Re: Clock slew vulnerability in FreeBSD?
On Mar 10, 2005, at 10:44 PM, Anthony Atkielski wrote: Kris Kennaway writes: Isn't this a non-problem if you use ntpd? Unfortunately, no, because the TCP stacks on most systems don't use the disciplined clock provided by NTP for the timestamps. Instead they use a clock based directly on the RTC, which reveals a characteristic skew that is unique to each machine. If the stacks used the NTP-disciplined actual time of day, plus perhaps a randomizing factor to avoid revealing patterns, this technique would become useless. Wouldn't the skew resolution necessary for this tracking technique become useless with temperature variations, humidity, etc. that can affect most systems over the course of the day/week/year? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Clock slew vulnerability in FreeBSD?
Bart Silverstrim writes: Wouldn't the skew resolution necessary for this tracking technique become useless with temperature variations, humidity, etc. that can affect most systems over the course of the day/week/year? That's one of my questions, too. A technique that could identify 100 million different computers (as some people have speculated) would need reliable precision to at least nine decimal places. That's a pretty tall order for something like measurement of clock slewing in TCP packets. There are other related problems. So you identify computer A using its unique clock slew. How do you prove that in court? If you move the machine, or if you change anything about it, the RTC is likely to vary a bit, changing the slew to a different value. Just temperature variations in the room can do that. -- Anthony ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Clock slew vulnerability in FreeBSD?
Is this technically a vulnerability, or is it just a side-effect of how computers operate? I was of the impression that this is quite an unavoidable issue, given how it seems to apply to any computer regardless of OS, but I haven't researched the issue much myself. Interesting question. Anthony Atkielski wrote: How vulnerable is FreeBSD to the recently announced technique for individually identifying computers by the clock slew apparent in TCP packets? If it is vulnerable to this, will there be any plans to address the vulnerability? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Clock slew vulnerability in FreeBSD?
On Fri, Mar 11, 2005 at 03:45:39AM +0100, Anthony Atkielski wrote: How vulnerable is FreeBSD to the recently announced technique for individually identifying computers by the clock slew apparent in TCP packets? If it is vulnerable to this, will there be any plans to address the vulnerability? Isn't this a non-problem if you use ntpd? Kris ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Clock slew vulnerability in FreeBSD?
Bnonn writes: Is this technically a vulnerability, or is it just a side-effect of how computers operate? It's a vulnerability in the sense that it can leak confidential information about a system's identity. It's not a side-effect of how computers operate, but rather a side-effect of how most TCP stacks are implemented. I was of the impression that this is quite an unavoidable issue, given how it seems to apply to any computer regardless of OS, but I haven't researched the issue much myself. Interesting question. It seems to be unavoidable only in the sense that most operating systems are not designed to protect against it (yet). I think the claims of the researchers are overly optimistic, but time will tell. In any case, in the interest of security, it would be nice to see it addressed. I read that FreeBSD can be configured to avoid the problem completely by disabling the timestamps upon which the technique depends, but I don't remember the details. And if one still wants to use timestamps, it would be good if they could be used without leaking any information. -- Anthony ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Clock slew vulnerability in FreeBSD?
Kris Kennaway writes: Isn't this a non-problem if you use ntpd? Unfortunately, no, because the TCP stacks on most systems don't use the disciplined clock provided by NTP for the timestamps. Instead they use a clock based directly on the RTC, which reveals a characteristic skew that is unique to each machine. If the stacks used the NTP-disciplined actual time of day, plus perhaps a randomizing factor to avoid revealing patterns, this technique would become useless. -- Anthony ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Clock slew vulnerability in FreeBSD?
Your talking about this: http://www.caida.org/outreach/papers/2005/fingerprinting/ From educatedguesswork.org: The basic idea is that you use TCP timestamps to estimate how fast or slow the remote clock is running. This doesn't give you enough information to uniquely identify the remote machine, but it does give you a way to assess whether two given machines are the same. Possible uses include determining when two machines that have the same address are in fact different machines (e.g., they're behind a NAT) or whether two machines with different IP address are actually the same machine (e.g., a honeypot). Anthony, I think your a bit mistaken in your description. This does not appear to be much of a security hole. NAT's are defacto these days on the Internet and any cracker is going to assume that there's a good chance he's attacking a NAT. Ted -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Anthony Atkielski Sent: Thursday, March 10, 2005 6:46 PM To: freebsd-questions@freebsd.org Subject: Clock slew vulnerability in FreeBSD? How vulnerable is FreeBSD to the recently announced technique for individually identifying computers by the clock slew apparent in TCP packets? If it is vulnerable to this, will there be any plans to address the vulnerability? -- Anthony ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]