[ntp:questions] Re: Fingerprinting hosts by clock skew

mayer at gis.net mayer at gis.net
Wed Mar 9 21:52:16 UTC 2005


----- Original Message Follows -----
> At 6:26 PM +0100 2005-03-09, Mxsmanic wrote:
> 
> >  Why not just build hardware RTCs that allow for extremely fine
> >  adjustments via software?  NTP could calculate the correct
> >  adjustment, then program the RTC hardware directly, ultimately
> >  producing an extraordinarily accurate hardware clock.  A clock
> >  synchronized in this way would also eliminate fingerprinting by
> >  clock skew, since the skew would soon fall to zero.
> 
>     It's not necessary.  Running NTP with current hardware is enough 
> to eliminate the ability to apply active attacks using the mechanisms 
> shown.  The problem is that passive and semi-active attacks are still 
> possible, because the clock skew corrections applied to the system 
> clock are not also applied to the TCP/IP clock, and you can still 
> measure and fingerprint the TCP clock skew.
> 
> -- 
> Brad Knowles, <brad at stop.mail-abuse.org>
> 

It's not worth bothering with all this. I've seen code that use two or
three
ICMP messages to fingerprint your system and tell exactly what you're
running
for O/S and hardware. You don't even need to worry about the clock. It
can
tell just be looking at how it handles the message.

Danny




More information about the questions mailing list