
Bugtraq mailing list archives

Re: TCP Timestamping and Remotely gathering uptime information


From: Saint skullY the Dazed <skully () NETLSD ORG>
Date: Fri, 16 Mar 2001 07:03:41 -0800

On Fri, Mar 16, 2001 at 04:52:47AM +1100, Darren Reed wrote:
> So when do we change things like "uname" such that they no longer report
> the system "identity" (OS, OS rev) to anyone but root?
>
> Why do you think all timestamps should not reveal uptime information?
>
> What do you think is at risk here?
>
> Are script kiddies going to say "ooh, he's been up for 500 days and he's
> not linux, let's flood him to death"?
>
> Or is there something more fundamental?

I've been asking these questions about kernel patches to hide information
that otherwise wouldn't be hidden for quite a while. I still have yet to
understand the mentality behind the hiding of information. Yes, I understand
there is information that you want to hide from a potential system cracker,
but hiding of any and all information you can seems ridiculous and stupid
to me.

Then again, what do I know? I leave time, finger, and auth open on all
my machines. (And I still have yet to have one of my machines be compromised)

> One potential use of uptime information to an attacker's advantage is in
> attacking things which use the current time (seconds, microseconds,
> whatever) as a seed for some sort of thing when they start up at boot
> time.  A server which has a weak PRNG or similar might be at risk,
> where it otherwise would not, do you think?

I would think that either the daemon using current time as a seed or
the system's PRNG should be fixed. Fix the problems, not the symptoms.
Hiding the uptime from the remote cracker doesn't make the problem
cease to exist, and it certainly doesn't help in the case of a local
user.

But the original question is a very valid one, IMO. When do you stop hiding
information? Do we force every single machine to respond identically, so
that there is no chance of ever being able to determine OS type? Do
we modify our web servers to stop handing out Server: headers, or to
hand out bogus Server: headers?

Personally, I'd rather that time was spent fixing real security holes.
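The risk Darren raises (a daemon seeding a weak PRNG with its boot time) and the reply's point that the generator, not the uptime leak, is what needs fixing, as an added Python example that is not part of this thread. The daemon, its 32-bit boot-time token and the boot timestamp are constructed for illustration.

```python
import random
import secrets

# Constructed example (not from the thread): a daemon that seeds a
# non-cryptographic PRNG with its boot time, next to one that draws from
# the operating system CSPRNG. The "token" stands in for any secret the
# daemon derives at boot (an initial sequence number, a session id, ...).

def token_from_time_seed(boot_time: int) -> int:
    """Weak design: Mersenne Twister seeded with the boot timestamp."""
    rng = random.Random(boot_time)
    return rng.getrandbits(32)

def token_from_csprng() -> int:
    """Fixed design: 32 bits straight from the OS CSPRNG, no seed to guess."""
    return secrets.randbits(32)

def seed_search_space(uncertainty_seconds: int) -> int:
    """Number of candidate seeds once boot time is known to +/- uncertainty."""
    return 2 * uncertainty_seconds + 1

def recover_seed(observed_token: int, estimated_boot_time: int,
                 uncertainty_seconds: int):
    """Measure what the time seed is actually worth: walk the candidate
    seeds around the estimated boot time and return the one that reproduces
    the observed token, or None if the window does not contain it."""
    for delta in range(-uncertainty_seconds, uncertainty_seconds + 1):
        candidate = estimated_boot_time + delta
        if token_from_time_seed(candidate) == observed_token:
            return candidate
    return None

if __name__ == "__main__":
    boot = 984752621    # constructed boot time, epoch seconds in March 2001
    token = token_from_time_seed(boot)
    # Uptime leaked through TCP timestamps narrows the boot time to a
    # window of about a minute; the seed space collapses to that window.
    print("candidate seeds:", seed_search_space(60), "versus 2**32 for a CSPRNG token")
    print("seed reproducing the token:", recover_seed(token, boot + 17, 60))
```

Hiding the uptime only widens the window; replacing the time seed with the CSPRNG removes the window altogether, which is the "fix the problem, not the symptom" point.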
