still exploiting tcp timestamps
play

(Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack - PowerPoint PPT Presentation

May 08, 2023 •152 likes •623 views

(Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack in Paris, June 2015 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 1 / 47 About Me Security Consultant & Researcher @ scip AG @fenceposterror

  1. (Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack in Paris, June 2015 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 1 / 47

  2. About Me Security Consultant & Researcher @ scip AG @fenceposterror Bug in the matrix Disclaimer I will use IP on the slides synonym to IP address for space reasons. Timestamps allows refer to TCP timestamps if not otherwise noted. Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 2 / 47

  3. Outline What are TCP Timestamps? 1 A History of Exploitation and Failed Remediation 2 More Fun with TCP Timestamps 3 What Now? 4 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 3 / 47

  4. TCP Timestamps Introduced in 1992 Described in RFC1323 Extension to provide PAWS and improved RTTM A constant, strictly monotonous increasing number Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 4 / 47

  5. A TCP Timestamp Kind: 8 Length: 10 bytes +-------+-------+---------------------+---------------------+ |Kind=8 | 10 | TS Value (TSval) |TS Echo Reply (TSecr)| +-------+-------+---------------------+---------------------+ 1 1 4 4 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 5 / 47

  6. Attack Vector - Timestamp 2001 - Uptime Calculation Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 6 / 47

  7. Attack Vector - Timestamp 2001: Uptime Calculation Timestamp != Uptime Multiple timestamps ⇒ frequency of host ⇒ timestamp & frequency ⇒ uptime Uptime related to patch level Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 7 / 47

  8. Attack Vector - Timestamp 2001: Uptime Calculation - Remediation Disable timestamps (bad idea) Randomize timestamps at boot (problems: lack of entropy, determination of initial value easy) Start each new TCP Connection with 0 (problem: still PAWS) Timestamp per IP/port pair (problem: only a question of time) More problems: Might break syn flood protection under linux Timestamp counter for each IP Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 8 / 47

  9. Attack Vector - Timestamp 2015: Uptime Calculation Still possible 1 . . . Also: timestamps observed over a longer period also lets us know their habits, e.g. when shutting down, when booting, . . . 1 It’s a tiny bit more tricky for a small group of systems Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 9 / 47

  10. Attack Vector - Timestamp 2005 - Host Identification Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 10 / 47

  11. Attack Vector - Timestamp 2005: Host Identification = ⇒ Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 11 / 47

  12. Attack Vector - Timestamp 2005: Host Identification - Remediation Randomizing/Zeroing timestamps (loss of functionality) Use a different counter for each connection and initialize with 0 (problem: PAWS) Like above but with randomized start (problem: PAWS) Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 12 / 47

  13. Attack Vector - Timestamp 2015: Host Identification Still possible 2 . . . 2 It’s a tiny bit more tricky for a small group of systems Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 13 / 47

  14. Attack Vector - Clock Skew Let’s assume we did fix the aforementioned issues, are we done? no :( (Mainly) due to physical properties (heat, fabrication, . . . ) clock isn’t exact This slight imperfection of clock can be used as identifier (clock skew) Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 14 / 47

  15. Attack Vector - Clock Skew 2005 - Host Identification Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 15 / 47

  16. Attack Vector - Clock Skew 2005: Host Identification Possible even if host/port tuple TCP timestamp solution got implemented Multiple IPs virtually hosted not possible with timestamp (because TS per OS) With clock skew not a problem, because they share hardware Interesting to track users Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 16 / 47

  17. Attack Vector - Clock Skew 2005: Host Identification - Remediation Reduce device’s clock skew (difficult!) Mask clock skew by multiplying timestamp with random value (breaks RFC) mod skewmask: Mask clock skew with constant Encrypt timestamps (breaks RFC) Table mapping between random 32-bit values and internal representation of real timestamps (breaks RFC) Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 17 / 47

  18. Attack Vector - Clock Skew 2015: Host Identification Still possible 3 . . . 3 Some honeypots try to avoid it Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 18 / 47

  19. Attack Vector - Clock Skew 2005 - Network Layout Information Gathering Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 19 / 47

