
Re: rlinetd security



On Mon, Jun 18, 2001 at 07:25:37PM +0100, Tim Haynes wrote:
> But that said, I gather leaking one's timestamp is not a good thing
> (leaking *anything* is not really any good). I'm no Kerberos user, but I
> heard you can do time-dependent auth in that a given ticket is good until
> <whenever>. I wouldn't want someone to know exactly what time my boxes
> thought it was.

So I assume you stay very clear of any kind of time synchronization
(ntpd and the like).  In order for things like Kerberos to work (BTW, I
am a Kerberos user) the client machines have to be very closely
synchronized with the authentication server.  NTP is how this is done.
Giving out your time via either the daytime or time simple service is
not giving out any info that's not already available to anybody who
cares to look.

> > The potential exists to use the chargen feature as a part of a DoS
> > attack, but I've not heard of it ever being used as it's not particularly
> > effective unless you have many many machines available, and even then
> > there are much more effective weapons.
> 
> <http://www.sans.org/infosecFAQ/malicious/naptha.htm>, btw. Why bother
> hooking /dev/{zero,null} onto the net with netcat when you can cause a fair
> bit of traffic with standard services that do much the same thing?

Yes, but you know what?  'ping -f' works just as well, if not better.
Do you have ICMP filtered at your router?


-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
