Prevent fingerprinting ZMap by randomizing the IP ID

examples/probe-modules/module_tcp_cisco_backdoor.c

@@ -17,6 +17,7 @@
 
 #include "../../lib/includes.h"
 #include "../fieldset.h"
+#include "aesrand.h"
 #include "probe_modules.h"
 #include "packet.h"
 
@@ -64,7 +65,7 @@ static int synscan_init_perthread(void *buf, macaddr_t *src, macaddr_t *gw,
 
 static int synscan_make_packet(void *buf, UNUSED size_t *buf_len,
 			       ipaddr_n_t src_ip, ipaddr_n_t dst_ip, uint8_t ttl,
-			       uint32_t *validation, int probe_num,
+			       uint32_t *validation, int probe_num, aesrand_t *aes,
 			       UNUSED void *arg)
 {
 	struct ether_header *eth_header = (struct ether_header *)buf;
@@ -85,6 +86,8 @@ static int synscan_make_packet(void *buf, UNUSED size_t *buf_len,
 			 ip_header->ip_dst.s_addr, tcp_header);
 
 	ip_header->ip_sum = 0;
+	// set the IP id field to be a random value using the fast AES generator
+	ip_header->ip_id = (u_short)aesrand_getword(aes);
 	ip_header->ip_sum = zmap_ip_checksum((unsigned short *)ip_header);
 
 	return EXIT_SUCCESS;

src/probe_modules/module_bacnet.c

@@ -76,7 +76,8 @@ int bacnet_init_perthread(void *buf, macaddr_t *src, macaddr_t *gw, void **arg)
 
 int bacnet_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 		       ipaddr_n_t dst_ip, port_n_t dport, uint8_t ttl,
-		       uint32_t *validation, int probe_num, UNUSED void *arg)
+		       uint32_t *validation, int probe_num, aesrand_t* aes,
+		       UNUSED void *arg)
 {
 	struct ether_header *eth_header = (struct ether_header *)buf;
 	struct ip *ip_header = (struct ip *)(&eth_header[1]);
@@ -87,6 +88,8 @@ int bacnet_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 	ip_header->ip_dst.s_addr = dst_ip;
 	ip_header->ip_ttl = ttl;
 	ip_header->ip_sum = 0;
+	// set the IP id field to be a random value using the fast AES generator
+	ip_header->ip_id = (u_short)aesrand_getword(aes);
 
 	udp_header->uh_sport =
 	    htons(get_src_port(num_ports, probe_num, validation));

src/probe_modules/module_dns.c

@@ -776,7 +776,8 @@ int get_dns_question_index_by_probe_num(int probe_num) {
 
 int dns_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 		    ipaddr_n_t dst_ip, port_n_t dport, uint8_t ttl,
-		    uint32_t *validation, int probe_num, UNUSED void *arg)
+		    uint32_t *validation, int probe_num,
+		    aesrand_t* aes, UNUSED void *arg)
 {
 	struct ether_header *eth_header = (struct ether_header *)buf;
 	struct ip *ip_header = (struct ip *)(&eth_header[1]);
@@ -808,6 +809,8 @@ int dns_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 	ip_header->ip_src.s_addr = src_ip;
 	ip_header->ip_dst.s_addr = dst_ip;
 	ip_header->ip_ttl = ttl;
+	// set the IP id field to be a random value using the fast AES generator
+	ip_header->ip_id = (u_short)aesrand_getword(aes);
 	// Above we wanted to look up the dns question index (so we could send 2 probes for the same DNS query)
 	// Here we want the port to be unique regardless of if this is the 2nd probe to the same DNS query so using
 	// probe_num itself to set the unique UDP source port.

