Re: Uptime estimates and TCP timestamp offsets

["Michael Pattrick" <mpattrick () rhinovirus org>]

On Tue, Aug 19, 2008 at 5:09 PM, David Fifield <david () bamsoftware com> wrote:
> If it's messing with the low-order bits that could really screw up
> Nmap's calculations. However, it seems this would only be the case when
> SYN cookies are in effect, so I don't know why it appears to be so
> prevalent. I think Linux uses SYN cookies only when it suspects there's
> a SYN flood, because of the aforementioned limitations.

Its odd, I did a few more reboot-and-scan scans with only three ports
and -T2, and got:
Uptime: 198.838 days (since Sat Feb 02 20:54:47 2008)
Uptime: 199.637 days (since Sat Feb 02 01:39:53 2008)

Then I noticed a very interesting phenomenon, after my compter ran for
a few minutes, i got results that were 100% accurate:
Uptime: 0.000 days (since Tue Aug 19 17:37:27 2008)
Uptime: 0.020 days (since Tue Aug 19 18:05:49 2008)

And after that it seems impossible for me to trigger syn cookies no
matter how many syn packets I send to the host.

So does like the Debian Lenny kernel turn syn cookies on right after
startup then turn them off later and never retrigger them?

Why it would behave like this is beyond me, but hopefully someone can
decipher this data.

Cheers,
Michael

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org