Nmap Development mailing list archives

Re: Uptime estimates and TCP timestamp offsets


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 19 Aug 2008 23:24:37 +0000

On Tue, 19 Aug 2008 18:51:32 -0400
"Michael Pattrick" <mpattrick () rhinovirus org> wrote:

> On Tue, Aug 19, 2008 at 5:09 PM, David Fifield
> <david () bamsoftware com> wrote:
>> If it's messing with the low-order bits that could really screw up
>> Nmap's calculations. However, it seems this would only be the case
>> when SYN cookies are in effect, so I don't know why it appears to
>> be so prevalent. I think Linux uses SYN cookies only when it
>> suspects there's a SYN flood, because of the aforementioned
>> limitations.
>
> It's odd, I did a few more reboot-and-scan scans with only three ports
> and -T2, and got:
> Uptime: 198.838 days (since Sat Feb 02 20:54:47 2008)
> Uptime: 199.637 days (since Sat Feb 02 01:39:53 2008)
>
> Then I noticed a very interesting phenomenon, after my computer ran for
> a few minutes, I got results that were 100% accurate:
> Uptime: 0.000 days (since Tue Aug 19 17:37:27 2008)
> Uptime: 0.020 days (since Tue Aug 19 18:05:49 2008)
>
> And after that it seems impossible for me to trigger syn cookies no
> matter how many syn packets I send to the host.
>
> So does like the Debian Lenny kernel turn syn cookies on right after
> startup then turn them off later and never retrigger them?
>
> Why it would behave like this is beyond me, but hopefully someone can
> decipher this data.
>
> Cheers,
> Michael


So I decided to give this a few tries myself.

Immediately after booting up:

bmenrigh@gamma ~ $ sudo nmap -O -p- -d -v -T4 132.239.181.225 | egrep Uptime
Uptime: 49.708 days (since Tue Jul  1 06:08:36 2008)

It just so happens that 49.708 is just shy of 2^32 milliseconds...
Rollover should occur at 49.710 days (and it does):

bmenrigh@gamma ~ $ sudo nmap -O -p- -d -v -T4 132.239.181.225 | egrep Uptime
Uptime: 49.710 days (since Tue Jul  1 06:08:36 2008)
bmenrigh@gamma ~ $ sudo nmap -O -p- -d -v -T4 132.239.181.225 | egrep Uptime
Uptime: 0.000 days (since Tue Aug 19 23:11:23 2008)
bmenrigh@gamma ~ $ sudo nmap -O -p- -d -v -T4 132.239.181.225 | egrep Uptime
Uptime: 0.001 days (since Tue Aug 19 23:11:23 2008)

I tried turning on syncookies but they had no effect.

Based on the numbers I've seen, I'd say that some kernels set the 2^24
seconds bit and some set the 2^32 milliseconds bit...  I'm sure there's
more reason than rhyme to this, even if we don't see it just yet.

I tested against 2.6.26-gentoo-r1, x86_64, 1000 HZ scheduler.

Brandon
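
The rollover described in the message above, reproduced as an added example (not part of the original message and not Nmap's code): a constructed 32-bit timestamp counter ticking at 1000 Hz that starts 196 s before 2^32 yields a naive "TSval / rate" uptime of 49.708 days, then 0.000 days once it wraps. The starting offset, the list of rates to snap to and the `near_wrap` margin are assumptions chosen for illustration.

```python
WRAP = 2**32  # TSval is a 32-bit field, so the counter wraps at 2^32 ticks

def sample_counter(start_tick, hz, times_ms):
    """Constructed target: 32-bit counter at `hz` ticks/s, read at times_ms."""
    return [(t, (start_tick + t * hz // 1000) % WRAP) for t in times_ms]

def estimate_hz(samples):
    """Tick rate from first and last sample; the difference is taken mod 2^32
    so a wrap between the two samples does not produce a negative rate."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    raw = ((v1 - v0) % WRAP) / ((t1 - t0) / 1000)
    return min((100, 250, 1000), key=lambda hz: abs(hz - raw))  # assumed rates

def naive_uptime_days(samples):
    """Treat the last TSval as 'ticks since boot' (the assumption that breaks)."""
    return samples[-1][1] / estimate_hz(samples) / 86400

def wrap_period_days(hz):
    """How long a 32-bit counter at `hz` ticks/s runs before wrapping."""
    return WRAP / hz / 86400

def near_wrap(samples, margin_s=3600):
    """True when the estimate sits within margin_s of the wrap period, i.e. it
    may reflect a non-zero starting offset rather than real uptime."""
    hz = estimate_hz(samples)
    return WRAP / hz - samples[-1][1] / hz < margin_s

# Constructed data: 1000 Hz counter that starts 196 s before the 2^32 wrap.
START = WRAP - 196_000
probes = [0, 100, 200, 300, 400, 500]          # ms offsets within one scan
boot = sample_counter(START, 1000, probes)
across = sample_counter(START, 1000, [195_800 + p for p in probes])
later = sample_counter(START, 1000, [200_000 + p for p in probes])

if __name__ == "__main__":
    for name, s in (("boot", boot), ("across", across), ("later", later)):
        print(f"{name:7s} hz={estimate_hz(s)} "
              f"uptime={naive_uptime_days(s):.3f} days near_wrap={near_wrap(s)}")
    print(f"wrap period at 1000 Hz: {wrap_period_days(1000):.3f} days")
```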
