
If I have sensitive HTTP routes that could be subject to timing attacks (trying to guess an ID, user, etc.), is there a way, without modifying the application code, to wrap them with a network tweak, proxy, or some other program so that timing attacks could be obviated?

The best I've been able to find, and it's not ideal, is just adding a fixed delay with netem, but if fast and slow are (e.g.) 1 and 10 ms, I would need to add a lot of delay to try to make them blur together (e.g. +100 ms, then hopefully 101 ms vs. 110 ms plus random internet delay, but this isn't optimal), vs. just trying to make them all 15 ms or something.

Nick T
  • Why fixed? Then it would be slow is 110ms and fast is 101ms. It should be random. A straight normal distribution might lead to a camel double hump effect but would certainly blur the lines. – foreverska May 26 '22 at 15:25
  • Sorry, I meant to imply I didn't want a fixed delay added (the +100 ms), but to make them all take a uniform amount of time (e.g. 15 ms), maybe with some randomness as well. [Randomness isn't a silver bullet though](https://security.stackexchange.com/questions/96489/can-i-prevent-timing-attacks-with-random-delays?rq=1) and a few of the backend apps are off-the-shelf, so modifying them would be a lot of effort. – Nick T May 26 '22 at 15:28
  • Yeah, I didn't write an answer because I don't know it. But based on "lead to a camel double hump effect" I'm glad my brain intuitively saw that silver bullet answer coming. – foreverska May 26 '22 at 16:30
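The "make them all 15 ms" idea from the question can be done outside the application with a small reverse proxy that buffers the backend's reply and releases it only on the next 15 ms boundary, measured on the proxy's own clock from the moment the request arrived. Unlike a fixed or random netem delay, which an attacker can average away because the 1 ms / 10 ms difference is still present in every sample, quantising the response time removes the difference entirely for any two paths that land in the same bucket. The script below is an added example written for this page, not code from the question, from netem, or from any of the off-the-shelf apps mentioned; `UPSTREAM`, `LISTEN` and `QUANTUM_S` are assumed placeholders, and `sleeping_backend` / `simulate` are constructed stand-ins for a real backend so the padding can be measured offline.

```python
"""Timing-padding reverse proxy: every response leaves on a quantum boundary.

Added example for this page, not code from the question or any product it names.
Assumptions: UPSTREAM, LISTEN and QUANTUM_S are placeholders; the backend speaks
plain HTTP and its responses fit in memory.
"""
import math
import statistics
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

QUANTUM_S = 0.015                    # 15 ms buckets, the figure from the question
UPSTREAM = "http://127.0.0.1:8080"   # assumed backend address
LISTEN = ("127.0.0.1", 8081)         # assumed proxy address

# Headers the proxy recomputes itself rather than copying through.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "content-length", "host"}


def bucket_count(elapsed: float, quantum: float = QUANTUM_S) -> int:
    """Whole quanta a response occupies: ceil(elapsed / quantum), never less than 1.

    Inside one bucket the backend's true latency is hidden; only the bucket
    index can leak, so the quantum must exceed the slowest legitimate path.
    """
    return max(1, math.ceil(max(elapsed, 0.0) / quantum))


def run_padded(work, quantum: float = QUANTUM_S):
    """Run work(), then hold the result until the quantised release time.

    Returns (result, bucket_index, wall_seconds) so callers can see the padding.
    """
    start = time.monotonic()
    result = work()
    k = bucket_count(time.monotonic() - start, quantum)
    deadline = start + k * quantum
    while (remaining := deadline - time.monotonic()) > 0:   # sleep may wake early
        time.sleep(remaining)
    return result, k, time.monotonic() - start


def sleeping_backend(delay: float, payload: str = "ok"):
    """Constructed stand-in for a backend path that takes `delay` seconds."""
    def work():
        time.sleep(delay)
        return payload
    return work


def simulate(quantum: float = QUANTUM_S, rounds: int = 20):
    """Median wall time of a 1 ms and a 10 ms backend, raw and padded."""
    results = {}
    for label, delay in (("fast", 0.001), ("slow", 0.010)):
        raw, padded = [], []
        for _ in range(rounds):
            t0 = time.monotonic()
            sleeping_backend(delay)()
            raw.append(time.monotonic() - t0)
            padded.append(run_padded(sleeping_backend(delay), quantum)[2])
        results[label] = {"raw": statistics.median(raw), "padded": statistics.median(padded)}
    return results


class PaddingProxy(BaseHTTPRequestHandler):
    """Forwards to UPSTREAM and releases every reply, errors included, on a boundary."""

    def _forward(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = Request(UPSTREAM + self.path, data=body, method=self.command)
        for name, value in self.headers.items():
            if name.lower() not in HOP_BY_HOP:
                req.add_header(name, value)
        try:
            with urlopen(req, timeout=5) as resp:
                return resp.status, resp.getheaders(), resp.read()
        except HTTPError as err:            # 4xx/5xx is still a response, still padded
            return err.code, list(err.headers.items()), err.read()
        except URLError:                    # backend down: the 502 is padded too
            return 502, [], b"bad gateway\n"

    def _handle(self):
        (status, headers, payload), _bucket, _wall = run_padded(self._forward)
        self.send_response(status)
        for name, value in headers:
            if name.lower() not in HOP_BY_HOP:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _handle

    def log_message(self, *_args):          # keep the demo quiet
        pass


if __name__ == "__main__":
    for label, med in simulate().items():
        print(f"{label}: raw {med['raw'] * 1000:.2f} ms, padded {med['padded'] * 1000:.2f} ms")
    print(f"proxy on {LISTEN} -> {UPSTREAM}, quantum {QUANTUM_S * 1000:.0f} ms")
    ThreadingHTTPServer(LISTEN, PaddingProxy).serve_forever()
```

Two things to check before relying on this. First, it is a threaded server on purpose: with a single-threaded proxy a padded reply would delay the next queued request, and that queueing delay would itself be a timing signal. Second, the protection only holds within a bucket, so the quantum must be chosen above the slowest legitimate response on the protected routes (including error paths, which is why the 4xx/5xx and 502 cases go through the same `run_padded`); a route that straddles a boundary, or that differs in response size rather than time, still leaks.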

0 Answers