Home page logo

bugtraq logo Bugtraq mailing list archives

[Corrected Post] - The DF Bit Playground (Identifying Sun Solaris)
From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Wed, 13 Sep 2000 09:12:30 -0000

RFC 791 defines a three bits field used for various control flags in the IP

Bit 0 is the reserved flag, and must be zero.

Bit 1, is called the Don’t Fragment flag, and can have two values. A value
of zero
(not set) is equivalent to May Fragment, and a value of one is equivalent to
Fragment. If this flag is set than the fragmentation of this packet at the
IP level
is not permitted, otherwise it is.

Bit 2, is called the More Fragments bit. It can have two values. A value of
zero is
equivalent to (this is the) Last Fragment, and a value of 1 is equivalent to
Fragments (are coming).

The next field in the IP header is the Fragment Offset field, which
identifies the
fragment location relative to the beginning of the original un-fragmented
(RFC 791, bottom of page 23).

A close examination of the ICMP Query replies would reveal that some
operating systems
would set the DF bit with their replies.

The tcpdump trace below illustrates the reply a Sun Solaris 2.7 box produced
for an
ICMP Echo Request.

17:10:19.538020 if 4  > > x.x.x.x : icmp: echo request (ttl
255, id 13170)
                         4500 0024 3372 0000 ff01 9602 c348 a7dc
                         xxxx xxxx 0800 54a4 8d04 0000 cbe7 bc39
                         8635 0800
17:10:19.905254 if 4  < x.x.x.x > icmp: echo reply (DF) (ttl
233, id 24941)
                         4500 0024 616d 4000 e901 3e07 xxxx xxxx
                         c348 a7dc 0000 5ca4 8d04 0000 cbe7 bc39
                         8635 0800

In the recent SING CVS (12 September 2000), written by Alfredo Andres
Omella, which is
available from http://sourceforge.net/projects/sing, the option for
detecting if the DF
bit is set on an ICMP Query reply was added, after being request by me. The
is the same ICMP Echo request & reply, this time it is presented by SING:

[root () godfather bin]# ./sing -echo Host_Address
SINGing to www.openbsd.org (IP_Address): 16 data bytes
16 bytes from IP_Address: icmp_seq=0 DF! ttl=233 TOS=0 time=367.314 ms
16 bytes from IP_Address: icmp_seq=1 DF! ttl=233 TOS=0 time=320.020 ms
16 bytes from IP_Address: icmp_seq=2 DF! ttl=233 TOS=0 time=370.037 ms
16 bytes from IP_Address: icmp_seq=3 DF! ttl=233 TOS=0 time=330.025 ms

--- Host_Address sing statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 320.020/346.849/370.037 ms

Since www.openbsd.org uses a Sun Solaris operating system, it matches our

ICMP Query replies for an operating system maintains the same behavioral
Either they set the DF bit on all ICMP query reply types or they do not.

The following operating systems where queries and checked for this kind of
Linux Kernel 2.4 test 2,4,5,6; Linux Kernel 2.2.x; FreeBSD 4.0, 3.4; OpenBSD
NetBSD 1.4.1,1.4.2; BSDI BSD/OS 4.0,3.1; Solaris 2.6,2.7,2.8; HP-UX 10.20,
Compaq Tru64 5.0; Aix 4.1,3.2; Irix 6.5.3, 6.5.8; Ultrix 4.2 – 4.5; OpenVMS
Novel Netware 5.1 SP1, 5.0, 3.12; Microsoft Windows 98/98SE/ME, Microsoft
Windows NT
WRKS SP6a, Microsoft Windows NT Server SP4, Microsoft Windows 2000 Family.

Only one operating system sets the DF bit on its ICMP Query replies – Sun
It distinguishes Sun Solaris from the other group of operating systems very

This is a simple operating system fingerprinting method, which does not
additional or unusual patterns to be set.


Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."

  By Date           By Thread  

Current thread:
  • [Corrected Post] - The DF Bit Playground (Identifying Sun Solaris) Ofir Arkin (Sep 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]