From: "Rodney W. Grimes"
Message-Id: <201803220250.w2M2owMf024292@pdx.rh.CN85.dnsmgr.net>
Subject: Re: Same host or different? How can you tell "over the wire"?
In-Reply-To: <5843.1521677516@segfault.tristatelogic.com>
To: "Ronald F. Guilmette"
Date: Wed, 21 Mar 2018 19:50:58 -0700 (PDT)
CC: FreeBSD Net
List-Id: Networking and TCP/IP with FreeBSD

> In message <201803212204.w2LM4G8h023320@pdx.rh.CN85.dnsmgr.net>,
> "Rodney W. Grimes" wrote:
>
> >One thing you could look at is the OS finger printing of nmap,
> >that could look for possible things to differentiate the hosts.
>
> Yea, that idea occurred to me. But this solution has the same problem
> that I just mentioned in another one of my replies in this thread:
> Even if nmap says that two IP addresses have the exact same OS
> signature, that is far from enough to assert that they are both
> under the control of the exact same Bad Actor.

You are not going to prove the "control of the exact same Bad Actor"
without a warrant to search and seize. You might prove they are 2
different boxes if the nmap finger print shows a difference, but if
they show identical you have proved nothing.

> You certainly wouldn't want to send someone to prison, or even to
> after-school detention, based on such limited circumstantial evidence.
>
> >Depending on just what the host is there could be other tell-tale
> >signs picked up from "forensic" type of data captured
> >with tcpdump while playing known packet sequences against
> >each host at identical time.
>
> Such as?
>
> I'm all ears.

At this point I have to state I am not going to do your research work
for free. I have given you plenty of free leads to pursue.

> >What you ask I believe could be done, but it is non-trivial and
> >would require a very good understanding of both forensics
> >and the differing ways that TCP/IP is implemented.
>
> I like to think that I am a quick learner. Please proceed with the
> lesson.

The rates for lessons in Forensics start at reasonable enough amounts,
you can contact me off list if you wish to pursue that.

... rest deleted ...

--
Rod Grimes                                                 rgrimes@freebsd.org