(lease don't crack me) with Firefox 3.x.x
    You use pUbuntu with Firefox 4.x.x with Noscript
    You use Fedora 21 with Monfox Browser
    You use OpenSUSE with Google Chrome version 99 a.k.a. "bottles o' beer" Beta

    Sure, each of these systems is unique when compared to the others, but what if they are all using the same browser? How much does the difficulty increase for an attacker in identifying a particular user if they are all using the same browser?

    You use Windows 7 with Firefox 4.x.x with Noscript
    You use Windows Vista with Firefox 4.x.x with Noscript
    You use Windows XP with Firefox 4.x.x with Noscript
    You use Ubuntu with Firefox 4.x.x with Noscript
    You use Fedora 12 with Firefox 4.x.x with Noscript
    You use OpenSUSE with Firefox 4.x.x with Noscript
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    ISP routers usually have primary/secondary DNS server IP addresses denoted in tables which can be modified to OpenDNS server IP addresses.

    Why assume DNS requests are the primary method for identifying a user by fingerprinting their network traffic?

    -- Tom
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    DNS is the first to call out from the host, so it would be my first guess.
    I'm sure a fingerprint requires more than one point for ID though.

    If most in the target's area use their ISP's DNS servers and the target uses OpenDNS, passive sniffing will alert you to the active target, no?

    l0t3k blog has some pretty cool white papers linked to, though I couldn't access all of them.
     
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    If a user retains the use of the ISP's DNS servers, then the ISP can log the DNS requests - if not, then not.

    Most ISP routers have an admin login account. If a user logs in, then they can change the default DNS servers from the ISP's (primary, secondary) DNS servers to e.g. OpenDNS. Then the ISP will no longer be able to log the user's DNS requests.

    -- Tom
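
An added example, not part of any post in this thread: a self-audit of your own resolver log, showing what anyone who can read the DNS requests learns from the automatic OS and browser lookups described in the first post. The dnsmasq `log-queries` line format is real; the log lines, client addresses, the short `CALLOUTS` table and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed, illustrative table: hostnames that software resolves without user action.
CALLOUTS = {
    "www.msftncsi.com": "Windows connectivity check",
    "changelogs.ubuntu.com": "Ubuntu update check",
    "safebrowsing.clients.google.com": "Safe Browsing list update",
}

QUERY = re.compile(r"query\[(?P<type>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample in dnsmasq "log-queries" format (not real traffic).
SAMPLE_LOG = """\
Apr 27 10:00:01 dnsmasq[812]: query[A] www.msftncsi.com from 192.168.1.10
Apr 27 10:00:04 dnsmasq[812]: query[A] safebrowsing.clients.google.com from 192.168.1.10
Apr 27 10:00:09 dnsmasq[812]: query[A] example.org from 192.168.1.10
Apr 27 10:01:12 dnsmasq[812]: query[A] changelogs.ubuntu.com from 192.168.1.11
Apr 27 10:01:15 dnsmasq[812]: query[A] safebrowsing.clients.google.com from 192.168.1.11
Apr 27 10:02:30 dnsmasq[812]: query[AAAA] www.msftncsi.com from 192.168.1.12
Apr 27 10:02:31 dnsmasq[812]: reply www.msftncsi.com is 192.0.2.7
Apr 27 10:02:40 dnsmasq[812]: query[A] Safebrowsing.Clients.Google.com from 192.168.1.12
"""

def profiles(log_text):
    """Map each client to the set of software labels its automatic lookups reveal."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if not m:
            continue  # reply/forward/cached lines carry no client address
        name = m.group("name").rstrip(".").lower()  # DNS names are case-insensitive
        labels = seen[m.group("client")]  # record the client even if nothing matches
        if name in CALLOUTS:
            labels.add(CALLOUTS[name])
    return dict(seen)

def anonymity_sets(profs):
    """Group clients whose revealed software sets are identical."""
    groups = defaultdict(list)
    for client, labels in profs.items():
        groups[frozenset(labels)].append(client)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for group in anonymity_sets(profiles(SAMPLE_LOG)):
        print(group)
```

Clients that end up in the same group look alike to an observer of these lookups; sharing a browser only helps when the OS-level callouts match as well.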
     