  20. Attack Vector - Clock Skew 2005: Network Layout Information Gathering Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 20 / 47

  21. Attack Vector - Clock Skew 2005: Network Layout Information Gathering - Remediation Same as for host identification Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 21 / 47

  22. Attack Vector - Clock Skew 2015: Network Layout Information Gathering Still possible . . . Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 22 / 47

  23. Attack Vector - Clock Skew 2006 - Reveal Hidden Services Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 23 / 47

  24. Attack Vector - Clock Skew 2006: Reveal Hidden Services Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 24 / 47

  25. Attack Vector - Clock Skew 2006: Reveal Hidden Services - Remediation Dummy Traffic Fixed QoS for all connections ⇒ No anonymous stream affects another (problem: potential DoS if connections idle) Oven Controlled Crystal Oscillators (OCXO) Always run at maximum CPU load Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 25 / 47

  26. Attack Vector - Clock Skew 2015: Reveal Hidden Services Still possible . . . Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 26 / 47

  27. Possible Targets Users Servers Conclusion More or less everyone/everything is affected Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 27 / 47

  28. More Fun with TCP Timestamps 2015 - Reveal Active-Active Loadbalancing Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 28 / 47

  29. More Fun with TCP Timestamps 2015 Load-Balanced Check! Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 29 / 47

  30. More Fun with TCP Timestamps 2015 Load-Balanced Check! Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 30 / 47

  31. More Fun with TCP Timestamps 2007/2015 - Network Layout Information Gathering Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 31 / 47

  32. More Fun with TCP Timestamps 2015: Network Layout Information Gathering DEMO 4 4 https://github.com/luh2/timestamps Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 32 / 47

  33. More Fun with TCP Timestamps 2015: Network Layout Information Gathering Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 33 / 47

  34. More Fun with TCP Timestamps 2015: Network Layout Information Gathering Count IPs behind a NAT (if you are the receiving end of connections) (2007) Identify hosts behind a NAT (if you have multiple ports open) (2015) TCP timestamp is the same ⇒ services on same host TCP timestamp is different ⇒ services on different hosts Some ports answer with no timestamp ⇒ Can’t tell Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 34 / 47

  35. More Fun with TCP Timestamps 2015: Network Layout Information Gathering No tool that exploits this knowledge Does someone want to write a Nmap script? Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 35 / 47

  36. More Fun with TCP Timestamps 2007/2015: Network Layout Information Gathering - Remediation Increment randomly (defeats RTTM) Rewrite timestamp on NAT device Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 36 / 47

  37. More Fun with TCP Timestamps 2015 - Improve OS Fingerprints of NAT-ed Devices Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 37 / 47

  38. More Fun with TCP Timestamps 2015 Improve OS Fingerprints Repeat: What is a OS Fingerprint? Nmap doesn’t assume aforementioned scenario, but direct fingerprinting Use knowledge which ports belong together Don’t use closed ports Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 38 / 47

  39. More Fun with TCP Timestamps 2015 Improve Fingerprints! DEMO Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 39 / 47

  40. Proposed Solutions Terminate TCP connection at firewall Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 40 / 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Timestamps in Security Protocols One method of handling this kind of problem is timestamps

Timestamps in Security Protocols One method of handling this kind of problem is timestamps

Timestamps in Security Protocols One method of handling this kind of problem is timestamps Proper use of timestamps can limit the time during which an exposed key is dangerous But timestamps have their own problems Lecture 6 Page 1

359 views • 9 slides
TCP Options for Low Latency: Maximum ACK Delay and Microsecond Timestamps Neal Cardwell Yuchung

TCP Options for Low Latency: Maximum ACK Delay and Microsecond Timestamps Neal Cardwell Yuchung

TCP Options for Low Latency: Maximum ACK Delay and Microsecond Timestamps Neal Cardwell Yuchung Cheng Eric Dumazet IETF 97: Seoul, Nov 2016 Motivation: lower latency, higher throughput Datacenters with commodity 10Gbps Ethernet: RTT <100

1.16k views • 10 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Important Lessons Lamport & vector clocks both give a logical timestamps Total

