NMAP and Uptime Guessing
Posted: Wed Jun 25, 2003 9:26 pm
As some have noted, the TCP Timestamps option allows people with knowledge of the Linux TCP stack to accurately estimate the uptime of a machine.
While the timestamps can be disabled, they perform a valuable function (they can be used to determine round-trip-time which is fairly vital to preventing wastefully retransmitting data). See RFC 1323.
Currently, a number of OSs (Linux included, I believe) start this counter out at zero and then count up in a predictable fashion. It is therefore possible to determine uptime if you can identify the OS.
Nothing more than randomizing the initial value would be necessary to prevent this data from slipping. Since this information can be useful in selecting machines to attack (prioritize on machines that haven't rebooted in a while and thus may have more holes), it is probably a good idea to close this before anyone decides to exploit it.
Can we do this?
Jayson
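The inference described in this post, worked through as an added example (not code from the post or from Nmap), with constructed TSval samples: from a few packets the observer recovers the tick rate and, if the counter started at zero at boot, the uptime; the same samples with a random initial value still give the tick rate but an uptime figure that is meaningless, which is the mitigation the post proposes.

```python
"""Estimate host uptime from TCP timestamp (TSval) samples and show why a
random initial counter value defeats the inference. All sample data is
constructed for illustration, not captured from a real host."""

TS_MASK = 0xFFFFFFFF  # TSval is a 32-bit counter (RFC 1323)

# Constructed samples: (capture time in seconds, TSval seen in the packet).
# Models a 100 Hz stack that started its counter at zero about 36 h earlier.
SAMPLES_ZERO_START = [
    (1000.0, 12_960_000),
    (1001.0, 12_960_100),
    (1003.5, 12_960_350),
]


def estimate_tick_rate(samples):
    """Ticks per second, from the first and last sample (handles wraparound)."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    return ((v1 - v0) & TS_MASK) / (t1 - t0)


def estimate_uptime_seconds(samples):
    """Uptime, assuming the counter started at zero when the host booted.
    This is the assumption a random initial value breaks."""
    return samples[-1][1] / estimate_tick_rate(samples)


def randomize_initial(samples, offset):
    """Apply a random per-boot offset, as the post suggests the stack should.
    The delta between packets (and so the tick rate) is unchanged."""
    return [(t, (v + offset) & TS_MASK) for t, v in samples]


if __name__ == "__main__":
    print("tick rate:", estimate_tick_rate(SAMPLES_ZERO_START), "Hz")
    print("uptime (zero start):",
          estimate_uptime_seconds(SAMPLES_ZERO_START) / 3600, "h")
    # Constructed offset standing in for a per-boot random value.
    rnd = randomize_initial(SAMPLES_ZERO_START, 3_000_000_000)
    print("tick rate (randomized):", estimate_tick_rate(rnd), "Hz")
    print("uptime estimate (randomized, meaningless):",
          estimate_uptime_seconds(rnd) / 3600, "h")
```

Note that only the absolute counter value leaks uptime; the tick rate, which OS fingerprinting also uses, survives randomization because it comes from differences between packets.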