Netgate Discussion Forum

What can the ISP see?

General pfSense Questions
12 Posts 6 Posters 1.6k Views
    JollyCloudyCheergoose
    last edited by Jun 26, 2022, 3:24 AM

    I have pfSense installed with OpenVPN on a router. Assuming I’m using a random MAC address, what can the ISP know or uniquely identify about me?

    A) Can the ISP know the brand or model of my router?
    B) Can the ISP tell I’m using pfSense or is it just “a firewall”?

      JKnott @JollyCloudyCheergoose
      last edited by Jun 26, 2022, 12:53 PM

      @jollycloudycheergoose

      a) Why worry about it? I have Intel NICs, but I suspect I'm not alone in doing so.

      b) Just about everything has its own signature in some way. Again, why worry. If they see pfSense, they know you have a better firewall than many.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        AndyRH
        last edited by Jun 26, 2022, 1:39 PM

        If OpenVPN terminates at a VPN provider the ISP will know which VPN provider you use.
        The ISP can see your traffic patterns.
        Anyone on the internet can scan your IP and attempt to determine the firewall type.
        Your VPN provider and/or ISP can see everywhere you go on the internet.

        o||||o
        7100-1u

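The two things AndyRH lists, that the ISP learns which VPN endpoint you talk to and sees your traffic volume, can be shown concretely with an added example (it is not code from this thread, from OpenVPN or from pfSense). It relies on one protocol fact: the first byte of every OpenVPN packet is the opcode and key id, and that byte stays in the clear even with tls-auth or tls-crypt, so the handshake is recognisable on any port. The session id, flow records, addresses and the hypothetical NetFlow-style aggregation are all constructed for illustration:

```python
"""What a passive observer on the WAN side can recover from OpenVPN traffic.

Added example for this thread, not OpenVPN or pfSense project code. The packets
and flow records below are constructed for illustration; the addresses are from
documentation ranges and stand in for "the VPN provider" and "a DNS server".
"""
from collections import defaultdict

# OpenVPN packet header: the first byte is (opcode << 3) | key_id. This byte
# and the 8-byte session id that follows are never encrypted, not even with
# tls-auth or tls-crypt, so a classifier can spot OpenVPN on any port.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # first packet of a normal client handshake
P_CONTROL_HARD_RESET_SERVER_V2 = 8   # server's reply
P_DATA_V2 = 9                        # tunnel data after the handshake
P_CONTROL_HARD_RESET_CLIENT_V3 = 10  # first packet of a tls-crypt-v2 client
CLIENT_RESETS = {P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3}
_RANK = {"unknown": 0, "openvpn-probable": 1, "openvpn-handshake": 2}


def build_client_hard_reset(session_id: bytes, key_id: int = 0) -> bytes:
    """Construct the first UDP packet an OpenVPN client sends when no tls-auth
    or tls-crypt key is configured: opcode/key byte, 8-byte session id,
    empty ACK array (length 0) and message packet-id 0."""
    if len(session_id) != 8 or not 0 <= key_id < 8:
        raise ValueError("session id must be 8 bytes, key_id 0..7")
    first = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | key_id
    return bytes([first]) + session_id + b"\x00" + (0).to_bytes(4, "big")


def classify_udp_payload(payload: bytes) -> str:
    """Label a UDP payload as 'openvpn-handshake', 'openvpn-probable' or 'unknown'.
    Only client resets are matched; that is enough to tag the whole flow."""
    if len(payload) < 9:                      # opcode byte + session id
        return "unknown"
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode not in CLIENT_RESETS or key_id != 0:
        return "unknown"
    # Without a TLS wrapping key the rest of a fresh reset is fixed: one zero
    # byte (no ACKs) and a zero message packet-id, 14 bytes in total.
    if len(payload) == 14 and payload[9:14] == b"\x00" * 5:
        return "openvpn-handshake"
    # tls-auth puts an HMAC here and tls-crypt encrypts from here on, so only
    # the opcode and key id can be checked; still a strong hint.
    return "openvpn-probable"


def isp_view(flows):
    """Aggregate flow records the way a NetFlow-style collector at the ISP would
    (hypothetical collector; the record shape is this example's own).
    Each record is (dst_ip, dst_port, first_payload, byte_count). The observer
    learns where the tunnel goes and how much moves through it, not what is inside.
    Returns {(dst_ip, dst_port): {"bytes": int, "flows": int, "label": str}}."""
    view = defaultdict(lambda: {"bytes": 0, "flows": 0, "label": "unknown"})
    for dst_ip, dst_port, first_payload, nbytes in flows:
        entry = view[(dst_ip, dst_port)]
        entry["bytes"] += nbytes
        entry["flows"] += 1
        label = classify_udp_payload(first_payload)
        if _RANK[label] > _RANK[entry["label"]]:
            entry["label"] = label
    return dict(view)


def sample_flows():
    """Constructed flow records: one OpenVPN session on a non-default port plus
    an ordinary DNS query, as the ISP would see them leaving a pfSense WAN."""
    session = bytes.fromhex("a1b2c3d4e5f60718")            # constructed session id
    reset = build_client_hard_reset(session)
    data = bytes([P_DATA_V2 << 3]) + b"\x00\x00\x00\x01" + b"\x5a" * 60  # constructed data packet
    dns = bytes.fromhex("1234010000010000000000000377777706676f6f676c6503636f6d0000010001")
    return [
        ("198.51.100.7", 443, reset, 1_200),        # handshake to the VPN provider
        ("198.51.100.7", 443, data, 250_000_000),   # hours of tunnel data
        ("192.0.2.53", 53, dns, 120),               # plain DNS, fully readable
    ]


if __name__ == "__main__":
    for key, entry in isp_view(sample_flows()).items():
        print(key, entry)
```

Running it prints one line per destination: the VPN endpoint is labelled as an OpenVPN handshake even though it runs on 443, and it carries almost all the bytes. That is exactly the view the ISP has: the provider's address, the protocol, and the traffic pattern, with nothing about the sites visited through the tunnel. The DNS flow, by contrast, is plaintext end to end, which is why DNS should also go through the tunnel if the goal is to hide where you browse.
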
          JollyCloudyCheergoose @AndyRH
          last edited by Jun 26, 2022, 11:32 PM

          @andyrh
          How can someone scan the IP and determine the firewall type?

          Forget about the VPN knowing or the VPN seeing traffic. Can the ISP tell the exact model of the router?

            JKnott @JollyCloudyCheergoose
            last edited by JKnott Jun 26, 2022, 11:42 PM

            @jollycloudycheergoose

            How can someone scan the IP and determine the firewall type?

            nmap -O 172.16.0.1
            Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-26 19:39 EDT
            Nmap scan report for 172.16.0.1
            Host is up (0.00022s latency).
            Not shown: 996 filtered tcp ports (no-response)
            PORT STATE SERVICE
            22/tcp open ssh
            53/tcp open domain
            80/tcp open http
            3551/tcp open apcupsd
            MAC Address: 40:62:31:12:B6:6C (Gifa)
            Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
            Device type: general purpose
            Running (JUST GUESSING): FreeBSD 11.X (86%)
            OS CPE: cpe:/o:freebsd:freebsd:11.2
            Aggressive OS guesses: FreeBSD 11.2-RELEASE (86%)
            No exact OS matches for host (test conditions non-ideal).
            Network Distance: 1 hop

            OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
            Nmap done: 1 IP address (1 host up) scanned in 9.41 seconds

              bmeeks @JollyCloudyCheergoose
              last edited by Jun 27, 2022, 2:48 AM

              @jollycloudycheergoose said in What can the ISP see?:

              @andyrh
              How can someone scan the IP and determine the firewall type?

              Forget about the VPN knowing or the VPN seeing traffic. Can the ISP tell the exact model of the router?

              Model number -- not likely. But operating system -- probably. And it's the operating system that really matters when looking for a vulnerability to exploit.

              Google the term "OS fingerprinting" to get an idea of how this works across various operating systems. It's not an exact science, but it can many times get an attacker part of the way there. Notice in @JKnott's example nmap identified the pfSense operating system as "FreeBSD". It did get the version wrong as current pfSense is built from FreeBSD-12.3 STABLE and not 11.2-RELEASE. But just knowing the OS is FreeBSD 11.x plus is still valuable to an attacker. He can then search for exploits targeted at that OS family.

                stephenw10 Netgate Administrator
                last edited by Jun 27, 2022, 10:50 AM

                Also it looks like @JKnott was scanning from the inside. I wouldn't expect those ports to be open from the WAN and there would be less data there to guess with.

                Steve

                  JKnott @stephenw10
                  last edited by Jun 27, 2022, 10:56 AM

                  @stephenw10

                  Correct. All that's open to the outside world is OpenVPN. However, it still showed what might be available with a bit of scanning.

                    bmeeks
                    last edited by Jun 27, 2022, 3:11 PM

                    Yeah, I should have clarified my earlier post a bit.

                    OS fingerprinting of a firewall depends on having some open ports. Most home firewalls will not have any unless the admin has purposefully created some port forwards. But corporate firewalls frequently have several ports open to inbound traffic, so OS fingerprinting is possibly more useful there. But the firewall vendors also have some tricks up their sleeves to confuse OS fingerprinting scanners, so it is a continual cat and mouse sort of game.

                      JKnott @bmeeks
                      last edited by Jun 27, 2022, 5:08 PM

                      @bmeeks

                      Here's how it looks from outside:

                      Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-27 12:55 EDT
                      Nmap scan report for 99.123.456.789
                      Host is up (0.083s latency).
                      All 1000 scanned ports on 99.123.456.789 are in ignored states.
                      Not shown: 999 filtered tcp ports (no-response), 1 filtered tcp ports (host-prohibited)
                      Too many fingerprints match this host to give specific OS details

                      OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
                      Nmap done: 1 IP address (1 host up) scanned in 80.41 seconds

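The two scans JKnott posted (from the LAN side and from the WAN side) and bmeeks's point that OS fingerprinting needs open ports to work with can be checked mechanically. The following is an added example, not nmap, pfSense or anyone in the thread's code: a small parser for the `nmap -O` text format that pulls out the open ports, the MAC vendor, the OS guesses with their confidence, and whether nmap itself warned that the fingerprint is unreliable. The two embedded scans are constructed to mirror the ones above, with the WAN address replaced by a documentation address:

```python
"""Parse the text output of `nmap -O` and summarise what it gives away.

Added example for this thread, not nmap or pfSense project code. The two
scans below are constructed to mirror the ones posted above (WAN address
replaced with a documentation address); they are not live captures.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

INSIDE_SCAN = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-26 19:39 EDT
Nmap scan report for 172.16.0.1
Host is up (0.00022s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
3551/tcp open  apcupsd
MAC Address: 40:62:31:12:B6:6C (Gifa)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): FreeBSD 11.X (86%)
OS CPE: cpe:/o:freebsd:freebsd:11.2
Aggressive OS guesses: FreeBSD 11.2-RELEASE (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
"""

OUTSIDE_SCAN = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-27 12:55 EDT
Nmap scan report for 203.0.113.10
Host is up (0.083s latency).
All 1000 scanned ports on 203.0.113.10 are in ignored states.
Not shown: 999 filtered tcp ports (no-response), 1 filtered tcp ports (host-prohibited)
Too many fingerprints match this host to give specific OS details
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
GUESS_RE = re.compile(r"^(?:Running(?: \(JUST GUESSING\))?|Aggressive OS guesses): (.+)$", re.M)
PCT_RE = re.compile(r"([^,]+?) \((\d+)%\)")          # "FreeBSD 11.X (86%)"
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.+)\))?", re.M)
CPE_RE = re.compile(r"^OS CPE: (.+)$", re.M)


@dataclass
class NmapReport:
    target: str
    open_ports: list = field(default_factory=list)   # (port, proto, service)
    mac: Optional[str] = None                         # only seen on the same L2 segment
    mac_vendor: Optional[str] = None
    os_guesses: dict = field(default_factory=dict)   # guess -> confidence %
    os_cpes: list = field(default_factory=list)
    unreliable: bool = False   # nmap lacked the 1 open + 1 closed port it wants


def parse_nmap_os_scan(text: str) -> NmapReport:
    """Extract the fingerprinting-relevant fields from `nmap -O` text output."""
    m = re.search(r"^Nmap scan report for (\S+)", text, re.M)
    rep = NmapReport(target=m.group(1) if m else "?")
    for port, proto, state, service in PORT_RE.findall(text):
        if state == "open":
            rep.open_ports.append((int(port), proto, service))
    m = MAC_RE.search(text)
    if m:
        rep.mac, rep.mac_vendor = m.group(1).upper(), m.group(2)
    for line in GUESS_RE.findall(text):
        scored = PCT_RE.findall(line)
        if scored:
            for name, pct in scored:
                name = name.strip()
                rep.os_guesses[name] = max(rep.os_guesses.get(name, 0), int(pct))
        else:  # "Running: FreeBSD 11.X" without a percentage is an exact class match
            for name in line.split(", "):
                rep.os_guesses[name.strip()] = 100
    m = CPE_RE.search(text)
    if m:
        rep.os_cpes = m.group(1).split()
    rep.unreliable = "OSScan results may be unreliable" in text
    return rep


def os_family(rep: NmapReport):
    """Best guess as (family, confidence), e.g. ('FreeBSD', 86); None if nmap had nothing."""
    if not rep.os_guesses:
        return None
    name, pct = max(rep.os_guesses.items(), key=lambda kv: kv[1])
    return name.split()[0], pct


def exposure_summary(rep: NmapReport) -> dict:
    """What an attacker takes away from the scan, and whether they should trust it."""
    fam = os_family(rep)
    return {
        "target": rep.target,
        "open_ports": [p for p, _, _ in rep.open_ports],
        "nic_vendor": rep.mac_vendor,
        "os_family": fam[0] if fam else None,
        "os_confidence": fam[1] if fam else 0,
        "fingerprint_reliable": bool(rep.open_ports) and not rep.unreliable,
    }
```

Run over the LAN-side scan it reports four open ports, the NIC vendor from the MAC (which only a neighbour on the same segment can see, never the ISP), and FreeBSD at 86%, but flags the result as unreliable because nmap said so itself. Run over the WAN-side scan it reports no open ports and no OS family at all, which is the point bmeeks makes: with everything filtered there is nothing for the fingerprinter to measure.
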
                        Sergei_Shablovsky @JKnott
                        last edited by Jul 1, 2022, 1:44 PM

                        @jknott said in What can the ISP see?:

                        @jollycloudycheergoose

                        a) Why worry about it? I have Intel NICs, but I suspect I'm not alone in doing so.

                        Probably the reasons are:

                        • hiding from legal investigation due to illegal activity;
                        • hiding from investigation if the topic starter lives in Russia, China or another non-democratic country;

                        b) Just about everything has its own signature in some way. Again, why worry. If they see pfSense, they know you have a better firewall than many.

                        That's true. FreeBSD 12/13 have a great reputation and don't have so many vulnerabilities if you set everything up right and don't use "no name/low reputation third-party software" or custom FreeBSD modifications.

                        —
                        CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                        Help Ukraine to resist, save civilians' lives!
                        (Take an active part in public protests, push your country's politicians, congressmen, mass media, opinion leaders.)

                          JollyCloudyCheergoose
                          last edited by Jul 7, 2022, 5:00 AM

                          Thanks so much to everyone who replied. This is very useful

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.