Important Lessons Lamport & vector clocks both give a logical timestamps Total

Important Lessons Lamport & vector clocks both give a logical timestamps Total ordering vs. causal ordering Other issues in coordinating node activities Exclusive access to resources/

150 views • 10 slides
Getting Timestamps Right Martin Konrad Control System Engineer This material is based upon work

Getting Timestamps Right Martin Konrad Control System Engineer This material is based upon work

Getting Timestamps Right Martin Konrad Control System Engineer This material is based upon work supported by the U.S. Department of Energy Office of Science under Cooperative Agreement DE-SC0000661, the State of Michigan and Michigan State

434 views • 9 slides
Fixing WTFs - Detecting Image Matches caused by Watermarks, Timestamps, and Frames in Internet

Fixing WTFs - Detecting Image Matches caused by Watermarks, Timestamps, and Frames in Internet

Fixing WTFs - Detecting Image Matches caused by Watermarks, Timestamps, and Frames in Internet Photos Tobias Weyand, Chih-Yun Tsai, Bastian Leibe Fixing WTFs Poster No. 26 Overview Many Computer Vision Applications use Internet photos,

818 views • 38 slides
PAST : Probabilistic Authentication of Sensor Timestamps Ashish Gehani SRI 1 INTRODUCTION :

PAST : Probabilistic Authentication of Sensor Timestamps Ashish Gehani SRI 1 INTRODUCTION :

PAST : Probabilistic Authentication of Sensor Timestamps Ashish Gehani SRI 1 INTRODUCTION : What is a sensor? Example sensor: MICA mote Figure 1: Mote in a vineyard 2 INTRODUCTION : What is a sensor network? Sensors measure the

356 views • 21 slides
? sync ref chosen as sync source by Listener Stream B: Presentation Stream C: timestamps

? sync ref chosen as sync source by Listener Stream B: Presentation Stream C: timestamps

Nominal Media Clock: Ts (implicit, not distributed) Stream A: ? sync ref chosen as sync source by Listener Stream B: Presentation Stream C: timestamps Stream D: from different Talkers A-F Stream E: Listener must Stream F: align

57 views • 3 slides
Vector Clocks Collin J. Fidge, 1988. Timestamps in Message-Passing Systems That Preserve the

Vector Clocks Collin J. Fidge, 1988. Timestamps in Message-Passing Systems That Preserve the

Vector Clocks Collin J. Fidge, 1988. Timestamps in Message-Passing Systems That Preserve the Partial Order Order of events without global clock What happens when? event message time process A total order of events Lamport clocks 5 4 4

679 views • 20 slides
C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology

C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology

C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology Offers to Elevate Questions Offers to Elevate Questions Arnaud Wijnant wijnant@uvt.nl Maurice Martens m.g.j.martens@uvt.nl IBUC 2010 Baltimore 11/

403 views • 12 slides
Postmodern strace Dmitry Levin Brussels, 2020 Traditional strace [1/30] Printing instruction

Postmodern strace Dmitry Levin Brussels, 2020 Traditional strace [1/30] Printing instruction

Postmodern strace Dmitry Levin Brussels, 2020 Traditional strace [1/30] Printing instruction pointer and timestamps print instruction pointer: -i option print timestamps: -r , -t , -tt , -ttt , and -T options Size and format of strings string

447 views • 33 slides
Exploiting carbon and nitrogen Exploiting carbon and nitrogen compounds for enhanced energy

Exploiting carbon and nitrogen Exploiting carbon and nitrogen compounds for enhanced energy

Exploiting carbon and nitrogen Exploiting carbon and nitrogen compounds for enhanced energy compounds for enhanced energy and resource recovery and resource recovery Bahareh Kokabian Veera Gnaneswar Gude Civil & Environmental Engineering

514 views • 37 slides
Exploiting Level- Exploiting Level -of of- -Detail Perception Detail Perception Multiple

Exploiting Level- Exploiting Level -of of- -Detail Perception Detail Perception Multiple

Special Course on Networked Virtual February 26, 2004 Environments Exploiting Level- Exploiting Level -of of- -Detail Perception Detail Perception Multiple Multiple- -Channel Architecture Channel Architecture Nearby viewers Nearby

