From owner-freebsd-security  Mon Apr 16 20:45:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27])
	by hub.freebsd.org (Postfix) with ESMTP
	id B6B8E37B446; Mon, 16 Apr 2001 20:45:43 -0700 (PDT)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id EAB9066D8B; Mon, 16 Apr 2001 20:45:42 -0700 (PDT)
Date: Mon, 16 Apr 2001 20:45:42 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: non-random IP IDs
Message-ID: <20010416204542.A18881@xor.obsecurity.org>
References: <200104161836.EAA03291@caligula.anu.edu.au> <3ADBB93B.3C9DC3DE@elischer.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="azLHFNyN32YCQGCU"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ADBB93B.3C9DC3DE@elischer.org>; from julian@elischer.org on Mon, Apr 16, 2001 at 08:32:11PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--azLHFNyN32YCQGCU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Apr 16, 2001 at 08:32:11PM -0700, Julian Elischer wrote:

> there is a site that calculates server uptime from these numbers.
> All the leading machines are freeBSD. When you do this it will=20
> no-longer be able to track us :-(

As explained by Mike, the uptime fingerprinting doesn't involve IP
IDs, but regardless, information leaks of this kind make it easier to
exploit various network stack vulnerabilities.

Knowing things like whether a host is idle, being able to measure the
rate at which it is generating traffic (without observing the traffic
directly), knowing its precise uptime, etc may allow you to mount
various attacks (e.g. some of the IP stack vulnerabilties discovered
in the past rely on knowing or being able to accurately guess this
information).  Not everyone may care to reduce this information
exposure (e.g. it can add processing overhead which you may not want
on a heavily-loaded server), but it should at least be made possible.

Kris

--azLHFNyN32YCQGCU
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE627xmWry0BWjoQKURAjLXAJ9IwWqtk/3MGSwR8tIu1uQy1moJOgCdEinz
o4lmxnIM7DyqMkiLWIzXmjM=
=R5nQ
-----END PGP SIGNATURE-----

--azLHFNyN32YCQGCU--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message