Host fingerprinting

The technique of OS fingerprinting has been well documented. It lets you identify the operating system used by a remote host with a fair degree of certainty. Indeed, OpenBSD even supports this in its filter engine; for example, you can write a rule that assigns mail traffic from Windows machines to a lower-priority bandwidth queue than that from other machines (since such traffic is usually the result of a virus).

However, researcher Tadayoshi Kohno has come up with a much more sophisticated approach, based on measuring clock skew across TCP packets. The idea is that every machine's internal clock has a slightly different skew, and almost all TCP stacks timestamp packets using that clock as a reference point. By identifying the clock skew of a particular machine, e.g. a laptop, you can track that machine as it moves around the Internet, perhaps connecting from several different countries or via different dial-up nodes.
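
The measurement described above, as an added example that is not from the original post or from the research paper: it compares how fast a remote TCP timestamp counter advances against the observer's own clock. The tick rate `hz`, the function names and the constructed one-hour traces are assumptions, and an ordinary least-squares fit is used here as a simple stand-in for the paper's own estimator.

```python
"""Estimate a remote clock's skew from TCP timestamp values (added example)."""

WRAP = 2 ** 32  # the TCP timestamp value (TSval) is a 32-bit counter


def estimate_skew_ppm(samples, hz):
    """samples: [(local_receive_time_s, tsval)]; hz: ASSUMED remote tick rate.

    Returns the least-squares slope of (remote elapsed - local elapsed)
    against local elapsed time, in parts per million.
    """
    t0, prev = samples[0]
    ticks = 0
    xs, ys = [], []
    for t, tsval in samples:
        ticks += (tsval - prev) % WRAP   # unwrap the 32-bit counter
        prev = tsval
        x = t - t0                       # elapsed time on the observer's clock
        xs.append(x)
        ys.append(ticks / hz - x)        # drift of the remote clock so far
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return 1e6 * sxy / sxx


def constructed_trace(skew_ppm, hz=100, start_tsval=WRAP - 5000, n=360, step=10.0):
    """CONSTRUCTED observations, not captured traffic: one packet every `step`
    seconds for an hour, 20-24 ms of deterministic network jitter, and a
    counter that starts just below 2**32 so that it wraps during the trace."""
    out = []
    for i in range(n):
        sent = i * step
        tsval = (start_tsval + int(sent * (1 + skew_ppm / 1e6) * hz)) % WRAP
        jitter = 0.020 + 0.001 * ((i * 7) % 5)
        out.append((1_000_000.0 + sent + jitter, tsval))
    return out


if __name__ == "__main__":
    # Two hypothetical machines whose clocks run fast and slow respectively.
    for label, ppm in (("laptop A", 50.0), ("laptop B", -120.0)):
        est = estimate_skew_ppm(constructed_trace(ppm), hz=100)
        print(f"{label}: true {ppm:+.1f} ppm, estimated {est:+.2f} ppm")
```

Even with 10 ms timestamp ticks and several milliseconds of jitter, an hour of samples separates the two constructed clocks cleanly, which is why the skew can serve as a stable per-machine identifier regardless of the source address.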

All very ingenious, and with no end of big brother implications. Read more in this article at ZDNet Australia, or for the full technical details, check out his original research paper.