165 views • 5 slides
Exploiting the Power of MIP Solvers in MAXSAT Jessica Davies 1 and Fahiem Bacchus 2 1 MIAT, INRA,

Exploiting the Power of MIP Solvers in MAXSAT Jessica Davies 1 and Fahiem Bacchus 2 1 MIAT, INRA,

Exploiting the Power of MIP Solvers in MAXSAT Jessica Davies 1 and Fahiem Bacchus 2 1 MIAT, INRA, Toulouse, France 2 Department of Computer Science, University of Toronto Outline 1. Background 2. The MaxHS Approach 3. Exploiting CPLEX 4.

630 views • 43 slides
Finding and Exploiting LTL Trajectory Constraints in Heuristic Search Salom e Simon Gabriele

Finding and Exploiting LTL Trajectory Constraints in Heuristic Search Salom e Simon Gabriele

Motivation LTL f in Classical Planning Finding Information Exploiting Information Experiments Conclusion Finding and Exploiting LTL Trajectory Constraints in Heuristic Search Salom e Simon Gabriele R oger University of Basel,

423 views • 28 slides
Exploiting More ILP ILP = __________________ _________________ ________________

Exploiting More ILP ILP = __________________ _________________ ________________

Exploiting More ILP ILP = __________________ _________________ ________________ (parallelism within a single program) How can we exploit more ILP? Slide Set #20: Advanced Pipelining, Multiprocessors, 1. ________________________

448 views • 5 slides
Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016

Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016

Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016 http://tinyurl.com/randomized-practical Some random examples Building atomic bombs Truncated SVD Dimensionality reduction Kernel methods for big data Nonlinear

970 views • 81 slides
To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as

To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as

Fully Personalized PageRank Similarity Search To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as Sarl os, E otv os University and Computer and Automation Institute, Hungarian Academy of

571 views • 22 slides
under Modular Updates Shachar Lovett (UCSD) Kaave Hosseini (UCSD CMU), Grigory Yaroslavtsev

under Modular Updates Shachar Lovett (UCSD) Kaave Hosseini (UCSD CMU), Grigory Yaroslavtsev

Optimality of Linear Sketching under Modular Updates Shachar Lovett (UCSD) Kaave Hosseini (UCSD CMU), Grigory Yaroslavtsev (Indiana) Streaming and sketching Streaming with binary updates Counters 1 , , 2

610 views • 28 slides
How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger, Michael Backes, and Wenke Lee Georgia Tech, CISPA, Saarland University, MPI-SWS, DFKI RuntimeASLR 1 What did we do? We re-randomize the memory

833 views • 44 slides
Recommendation on Data Missing Not at Random A Doubly Robust Joint Learning Approach Rating

Recommendation on Data Missing Not at Random A Doubly Robust Joint Learning Approach Rating

Recommendation on Data Missing Not at Random A Doubly Robust Joint Learning Approach Rating Matrix Item 1 Item 2 Item 3 ... Item M User 1 4 ... User 2 2 ... User 3 5 ... 5 ... ... ... ... ... ... User N 2 ... 1 Rating

911 views • 26 slides
On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin

On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin

On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin ANSSI, France 18 April, EUROCRYPT 2012 Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 1 / 28 Introduction Introduction

1.45k views • 117 slides
Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**,

Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**,

Hig igh-Throughput Secure Three-Party Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**, Ariel Nof** and Or Weinstein** *NEC corporation, Israel **Bar-Ilan University, Israel Eurocrypt 2017

699 views • 54 slides
Improved Bounds on the Dot Product under Random Projection and Random Sign Projection Ata Kab

Improved Bounds on the Dot Product under Random Projection and Random Sign Projection Ata Kab

Improved Bounds on the Dot Product under Random Projection and Random Sign Projection Ata Kab an School of Computer Science The University of Birmingham Birmingham B15 2TT, UK http://www.cs.bham.ac.uk/ axk KDD 2015, Sydney, 10-13

280 views • 23 slides

More recommend