[ntp:questions] Re: Fingerprinting hosts by clock skew

David L. Mills mills at udel.edu
Sat Mar 5 01:28:57 UTC 2005


It doesn't work for a NTP-synchronized machine if the perp can't find 
the frequency correction determined by the protocol.

However, the most useful property of the clock frequency is to track 
systematic changes, which serves as a quite accurate thermometer. I have 
on occasion discovered a failed machine room A/C, a failed motherboard 
fan, a window left open on a cold night; the list goes on. With a 
sensitivity of about one degree per PPM and a frequency resolution of 
.001 PPM in the frequency displays, we are talking about millidegrees here.

We have NTP-synchronized machines in campus buildings running the bells 
that toll every fifteen minutes (MIDI plus PA system). I have proposed a 
campus personal navigation system using the bell tones and DECCA 
navigation technology. It could use Doppler to determine personal 
velocity as well. I should add to that proposal using NTP frequency to 
reveal outdoor temperature if the IT staff would put the computer 
outside the building in a doghouse on the roof.


Kenneth Porter wrote:
> Interesting research reported on SlashDot:
> Tracking a Specific Machine Anywhere On The Net
> http://it.slashdot.org/article.pl?sid=05/03/04/1355253
> http://www.zdnet.com.au/news/security/0,2000061744,39183346,00.htm
> Remote physical device fingerprinting
> http://www.caida.org/outreach/papers/2005/fingerprinting

More information about the questions mailing list