March 1, 2005
Remote device fingerprinting with timestamps
Tadayoshi Kohno, Andre Broido, and kc claffy have an interesting paper appearing in IEEE Oakland 2005 showing how to remotely fingerprint computers by measuring the amount of clock skew. The basic idea is that you use TCP timestamps to estimate how fast or slow the remote clock is running. This doesn't give you enough information to uniquely identify the remote machine, but it does give you a way to assess whether two given machines are the same. Possible uses include determining when two machines that have the same address are in fact different machines (e.g., they're behind a NAT) or whether two machines with different IP addresses are actually the same machine (e.g., a honeypot). Interestingly, the clock skew measurements are quite stable even when the network path to the machine being measured changes and over long periods of time. Nice work.
Posted by ekr at March 1, 2005 8:03 PM
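The estimation step described above, as an added example that is not code from this post or from the paper: it fits a line to the offset between the remote TCP timestamp clock and the local receive time, and the slope of that line is the skew in parts per million. The ordinary least-squares fit, the 1000 Hz tick rate, the function names and the synthetic traces are all assumptions made for this example.

```python
import random

def estimate_skew_ppm(samples, hz):
    """Estimate a peer's clock skew relative to the local clock, in ppm.

    samples: (local_receive_time_s, remote_TSval) pairs from one TCP peer.
    hz: tick rate of the remote timestamp clock (assumed known here).
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    # TSval is a 32-bit counter, so take differences modulo 2**32.
    ys = [((ts - ts0) % 2**32) / hz - x for (_, ts), x in zip(samples, xs)]
    n = len(samples)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples must be spread over time")
    # Least-squares slope of (remote elapsed - local elapsed) vs. local elapsed.
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope * 1e6

def consistent_with_same_device(skew_a, skew_b, tol_ppm=1.0):
    """Matching skews do not prove identity; differing skews suggest two hosts."""
    return abs(skew_a - skew_b) <= tol_ppm

def synth_samples(skew_ppm, hz, seed, base_tsval, duration=3600, step=10):
    """Constructed trace: one packet roughly every `step` seconds, with
    20-25 ms of network delay jitter. Not captured traffic."""
    rng = random.Random(seed)
    out = []
    for i in range(duration // step):
        sent = i * step + rng.uniform(0, 1)  # true send time
        ticks = int(sent * (1 + skew_ppm * 1e-6) * hz)  # skewed remote clock
        out.append((sent + rng.uniform(0.020, 0.025), (base_tsval + ticks) % 2**32))
    return out

if __name__ == "__main__":
    HZ = 1000
    # Two flows seen from one address (the NAT case) with different skews,
    # plus a third flow whose skew matches the first.
    a = estimate_skew_ppm(synth_samples(50.0, HZ, 1, 2**32 - 1000), HZ)
    b = estimate_skew_ppm(synth_samples(-30.0, HZ, 2, 777), HZ)
    c = estimate_skew_ppm(synth_samples(50.0, HZ, 3, 12345), HZ)
    print(f"a={a:.2f} ppm  b={b:.2f} ppm  c={c:.2f} ppm")
    print("a vs b same device?", consistent_with_same_device(a, b))
    print("a vs c same device?", consistent_with_same_device(a, c))
```

The first trace starts its counter just below 2**32 so the wraparound handling is exercised.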