
I know lots of websites that do clock skew fingerprinting using TCP timestamps. I know how to disable timestamps, but I want to know techniques that can be used to counter clock skew fingerprinting. I read somewhere that one can spoof this clock-skew-based identification process by altering the system timestamp values; it is a complex procedure and requires a detailed knowledge of how the kernel interprets system time and how this system time is reflected in the default OS-generated fields in packet headers.

Does anyone know how to spoof/alter TCP timestamps?

jack

1 Answer


As of Linux kernel commit 95a22caee396cef0bb2ca8fafdd82966a49367bb, all TCP timestamps are randomized. This allows you to mitigate clock skew fingerprinting without worrying about the issues that can arise on high-throughput connections when timestamps are disabled. Note that this commit was partially reverted due to breakages, but TCP timestamps are still randomized on a per-host basis.

See a copy of the relevant commit message, from 2016:

tcp: randomize tcp timestamp offsets for each connection

jiffies based timestamps allow for easy inference of number of devices
behind NAT translators and also makes tracking of hosts simpler.

commit ceaa1fe ("tcp: adding a per-socket timestamp offset")
added the main infrastructure that is needed for per-connection ts
randomization, in particular writing/reading the on-wire tcp header
format takes the offset into account so rest of stack can use normal
tcp_time_stamp (jiffies).

So only two items are left:
 - add a tsoffset for request sockets
 - extend the tcp isn generator to also return another 32bit number
   in addition to the ISN.

Re-use of ISN generator also means timestamps are still monotonically
increasing for same connection quadruple, i.e. PAWS will still work.

Includes fixes from Eric Dumazet.

Signed-off-by: Florian Westphal
Acked-by: Eric Dumazet
Acked-by: Yuchung Cheng
Signed-off-by: David S. Miller

Prior to this change, it would have been necessary to manually patch your kernel.

Glorfindel
forest
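To make the mechanism in the quoted commit message concrete, here is a small model of per-connection timestamp offsets. It is an added example, not kernel code and not the patch the answer refers to: the kernel derives the offset from its ISN generator, whereas this model uses an HMAC over the connection quadruple as a stand-in, and all addresses, ports, clock values and the secret are constructed. It shows the two properties the commit message relies on: every connection from one host puts a different value in the TSval field, yet within one quadruple the offset is constant, so TSval stays monotonic and PAWS keeps working. The answer notes that shipped kernels ended up with a per-host rather than per-connection offset; that variant would key the hash on something coarser than the full quadruple, but the monotonicity argument is the same.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the kernel's per-boot ISN secret. The real kernel's
# generator and hash function differ; this is only a model of the scheme.
DEFAULT_SECRET = os.urandom(16)


def ts_offset(saddr, daddr, sport, dport, secret=DEFAULT_SECRET):
    """Hypothetical per-connection 32-bit timestamp offset keyed on the 4-tuple.

    Because the offset is a deterministic function of the quadruple and the
    secret, every segment of one connection gets the same offset, which is
    what keeps TSval monotonic (and PAWS working) for that connection.
    """
    quad = f"{saddr}:{sport}->{daddr}:{dport}".encode()
    digest = hmac.new(secret, quad, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def wire_timestamp(tcp_time_stamp, offset):
    """TSval as it would appear on the wire: local clock plus offset, modulo 2**32."""
    return (tcp_time_stamp + offset) & 0xFFFFFFFF


def monotonic_mod32(tsvals):
    """PAWS-style check: successive TSvals must not move backwards modulo 2**32."""
    for prev, cur in zip(tsvals, tsvals[1:]):
        if ((cur - prev) & 0xFFFFFFFF) >= 0x80000000:
            return False
    return True


def simulate(secret, ticks=5):
    """Constructed scenario: one host opens two connections to different peers.

    Returns what an observer comparing raw TSvals could tell before and after
    per-connection randomization.
    """
    host_clock = list(range(1_000_000, 1_000_000 + ticks))  # constructed jiffies
    conn_a = ("10.0.0.2", "192.0.2.10", 40000, 443)
    conn_b = ("10.0.0.2", "198.51.100.7", 40001, 443)
    off_a = ts_offset(*conn_a, secret=secret)
    off_b = ts_offset(*conn_b, secret=secret)

    # Before the change: TSval was raw tcp_time_stamp (jiffies), shared by
    # every connection the host made.
    legacy_a = [wire_timestamp(t, 0) for t in host_clock]
    legacy_b = [wire_timestamp(t, 0) for t in host_clock]
    # After the change: each quadruple carries its own offset.
    rand_a = [wire_timestamp(t, off_a) for t in host_clock]
    rand_b = [wire_timestamp(t, off_b) for t in host_clock]

    return {
        "offsets_differ": off_a != off_b,
        "same_quad_monotonic": monotonic_mod32(rand_a) and monotonic_mod32(rand_b),
        "legacy_connections_share_tsval": legacy_a == legacy_b,
        "randomized_connections_share_tsval": rand_a == rand_b,
    }


if __name__ == "__main__":
    for key, value in simulate(b"constructed-boot-secret").items():
        print(f"{key}: {value}")
```

Running the script prints that the two offsets differ, both connections remain monotonic, the legacy TSvals of the two connections are identical (which is the property that let an observer count hosts behind a NAT), and the randomized ones are not.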
  • That change was "committed on Dec 1, 2016". Is there an easy way to identify what released versions contain it? – Ben Voigt Apr 08 '19 at 04:30
  • @BenVoigt For mainline kernels or distro kernels? – forest Apr 08 '19 at 04:32
  • Mainline kernels (while a distro may backpatch it into a subsequent re-release of an earlier one, they shouldn't be missing it from a version derived after it enters mainstream). Although I guess there are several "official" branches, let's just use the Kroah-Hartman `-stable` releases. – Ben Voigt Apr 08 '19 at 04:34
  • `git describe --contains 95a22caee396cef0bb2ca8fafdd82966a49367bb` perhaps? – forest Apr 08 '19 at 04:35
  • Ahh, apparently that change was revised significantly because it caused breakage. https://bugzilla.redhat.com/show_bug.cgi?id=1439633 and https://github.com/torvalds/linux/commit/28ee1b746f493b7c62347d714f58fbf4f70df4f0 So it is not recommended to manually apply the patch linked in your answer. – Ben Voigt Apr 08 '19 at 04:42
  • @BenVoigt Only the per-connection aspect was revised. It still defeats clock skew fingerprinting. – forest Apr 08 '19 at 04:44
  • Agreed, just anyone doing the manual patch suggested in your last sentence should use the newer more-compatible implementation, or risk being unable to connect to some peers. – Ben Voigt Apr 08 '19 at 04:46
  • @BenVoigt The patch I linked to isn't a standalone copy of this commit but a totally different implementation (and actually for it, the meanings of setting the TCP timestamp sysctl to 1 and 2 are reversed). The manual patch was written by Brad Spengler long before this change and only does a global offset, not per-connection offset (which is what caused the breakages). – forest Apr 08 '19 at 04:49
  • Ahh, my mistake. I had assumed that "manually patch your kernel" went to an explanation of how to apply an arbitrary patch such as 95a22caee396cef0bb2ca8fafdd82966a49367bb when in fact you are providing a specific manual patch. – Ben Voigt Apr 08 '19 at 04:52
  • It does it for TCP, but what about ICMP? – Hossein Alipour Mar 23 '22 at 16:10