[ntp:questions] Re: Fingerprinting hosts by clock skew

mayer at gis.net mayer at gis.net
Wed Mar 9 21:52:16 UTC 2005

----- Original Message Follows -----
> At 6:26 PM +0100 2005-03-09, Mxsmanic wrote:
> >  Why not just build hardware RTCs that allow for extremely fine
> >  adjustments via software?  NTP could calculate the correct
> >  adjustment, then program the RTC hardware directly, ultimately
> >  producing an extraordinarily accurate hardware clock.  A clock
> >  synchronized in this way would also eliminate fingerprinting by
> >  clock skew, since the skew would soon fall to zero.
>     It's not necessary.  Running NTP with current hardware is enough 
> to eliminate the ability to apply active attacks using the mechanisms 
> shown.  The problem is that passive and semi-active attacks are still 
> possible, because the clock skew corrections applied to the system 
> clock are not also applied to the TCP/IP clock, and you can still 
> measure and fingerprint the TCP clock skew.
> -- 
> Brad Knowles, <brad at stop.mail-abuse.org>

It's not worth bothering with all this. I've seen code that use two or
ICMP messages to fingerprint your system and tell exactly what you're
for O/S and hardware. You don't even need to worry about the clock. It
tell just be looking at how it handles the message.


More information about the questions mailing list