src/probe_modules/module_icmp_echo.c

@@ -163,7 +163,8 @@ static int icmp_echo_init_perthread(void *buf, macaddr_t *src, macaddr_t *gw,
 static int icmp_echo_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 				 ipaddr_n_t dst_ip, UNUSED port_n_t dst_port,
 				 uint8_t ttl, uint32_t *validation,
-				 UNUSED int probe_num, UNUSED void *arg)
+				 UNUSED int probe_num, aesrand_t* aes,
+				 UNUSED void *arg)
 {
 	struct ether_header *eth_header = (struct ether_header *)buf;
 	struct ip *ip_header = (struct ip *)(&eth_header[1]);
@@ -187,6 +188,9 @@ static int icmp_echo_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 	size_t ip_len = sizeof(struct ip) + ICMP_MINLEN + icmp_payload_len;
 	ip_header->ip_len = htons(ip_len);
 
+	// set the IP id field to be a random value using the fast AES generator
+	ip_header->ip_id = (u_short)aesrand_getword(aes);
+
 	ip_header->ip_sum = 0;
 	ip_header->ip_sum = zmap_ip_checksum((unsigned short *)ip_header);
 	*buf_len = ip_len + sizeof(struct ether_header);

src/probe_modules/module_icmp_echo_time.c

@@ -55,7 +55,8 @@ static int icmp_echo_init_perthread(void *buf, macaddr_t *src, macaddr_t *gw,
 static int icmp_echo_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 				 ipaddr_n_t dst_ip, UNUSED port_n_t dport,
 				 uint8_t ttl, uint32_t *validation,
-				 UNUSED int probe_num, UNUSED void *arg)
+				 UNUSED int probe_num, aesrand_t* aes,
+				 UNUSED void *arg)
 {
 	struct ether_header *eth_header = (struct ether_header *)buf;
 	struct ip *ip_header = (struct ip *)(&eth_header[1]);
@@ -88,6 +89,9 @@ static int icmp_echo_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 			sizeof(struct icmp_payload_for_rtt);
 	ip_header->ip_len = htons(ip_len);
 
+	// set the IP id field to be a random value using the fast AES generator
+	ip_header->ip_id = (u_short)aesrand_getword(aes);
+
 	ip_header->ip_sum = 0;
 	ip_header->ip_sum = zmap_ip_checksum((unsigned short *)ip_header);
 

src/probe_modules/module_tcp_synackscan.c

@@ -54,7 +54,7 @@ static int synackscan_make_packet(void *buf, UNUSED size_t *buf_len,
 				  ipaddr_n_t src_ip, ipaddr_n_t dst_ip,
 				  port_n_t dport, uint8_t ttl,
 				  uint32_t *validation, int probe_num,
-				  UNUSED void *arg)
+				  aesrand_t* aes, UNUSED void *arg)
 {
 	struct ether_header *eth_header = (struct ether_header *)buf;
 	struct ip *ip_header = (struct ip *)(&eth_header[1]);
@@ -66,6 +66,8 @@ static int synackscan_make_packet(void *buf, UNUSED size_t *buf_len,
 	ip_header->ip_src.s_addr = src_ip;
 	ip_header->ip_dst.s_addr = dst_ip;
 	ip_header->ip_ttl = ttl;
+	// set the IP id field to be a random value using the fast AES generator
+	ip_header->ip_id = (u_short)aesrand_getword(aes);
 
 	tcp_header->th_sport =
 	    htons(get_src_port(num_ports, probe_num, validation));

src/probe_modules/module_tcp_synscan.c

@@ -53,7 +53,7 @@ static int synscan_init_perthread(void *buf, macaddr_t *src, macaddr_t *gw,
 static int synscan_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 			       ipaddr_n_t dst_ip, port_n_t dport, uint8_t ttl,
 			       uint32_t *validation, int probe_num,
-			       UNUSED void *arg)
+			       aesrand_t* aes, UNUSED void *arg)
 {
 	struct ether_header *eth_header = (struct ether_header *)buf;
 	struct ip *ip_header = (struct ip *)(&eth_header[1]);
@@ -73,6 +73,10 @@ static int synscan_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 	tcp_header->th_sum = tcp_checksum(ZMAP_TCP_SYNSCAN_TCP_HEADER_LEN,
 					  ip_header->ip_src.s_addr,
 					  ip_header->ip_dst.s_addr, tcp_header);
+
+	// set the IP id field to be a random value using the fast AES generator
+	ip_header->ip_id = (u_short)aesrand_getword(aes);
+
 	// checksum value must be zero when calculating packet's checksum
 	ip_header->ip_sum = 0;
 	ip_header->ip_sum = zmap_ip_checksum((unsigned short *)ip_header);

