Nmap Development mailing list archives

Re: Uptime estimates and TCP timestamp offsets


From: David Fifield <david () bamsoftware com>
Date: Tue, 19 Aug 2008 15:09:41 -0600

On Mon, Aug 18, 2008 at 06:02:58PM -0600, David Fifield wrote:
> Nmap's estimate of uptime is based on a series of TCP timestamp
> measurements. I found this patch to the Linux kernel that allows setting
> an offset that is added to all timestamps:
>
> http://lkml.org/lkml/2008/2/15/244
>
> That would explain the observed behavior. However, by doing a cursory
> check of the current versions of certain files affected by the patch, it
> doesn't appear to have been applied.

I have found more information related to the phenomenon, at least on
Linux:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git;a=commitdiff;h=4dfc2817025965a2fc78a18c50f540736a6b5c24;hp=15be75cdb5db442d0e33d37b20832b88f3ccd383

It's an enhancement of SYN cookies, committed back in April. I guess a
problem with SYN cookies is that they support the most basic TCP options;
notably, you lose SACK and window scaling for a connection using SYN
cookies. The patch gets around that by encoding extra information in the
low-order bits of the timestamp sent with the SYN/ACK.

If it's messing with the low-order bits, that could really screw up
Nmap's calculations. However, it seems this would only be the case when
SYN cookies are in effect, so I don't know why it appears to be so
prevalent. I think Linux uses SYN cookies only when it suspects there's
a SYN flood, because of the aforementioned limitations.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
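As an added illustration (not code from this post, from Nmap, or from the kernel patch), the following Python models the measurement the thread is about: a least-squares fit of TCP timestamp values against the observer's clock gives the tick rate, and the last value divided by that rate gives the uptime. It then applies a model of the SYN-cookie change, overwriting the low-order bits of each SYN/ACK timestamp with option flags, to show how the rate fit and the uptime drift; the 6-bit width, the snap-to-common-rates step and the sample series are assumptions constructed for the example.

```python
from typing import Callable, List, Optional, Tuple

Sample = Tuple[float, int]  # (observer wall-clock seconds, TCP timestamp value)

# Tick rates an estimator might snap to (assumed list, not Nmap's own table).
COMMON_RATES_HZ = (2, 100, 250, 1000)

def fit_tick_rate(samples: List[Sample]) -> float:
    """Least-squares slope of TSval against wall-clock time, in ticks per second."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    num = sum((t - mean_t) * (v - mean_v) for t, v in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return num / den

def snap_rate(rate: float, tolerance: float = 0.10) -> float:
    """Round to the nearest common kernel tick frequency if within tolerance."""
    for hz in COMMON_RATES_HZ:
        if abs(rate - hz) <= tolerance * hz:
            return float(hz)
    return rate

def estimate_uptime(samples: List[Sample], snap: bool = True) -> Tuple[float, float]:
    """Return (tick rate used, estimated seconds since the timestamp clock started)."""
    rate = fit_tick_rate(samples)
    if snap:
        rate = snap_rate(rate)
    _, last_v = samples[-1]
    return rate, last_v / rate

def syncookie_mangle(tsval: int, options: int, low_bits: int = 6) -> int:
    """Model of the patch discussed above: option flags overwrite the low-order
    bits of the SYN/ACK timestamp. The 6-bit width is an assumption."""
    mask = (1 << low_bits) - 1
    return (tsval & ~mask) | (options & mask)

def make_samples(uptime_s: float, rate_hz: int, n: int = 5, interval_s: float = 0.5,
                 mangle: Optional[Callable[[int], int]] = None) -> List[Sample]:
    """Constructed probe series: n SYN/ACK timestamps from a host up for uptime_s."""
    out = []
    for i in range(n):
        t = i * interval_s
        v = int((uptime_s + t) * rate_hz)  # e.g. jiffies at 100 Hz
        out.append((t, mangle(v) if mangle else v))
    return out

if __name__ == "__main__":
    clean = make_samples(3 * 86400, 100)  # host up three days, 100 Hz clock
    cooked = make_samples(3 * 86400, 100, mangle=lambda v: syncookie_mangle(v, 0b010111))
    print("clean          :", estimate_uptime(clean, snap=False))
    print("cooked, raw fit:", estimate_uptime(cooked, snap=False))
    print("cooked, snapped:", estimate_uptime(cooked))
```

With the low bits overwritten, the raw slope over a two-second probe window comes out about 2% high and the uptime estimate about 7% low; snapping the rate to 100 Hz recovers the estimate to within a fraction of a second.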