[ntp:questions] Re: Fingerprinting hosts by clock skew

Brad Knowles brad at stop.mail-abuse.org
Wed Mar 9 22:45:33 UTC 2005

At 4:52 PM -0500 2005-03-09, mayer at gis.net wrote:

>  It's not worth bothering with all this. I've seen code that uses two or
>  three ICMP messages to fingerprint your system and tell exactly what
>  you're running for O/S and hardware. You don't even need to worry about
>  the clock. It can tell just by looking at how it handles the message.

	I know about nmap, and I have some idea of how it works.  One 
problem is that a lot of places block ICMP, and many host-level 
firewalling implementations will do the same.  Operating systems like 
OpenBSD will randomize certain aspects of any response packets that 
do get sent back, and the result will be a machine for which it will be 
difficult or impossible to determine what it's running.

	The clock skew-based fingerprint techniques are just one 
additional method that programs like nmap might use to help them try 
to do their job just that bit better.  Which is precisely the reason 
why a serious attempt should be made to correct this weakness.

	For the NTP community, there's nothing we can do, at least on 
this one.  The work needs to be done elsewhere, by other people.  We 
can try to contact the appropriate people, but that's about it.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