src/probe_modules/module_tcp_synscan.h

@@ -27,7 +27,7 @@ int synscan_init_perthread(void *buf, macaddr_t *src, macaddr_t *gw,
 
 int synscan_make_packet(void *buf, ipaddr_n_t src_ip, ipaddr_n_t dst_ip,
 			uint8_t ttl, uint32_t *validation, int probe_num,
-			UNUSED void *arg);
+			aesrand_t* aes, UNUSED void *arg);
 
 void synscan_print_packet(FILE *fp, void *packet);
 

src/probe_modules/module_udp.c

@@ -270,7 +270,8 @@ int udp_init_perthread(void *buf, macaddr_t *src, macaddr_t *gw, void **arg_ptr)
 
 int udp_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 		    ipaddr_n_t dst_ip, port_n_t dport, uint8_t ttl,
-		    uint32_t *validation, int probe_num, UNUSED void *arg)
+		    uint32_t *validation, int probe_num, aesrand_t* aes,
+		    UNUSED void *arg)
 {
 	struct ether_header *eth_header = (struct ether_header *)buf;
 	struct ip *ip_header = (struct ip *)(&eth_header[1]);
@@ -285,6 +286,9 @@ int udp_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 	    htons(get_src_port(num_ports, probe_num, validation));
 	udp_header->uh_dport = dport;
 
+	// set the IP id field to be a random value using the fast AES generator
+	ip_header->ip_id = (u_short)aesrand_getword(aes);
+
 	ip_header->ip_sum = 0;
 	ip_header->ip_sum = zmap_ip_checksum((unsigned short *)ip_header);
 

src/probe_modules/module_udp.h

@@ -64,7 +64,8 @@ void udp_print_packet(FILE *fp, void *packet);
 
 int udp_make_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 		    ipaddr_n_t dst_ip, port_n_t dport, uint8_t ttl,
-		    uint32_t *validation, int probe_num, void *arg);
+		    uint32_t *validation, int probe_num, aesrand_t* aes,
+		    void *arg);
 int udp_make_templated_packet(void *buf, size_t *buf_len, ipaddr_n_t src_ip,
 			      ipaddr_n_t dst_ip, port_n_t dport, uint8_t ttl,
 			      uint32_t *validation, int probe_num, void *arg);

src/probe_modules/probe_modules.h

@@ -52,7 +52,7 @@ typedef int (*probe_make_packet_cb)(void *packetbuf, size_t *buf_len,
 				    ipaddr_n_t src_ip, ipaddr_n_t dst_ip,
 				    port_n_t dst_port, uint8_t ttl,
 				    uint32_t *validation, int probe_num,
-				    void *arg);
+				    aesrand_t* aes, void *arg);
 
 typedef void (*probe_print_packet_cb)(FILE *, void *packetbuf);
 

src/send.c

@@ -228,6 +228,7 @@ int send_run(sock_t st, shard_t *s)
 		zconf.probe_module->thread_initialize(
 		    buf, zconf.hw_mac, zconf.gw_mac, &probe_data);
 	}
+	aesrand_t* aes_rand_gen = aesrand_init_from_seed(random());
 	pthread_mutex_unlock(&send_mutex);
 
 	// adaptive timing to hit target rate
@@ -376,7 +377,7 @@ int send_run(sock_t st, shard_t *s)
 			zconf.probe_module->make_packet(
 			    buf, &length, src_ip, current_ip,
 			    htons(current_port), ttl, validation, i,
-			    probe_data);
+			    aes_rand_gen, probe_data);
 			if (length > MAX_PACKET_SIZE) {
 				log_fatal(
 				    "send",