(Still) Exploiting TCP Timestamps
Veit N. Hailperin1
1scip AG
Hack in Paris, June 2015
Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 1 / 47
About Me
Security Consultant & Researcher @ scip AG
@fenceposterror
Bug in the matrix
Disclaimer
On the slides, IP is used as a synonym for IP address, for space reasons.
Timestamps always refers to TCP timestamps unless otherwise noted.
Outline
1 What are TCP Timestamps?
2 A History of Exploitation and Failed Remediation
3 More Fun with TCP Timestamps
4 What Now?
TCP Timestamps
Introduced in 1992
Described in RFC 1323 (obsoleted by RFC 7323 in 2014)
Extension to provide PAWS (Protection Against Wrapped Sequence numbers) and improved RTTM (Round-Trip Time Measurement)
TSval is a counter that increases strictly monotonically at a constant rate, the sender's timestamp clock (commonly 100, 250 or 1000 ticks per second)
A TCP Timestamp
Kind: 8
Length: 10 bytes
+-------+-------+---------------------+---------------------+
|Kind=8 | 10 | TS Value (TSval) |TS Echo Reply (TSecr)|
+-------+-------+---------------------+---------------------+
1 1 4 4
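The option layout above, turned into a parser. This is an added example, not code from the talk or from the luh2/timestamps repository: it walks the TCP option list of a raw segment (NOP and EOL have no length byte, every other option does), pulls out option kind 8 and unpacks TSval/TSecr as two 32-bit big-endian fields. The sample segment is constructed in build_sample_segment with a Linux-style option order; port numbers, sequence numbers and the zeroed checksum are arbitrary.

```python
"""Extract TSval/TSecr from a raw TCP segment (RFC 1323 option kind 8, length 10).
The sample segment is constructed below; it is not a capture from the talk."""

import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_WSCALE = 0, 1, 2, 3
TCPOPT_SACK_PERM, TCPOPT_TIMESTAMP = 4, 8


def parse_tcp_options(opts: bytes) -> dict:
    """Walk the option list and return {kind: payload bytes}; NOP/EOL carry no payload."""
    i, found = 0, {}
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def tcp_timestamp(segment: bytes):
    """Return (TSval, TSecr) from a TCP segment, or None if the option is absent."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    payload = parse_tcp_options(segment[20:data_offset]).get(TCPOPT_TIMESTAMP)
    if payload is None:
        return None
    if len(payload) != 8:
        raise ValueError("timestamp option must be 10 bytes")
    return struct.unpack("!II", payload)           # two 32-bit big-endian fields


def build_sample_segment(tsval: int, tsecr: int, include_ts: bool = True) -> bytes:
    """Constructed SYN/ACK with a Linux-style option layout (MSS, SACK-OK, TS, NOP, WS)."""
    opts = b"\x02\x04\x05\xb4" + b"\x04\x02"                 # MSS 1460, SACK permitted
    if include_ts:
        opts += b"\x08\x0a" + struct.pack("!II", tsval, tsecr) + b"\x01"
    else:
        opts += b"\x01"
    opts += b"\x03\x03\x07"                                   # window scale 7
    opts += b"\x01" * (-len(opts) % 4)                        # pad to a 32-bit boundary
    header = struct.pack("!HHIIBBHHH",
                         443, 51234,                          # source / destination port
                         1000, 2001,                          # seq / ack
                         ((20 + len(opts)) // 4) << 4,        # data offset, reserved bits 0
                         0x12,                                # flags SYN|ACK
                         65535, 0, 0)                         # window, checksum (unset), urg
    return header + opts


if __name__ == "__main__":
    print(tcp_timestamp(build_sample_segment(123_456_789, 98_765)))
```

In practice the segment bytes come from a pcap or a raw socket; everything from the TCP header onward is what tcp_timestamp expects. A reply with no kind-8 option is the "can't tell" case from later slides, so the function returns None rather than raising.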
Attack Vector - Timestamp
2001 - Uptime Calculation
Attack Vector - Timestamp
2001: Uptime Calculation
Timestamp != Uptime: TSval counts ticks of the host's timestamp clock, not seconds
Several timestamps sampled against the observer's clock ⇒ tick frequency of the host
timestamp / frequency ⇒ seconds since the counter started, i.e. uptime (if the counter started at 0 at boot)
Uptime correlates with patch level (a host that has been up for a year has not rebooted for a kernel update)
Attack Vector - Timestamp
2001: Uptime Calculation - Remediation
Disable timestamps (bad idea: loses PAWS and RTTM)
Randomize the timestamp at boot (problems: little entropy available at boot; the initial value is still easy to determine from the observed sequence)
Start each new TCP connection at 0 (problem: still PAWS, which relies on the timestamp clock being shared across connections, e.g. to recognise old duplicates from an earlier incarnation of the same connection)
Timestamp counter per IP/port pair (problem: only a question of time until the counters can be correlated)
More problems: may break SYN flood protection under Linux (SYN cookies encode the negotiated options in the low bits of TSval)
Timestamp counter for each IP
Attack Vector - Timestamp
2015: Uptime Calculation
Still possible (1) . . .
Timestamps observed over a longer period also reveal a host's habits, e.g. when it is shut down and when it is booted
Caveat (post-2015): since Linux 4.10 (2017) the kernel adds a random per-destination offset to TSval, so a raw TSval from such a host no longer equals ticks since boot; rate and skew estimation still work, and the value stays consistent across connections between the same two addresses
(1) It's a tiny bit more tricky for a small group of systems
Attack Vector - Timestamp
2005 - Host Identification
Attack Vector - Timestamp
2005: Host Identification
Attack Vector - Timestamp
2005: Host Identification - Remediation
Randomizing/Zeroing timestamps (loss of
functionality)
Use a different counter for each connection and
initialize with 0 (problem: PAWS)
Like above but with randomized start (problem:
PAWS)
Attack Vector - Timestamp
2015: Host Identification
Still possible (2) . . .
(2) It's a tiny bit more tricky for a small group of systems
Attack Vector - Clock Skew
Let's assume we fixed the aforementioned issues; are we done?
no :(
(Mainly) due to physical properties (heat, fabrication, . . . ) a clock isn't exact
This slight, device-specific deviation of the clock from its nominal rate can be used as an identifier (clock skew)
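The measurement behind both the uptime calculation (slide 7) and the clock skew identifier, as an added example that is not part of the talk: fit TSval against the observer's clock, snap the fitted rate to the nearest common tick rate, divide the last TSval by that rate for uptime, and report the residual rate error in ppm as the skew (Kohno et al. derive the same quantity as the slope of the remote-minus-local clock offset). The 32-bit wrap-around is unwrapped first. The sample data is synthetic, generated by constructed_samples for an assumed 250 Hz host with +40 ppm skew that has been up for three days; the set of candidate rates is an assumption as well.

```python
"""Estimate a remote host's timestamp clock rate, uptime and clock skew from
(observer_time_s, TSval) samples. Sample data is constructed, not from the talk."""

NOMINAL_RATES_HZ = (100, 250, 1000)   # assumed set of common timestamp clock rates
TS_MODULUS = 1 << 32                   # TSval is a 32-bit counter


def unwrap(tsvals):
    """Undo 32-bit wrap-around so the sequence is monotonic (assumes gaps < 2^31 ticks)."""
    out = [tsvals[0]]
    for prev, cur in zip(tsvals, tsvals[1:]):
        delta = (cur - prev) % TS_MODULUS
        if delta >= TS_MODULUS // 2:          # a small step backwards, not a wrap
            delta -= TS_MODULUS
        out.append(out[-1] + delta)
    return out


def fit_rate(samples):
    """Least-squares fit of TSval against observer time; returns (ticks per second, intercept)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    times = [t for t, _ in samples]
    ticks = unwrap([v for _, v in samples])
    n = len(samples)
    mean_t = sum(times) / n
    mean_v = sum(ticks) / n
    sxx = sum((t - mean_t) ** 2 for t in times)
    if sxx == 0:
        raise ValueError("samples need distinct observation times")
    sxy = sum((t - mean_t) * (v - mean_v) for t, v in zip(times, ticks))
    slope = sxy / sxx
    return slope, mean_v - slope * mean_t


def nominal_rate(measured_hz):
    """Snap a measured rate to the nearest candidate tick rate."""
    return min(NOMINAL_RATES_HZ, key=lambda hz: abs(hz - measured_hz))


def uptime_seconds(samples):
    """Uptime at the last sample, assuming the counter started at 0 at boot."""
    hz = nominal_rate(fit_rate(samples)[0])
    return unwrap([v for _, v in samples])[-1] / hz


def skew_ppm(samples):
    """Deviation of the measured rate from nominal, in parts per million."""
    measured, _ = fit_rate(samples)
    hz = nominal_rate(measured)
    return (measured - hz) / hz * 1e6


def constructed_samples(rate_hz=250, true_skew_ppm=40.0, uptime_at_start=259_200,
                        duration_s=4 * 3600, step_s=60):
    """Synthetic observations for a host with the given rate, skew and uptime."""
    true_rate = rate_hz * (1 + true_skew_ppm / 1e6)
    return [(t, round(true_rate * (uptime_at_start + t)) % TS_MODULUS)
            for t in range(0, duration_s + 1, step_s)]


if __name__ == "__main__":
    s = constructed_samples()
    rate = fit_rate(s)[0]
    print(f"rate {rate:.4f} Hz (nominal {nominal_rate(rate)} Hz), "
          f"uptime {uptime_seconds(s) / 86400:.2f} days, skew {skew_ppm(s):+.2f} ppm")
```

Two things the numbers show: the uptime estimate inherits the skew (about 11 s off after three days at +40 ppm, which is irrelevant for patch-level guessing), and the skew itself is recovered to well under 1 ppm from four hours of one-per-minute samples, which is the resolution that makes it usable as a device identifier.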
Attack Vector - Clock Skew
2005 - Host Identification
Attack Vector - Clock Skew
2005: Host Identification
Possible even if the per-host/port-tuple timestamp remediation is implemented
Linking several virtually hosted IPs is not possible with timestamp values (each OS keeps its own timestamp counter)
With clock skew it is not a problem, because they share hardware
Interesting for tracking users
Attack Vector - Clock Skew
2005: Host Identification - Remediation
Reduce the device's clock skew (difficult!)
Mask clock skew by multiplying the timestamp with a random value (breaks RFC)
mod skewmask: mask clock skew with a constant (see SkewMask in the references)
Encrypt timestamps (breaks RFC)
Table mapping between random 32-bit values and the internal representation of real timestamps (breaks RFC)
Attack Vector - Clock Skew
2015: Host Identification
Still possible (3) . . .
(3) Some honeypots try to avoid it
Attack Vector - Clock Skew
2005 - Network Layout Information
Gathering
Attack Vector - Clock Skew
2005: Network Layout Information Gathering
Attack Vector - Clock Skew
2005: Network Layout Information Gathering - Remediation
Same as for host identification
Attack Vector - Clock Skew
2015: Network Layout Information Gathering
Still possible . . .
Attack Vector - Clock Skew
2006 - Reveal Hidden Services
Attack Vector - Clock Skew
2006: Reveal Hidden Services
Attack Vector - Clock Skew
2006: Reveal Hidden Services - Remediation
Dummy Traffic
Fixed QoS for all connections ⇒ No anonymous
stream affects another (problem: potential DoS if
connections idle)
Oven Controlled Crystal Oscillators (OCXO)
Always run at maximum CPU load
Attack Vector - Clock Skew
2015: Reveal Hidden Services
Still possible . . .
Possible Targets
Users
Servers
Conclusion
More or less everyone/everything is affected
More Fun with TCP Timestamps
2015 - Reveal Active-Active
Loadbalancing
More Fun with TCP Timestamps
2015 Load-Balanced Check!
More Fun with TCP Timestamps
2015 Load-Balanced Check!
More Fun with TCP Timestamps
2007/2015 - Network Layout Information
Gathering
More Fun with TCP Timestamps
2015: Network Layout Information Gathering
DEMO (4)
(4) https://github.com/luh2/timestamps
More Fun with TCP Timestamps
2015: Network Layout Information Gathering
More Fun with TCP Timestamps
2015: Network Layout Information Gathering
Count IPs behind a NAT (if you are the receiving end of connections) (2007)
Identify hosts behind a NAT (if it has multiple ports open) (2015)
Same TCP timestamp sequence on two ports ⇒ services on the same host
Different TCP timestamp sequences ⇒ services on different hosts
Some ports answer without a timestamp ⇒ can't tell
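The three rules above, plus the active-active load balancing check from the earlier slides, as one added example (not the talk's demo code and not from the luh2/timestamps repository). Every observation from one public IP is reduced to the counter value it implies at observer time 0 (tsval minus rate times time); observations from the same running counter land within jitter of each other and form one clock. Ports sharing a clock are on one host, a port answered by several clocks is served by several backends, and ports that never return the option are reported as unknown. The tick rate (1000 Hz), the jitter tolerance and the observation list are assumptions made for the example.

```python
"""Group TCP timestamp observations from one public IP into distinct clocks.
One clock per host or backend: ports that share a clock sit on the same host,
a port that shows several clocks is served by several backends (active-active
load balancing). Observations below are constructed, not from the talk."""

from collections import defaultdict


def cluster_clocks(observations, hz=1000, tolerance_s=2.0):
    """observations: iterable of (port, observer_time_s, tsval or None).
    Maps each observation to its implied counter origin (tsval - hz*t) and
    groups origins that lie within the jitter tolerance (RTT variance, tick
    rounding) of an already seen clock. Assumes all hosts tick at `hz`."""
    tol_ticks = tolerance_s * hz
    clocks = []                                   # [{"origin": int, "ports": set()}]
    for port, t, tsval in observations:
        if tsval is None:
            continue                              # no timestamp option: no evidence
        origin = tsval - hz * t
        for clock in clocks:
            if abs(clock["origin"] - origin) <= tol_ticks:
                clock["ports"].add(port)
                break
        else:
            clocks.append({"origin": origin, "ports": {port}})
    return clocks


def analyse(observations, hz=1000):
    """Summarise which ports share a host, which are load-balanced, and which give no evidence."""
    clocks = cluster_clocks(observations, hz)
    clocks_by_port = defaultdict(set)
    for idx, clock in enumerate(clocks):
        for port in clock["ports"]:
            clocks_by_port[port].add(idx)
    all_ports = {p for p, _, _ in observations}
    return {
        "hosts": [sorted(c["ports"]) for c in clocks],
        "load_balanced": sorted(p for p, ids in clocks_by_port.items() if len(ids) > 1),
        "unknown": sorted(all_ports - set(clocks_by_port)),
    }


# Constructed: host A's counter origin is 5_000_000, host B's is 900_000_000 (1000 Hz);
# port 80 is answered alternately by A and B, port 25 answers without timestamps.
OBSERVATIONS = [
    (22, 0.000, 5_000_000),
    (80, 0.150, 5_000_153),
    (443, 0.300, 900_000_300),
    (80, 0.450, 900_000_452),
    (80, 0.600, 5_000_601),
    (25, 0.700, None),
]

if __name__ == "__main__":
    print(analyse(OBSERVATIONS))
```

Keep the probe window short or estimate each port's tick rate first: with a wrong rate the implied origin drifts by (true rate minus assumed rate) ticks per second, and over a long window two samples from one host would split into two clocks. Hosts with a per-destination random timestamp offset (Linux 4.10 and later) still group correctly, because the offset is the same for every port when all probes come from one scanner address.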
More Fun with TCP Timestamps
2015: Network Layout Information Gathering
No tool exploits this knowledge yet
Does someone want to write an Nmap script?
More Fun with TCP Timestamps
2007/2015: Network Layout Information Gathering - Remediation
Increment randomly (defeats RTTM)
Rewrite the timestamp on the NAT device (so the NAT presents one counter to the outside)
More Fun with TCP Timestamps
2015 - Improve OS Fingerprints of
NAT-ed Devices
More Fun with TCP Timestamps
2015 Improve OS Fingerprints
Repeat: What is an OS fingerprint?
Nmap doesn't assume the aforementioned scenario (several hosts behind one IP) but fingerprints the IP directly
Use the knowledge of which ports belong together (same host)
Don't use closed ports (behind a NAT the reply to a closed port comes from the NAT device, not from the host behind the open ports)
More Fun with TCP Timestamps
2015 Improve Fingerprints!
DEMO
Proposed Solutions
Terminate TCP connections at the firewall (a terminating proxy hides the internal hosts' timestamp clocks; the firewall's own clock and skew are still exposed)
Why Haven’t We Fixed This?
Quote: Kohno et al.
[. . . ] it is possible to extract security-relevant signals
from data canonically considered to be noise.
The "there are other ways to gather the same intel" excuse
Not considered important
Not many good solutions so far
More Timestamps
ICMP Timestamp (CVE-1999-0524)
TLS Timestamp (Tor Bug #7277)
HTTP Timestamp (Murdoch, 2013)
. . .
Summary of (presented) Attacks
TCP Timestamps
2001 - Uptime Calculation
2005 - Host Identification
2015 - Network Layout Information Gathering
2015 - Reveal Active-Active Loadbalancing
2015 - Improve OS Fingerprints of NAT-ed Devices
Clock Skew
2005 - Host Identification / User Tracking
2005 - Network Layout Information Gathering
2006 - Reveal Hidden Services
What Now?
Good solutions/suggestions welcome!
For Further Reading
B. Ransford and E. Rosensweig. SkewMask: Frustrating Clock Skew Fingerprinting Attempts. December 2007.
T. Kohno, A. Broido and K. Claffy. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 2, pp. 93–108, May 2005.
S. Sharma, A. Hussain and H. Saran. Experience with heterogenous clock-skew based device fingerprinting. Proceedings of LASER '12 (2012 Workshop on Learning from Authoritative Security Experiment Results), pp. 9–18.
B. McDanel. TCP Timestamping - Obtaining System Uptime Remotely. http://www.securiteam.com/securitynews/5NP0C153PI.html, March 14, 2001.
For Further Reading 2
V. Jacobson, R. Braden and D. Borman. TCP Extensions for High Performance. Network Working Group, RFC 1323, May 1992.
S. Bellovin. Defending Against Sequence Number Attacks. Network Working Group, RFC 1948, May 1996.
M. Silbersack. Improving TCP/IP security through randomization without sacrificing interoperability. University of Wisconsin – Milwaukee, 2005.
S. Murdoch. Hot or not: revealing hidden services by their clock skew. Proceedings of CCS '06 (13th ACM Conference on Computer and Communications Security), pp. 27–36.
So Long and Thanks For All The Fish
Me: @fenceposterror
Thanks to people who inspired or helped:
Krzysztof Kotowicz, Stefan Friedli, Max Hailperin
