Dec 7 2018
Apr 13 2017
Jan 18 2017
Dec 28 2016
Another LAN/Public wifi fingerprinting attack that Ethan's code can defeat:
Nov 28 2016
Done. Added io limit commits to open pull requests. Each vm can only use a maximum of 25% of the host io resources.
Nov 20 2016
Should limits be enforced for GW too?
Nov 19 2016
HulaHoop added a comment.
Though I agree with anonym's argument that resource exhaustion goes against the purpose of advanced malware that wants to hide - I still looked at io limits in case you still think it's valuable to set.
Nov 12 2016
HulaHoop added a comment.
There's a problem with setting this. SSD vs HDD io throughput is very different. What is reasonable for one will be excessive or too low for the other.
Nov 11 2016
Oct 11 2016
Looks like I overlooked python3-netfilterqueue-packager.
Sep 8 2016
I've now added Debian packaging support to the actual filter. Both packages install correctly and work well.
Sep 6 2016
Sep 2 2016
I've created some bash scripts to create a Debian package for kti/python-netfilterqueue. They're available in this GitHub repository, and I've uploaded a version of the package created on my Debian Jessie system here. There are still a few issues I'll be resolving in the coming days, including the lack of a source package, but it's overall completely functional.
Aug 24 2016
First off, this would likely better be discussed directly on T543, as it's largely unrelated to ping latency covert channels.
The Debian package you mentioned is actually a completely different library serving the same purpose. I'll probably end up porting my code over to use that
Aug 23 2016
If the attacker's goal is to judge clock skew (which can get to be tens of milliseconds), then it's completely practical
Aug 22 2016
Could it be replaced with the Debian package python-nfqueue? Is it the same?
Aug 19 2016
The following is an issue for us. (Since upgrades come outside of apt-get which makes it hard to keep it up to date for users as a Linux distribution maintainer. Package manager security and whatnot.)
Thanks for researching this and contributing a fix.
Aug 18 2016
Could you please post (and license Open Source) your fix to github? @ethanwhite
Aug 10 2016
Would it be correct to say that the fix developed also defends against the earlier attack described by Steven Murdoch?
Aug 9 2016
Would it be correct to say that the fix developed also defends against the earlier attack described by Steven Murdoch? - Therefore closing up this entire class of threats.
Aug 8 2016
We would like your feedback on the TCP ISN attack/mitigation info (or on the covert channel attack in general) on the wiki page.
Aug 7 2016
I'm not aware of any other issues. Performance seems to be decent as well; although this obviously increases the average latency, it can easily handle 10mbps of traffic.
Aug 6 2016
Can you please implement the same protections for IPv6/ICMP6 if it's not too much work.
Aug 5 2016
Can you please implement the same protections for IPv6/ICMP6 if it's not too much work. We plan to roll out the package for Whonix hosts (to end this attack for other VMs besides Whonix) where some users may have no choice but to connect with IPv6 because of their ISP.
Here I found an example of someone using libnetfilter_queue to manipulate ICMP packet timing. Though their goal is different - they embed covert patterns while we are preventing them. 
Aug 4 2016
After looking at the netem documentation I'm pretty sure there is something here we can use.
Aug 3 2016
Here is someone using tc (traffic control) and netem to delay packets in a queue. It can be applied to all traffic
Another way to delay packets is using the libnetfilter_queue interface. 
it is definitely possible to disable c-states as a guest operating system
Jun 7 2015
virsh can set disk activity limits per vm:
May 25 2015
For CPU, setting the Linux scheduler to the Nice level for a VM process can limit the effect of CPU DoS. Using cgroups, virtual machines can also be restricted to CPU limits which supports the prevention of denial of service.