Date: Wed, 21 Mar 2018 23:51:39 +0100 From: Eduardo Morras <emorrasg@yahoo.es> To: freebsd-net@freebsd.org Subject: Re: Same host or different? How can you tell "over the wire"? Message-ID: <20180321235139.1d96e600e76b455703f43f48@yahoo.es> In-Reply-To: <4903.1521667183@segfault.tristatelogic.com> References: <4903.1521667183@segfault.tristatelogic.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 21 Mar 2018 14:19:43 -0700 "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote: > > This problem has been preplexing me for ages and ages. I looked at it > again, just briefly, and re-read parts of some potentially relevant > RFCs, just the other day, but frankly, I'm just too ignorant and/or > too stupid to be able to think up a solution, so I'll just drop the > problem description here and see if any of you more knowledgable > people can devise or suggest a solution. > > The Problem: > > Suppose that there exist two IPv4 addresses, A and A'. Both addresses > have the exact same set of ports open, and both respond in identical > ways, at least at the application level, when sent identical inputs. > In short, at the application layer level, at least, there appears to > be no way to reliably differentiate between the case where the two > IP addresses are being routed to a single common physical machine > (or to a single common virtual OS instance) or to two separate > physical machines (or two separate virtual OS instances). > > Is there any method which can be applied to A and A' over the > Internet and which could reliably differentiate these two possible > cases from one another (i.e. a single common host versus two separate > hosts)? > > If any such method or mechanism exists, I would very much like to know > all of the details thereof. Such a method, if one exists, would > certainly have value in various types of forensic investigations. > Perhaps I don't understand the question but: A ping should measure the "distance" to A and A', traceroute works too. If you disable protections (firewalls, ids, etc) you could inject tcp packets with fake ips. Or make a dDoS to one, the other should stay alive. If you go to layer 2 there are mac differences. Take the whois info from both, it will be the same, but you can ask the owner to switch off one of them. If SNMP is enabled and accesible it must show some differences (ethernet mac) > Regards, > rfg > > > P.S. It is my assumption that the kind of thing I'm looking for, if > it exists at all, will be found somewhere below the application layer. > I do not rule out however that there may be some way of > differentiating the two cases described above by looking at > application layer responses for some certain common applications. As > far as I know however, it is not possible to make the desired > differentiation on the basis of application layer responses for most > typical network applications, e.g. various makes and model numbers of > servers for HTTP, HTTPS, SMTP, SSH, DNS, etc. Of course, if I have > simply missed something, and if there is in fact a way to > differentiate the two cases on the basis of responses sent for any of > these application protocols, then I sure would like to know about > that too. _______________________________________________ > freebsd-net@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" --- --- Eduardo Morras <emorrasg@yahoo.es>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180321235139.1d96e600e76b455703f43f48>