[19716] in bugtraq
Re: TCP Timestamping and Remotely gathering uptime information
daemon@ATHENA.MIT.EDU (Valdis Kletnieks)
Mon Mar 19 20:04:11 2001
Message-ID: <200103180517.f2I5H9d16883@foo-bar-baz.cc.vt.edu>
Date: Sun, 18 Mar 2001 00:17:09 -0500
Reply-To: Valdis.Kletnieks@VT.EDU
From: Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
X-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Fri, 16 Mar 2001 04:52:47 +1100."
<200103151752.EAA11989@cairo.anu.edu.au>
On Fri, 16 Mar 2001 04:52:47 +1100, Darren Reed <avalon@COOMBS.ANU.EDU.AU> said:
> One potential use of uptime information to an attackers advantage is in
> attacking things which use the current time (seconds, microseconds,
> whatever) as a seed for some sort of thing when the start up at boot
The first use *I* thought of was as follows:
If you know (via careful extended observation) that a given server reboots
every alternate Thursday at 4:30AM (or whenever their test time is), it
allows you to lay the groundwork for a spoofing attack or other mischief
while the spoofed machine is down for the reboot and unable to complain
about the impostor...
As a bonus - they probably will skip the reboot unless they had a config
change staged. As a result, you *know* what will get blamed for any and
all weirdness seen during the reboot - every sysadmin I know will look at
a weird message at 4:30AM and think "What did I just change, and how the
<bleep> did it cause THAT error?". ;)
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
