Wed, Aug 12
After running a bunch of tcp ping tests, the conclusion is this attack
is not really effective against TCP like ICMP. The latency is much lower
for TCP pings and though it slightly decreases with cpu stress it is not
consistent. Reloading pages in TBB with cpu stress
on/off does not impact latency readings while doing so with tc
attached has massive latency foot prints - implying it will ironically make such attacks much easier in addition to degrading performance.
Fri, Aug 7
Cyrus recommends adding delays per packet to disrupt inter-packet patterns that remain. The command can be fine tuned as such:
Sat, Aug 1
The good news is I think I've figured out the equivalent tc-netem command looking the slot parameter in the manual:
May 30 2020
Ticket above closed and convo moved to tails-dev.
Dec 23 2019
We should be able to create a drop-in file at /lib/systemd/system/user-.slice.d/ and add something such as
Dec 22 2019
Oct 15 2019
Oct 13 2019
Analysis by Cyrus cited here for completion:
Oct 6 2019
Reported build failures:
When an implementation is decided, let's decide if we can include this in security-misc for use on Linux hosts and Kicksecure. We would need some way in detecting the active NIC since on wireless systems wlan0 is the interface of choice and not eth0
tc-netem is a utility that is part of the iproute2 package in Debian. It leverages functionality already built into Linux and userspace utilities to simulate networks including packet delays and loss.
Dec 7 2018
Apr 13 2017
Jan 18 2017
Dec 28 2016
Another LAN/Public wifi fingerprinting attack that Ethan's code can defeat:
Nov 28 2016
Done. Added io limit commits to open pull requests. Each vm can only use a maximum of 25% of the host io resources.
Nov 20 2016
Should limits be enforced for GW too?
Nov 19 2016
HulaHoop added a comment.
Though I agree with anonym's argument that resource exhaustion goes
against the purpose of advanced malware that wants to hide
Though I agree with anonym's argument that resource exhaustion goes against the purpose of advanced malware that wants to hide - I still looked at io limits in case you still think its valuable to set.
Nov 12 2016
HulaHoop added a comment.There's a problem with setting this. SSD vs HDD io throughput is very different. What is reasonable for one will be excessive or too low for the other.
There's a problem with setting this. SSD vs HDD io throughput is very different. What is reasonable for one will be excessive or too low for the other.
Nov 11 2016
Oct 11 2016
Looks like I overlooked python3-netfilterqueue-packager.
Sep 8 2016
I've now added Debian packaging support to the actual filter. Both packages install correctly and work well.
Sep 6 2016
Sep 2 2016
I've created some bash scripts to create a Debian package for kti/python-netfilterqueue. They're available in this GitHub repository, and I've uploaded a version of the package created on my Debian Jessie system here. There are still a few issues I'll be resolving in the coming days, including the lack of a source package, but it's overall completely functional.
Aug 24 2016
First off, this would likely better be discussed directly on T543, as it's largely unrelated to ping latency covert channels.
The Debian package you mentioned is actually a completely different library serving the same purpose. I'll probably end up porting my code over to use that
Aug 23 2016
If the attacker's goal is to judge clock skew (which can get to be tens of milliseconds), then it's completely practical
Aug 22 2016
Could it be replaced with the Debian package python-nfqueue? Is it the same?
Aug 19 2016
The following is an issue for us. (Since upgrades come outside of apt-get which makes it hard to keep it up to date for users as linux distribution maintainer. Package manager security and whatnot.)
Thanks for researching this and contributing a fix.
Aug 18 2016
Could you please post (and license Open Source) your fix to github? @ethanwhite
Aug 10 2016
Would it be correct to say that the fix developed also defends against the earlier attack described by Steven Murdoch?
Aug 9 2016
Would it be correct to say that the fix developed also defends against the earlier attack described by Steven Murdoch? - Therefore closing up this entire class of threats.
Aug 8 2016
We would like your feedback on the TCP ISN attack/mitigation info (or on the covert channel attack in general) on the wiki page.
Aug 7 2016
I'm not aware of any other issues. Performance seems to be decent as well; although this obviously increases the average latency, it can easily handle 10mbps of traffic.
Aug 6 2016
Can you please implement the same protections for IPv6/ICMP6 if its not too much work.
Aug 5 2016
Can you please implement the same protections for IPv6/ICMP6 if its not too much work. We plan to roll out the package for Whonix hosts (to end this attack for other VMs besides Whonix) where some users may have no choice but to connect with IPv6 because of their ISP.
Here I found an example of someone using libnetfilter_queue to manipulate ICMP packet timing. Though their goal is different - they embed covert patterns while we are preventing them.