Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: TCP Timestamping and Remotely gathering uptime information

From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Sun, 18 Mar 2001 00:17:09 -0500
On Fri, 16 Mar 2001 04:52:47 +1100, Darren Reed <avalon () COOMBS ANU EDU AU>  said:

One potential use of uptime information to an attackers advantage is in
attacking things which use the current time (seconds, microseconds,
whatever) as a seed for some sort of thing when the start up at boot


The first use *I* thought of was as follows:

If you know (via careful extended observation) that a given server reboots
every alternate Thursday at 4:30AM (or whenever their test time is), it
allows you to lay the groundwork for a spoofing attack or other mischief
while the spoofed machine is down for the reboot and unable to complain
about the impostor...

As a bonus - they probably will skip the reboot unless they had a config
change staged.  As a result, you *know* what will get blamed for any and
all weirdness seen during the reboot - every sysadmin I know will look at
a weird message at 4:30AM and think "What did I just change, and how the
<bleep> did it cause THAT error?". ;)

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
Previous By Date Next
Previous By Thread Next

Current thread: