Time Attack myths and reality.

Time Attack

In this section you will learn what a Time Attack is. Using an example, we will analyze how an attacker can detect vulnerabilities in the security of a computer or network. This topic is not well covered on the Internet, and even less so objectively, so we will explain what it is and how it works in simple language, with examples. We will walk through a scenario in which you are an employee of a special service and your task is to identify a particularly dangerous criminal who is engaged in blackmail and appears on the network only periodically, and only to transmit data. We will cover: a service that helps to check whether an IP address was used as a node for relaying Tor traffic; how to check whether the Tor Browser is configured to work; how to check whether a person is using a proxy, VPN or Tor; what can get in the way of a timing attack; how to protect against a Time Attack, including how to secure your messenger; examples of Time Attack vectors; the Clock Leak Attack and protection against the clock leakage vector; countermeasures against attacks that obtain CPU information from the TCP ISN; TCP timestamps and the kernel sysctl; iptables for limiting (blocking) incoming ICMP messages and traffic; and how to remove the timer function from the Linux TCP ISN code. After reading this article, you will understand what a Time Attack is and how to protect against it. If your messenger can hide your status information, use that for your safety.

A timing attack is a security exploit that allows an attacker to discover vulnerabilities in the security of a computer or network system by measuring how long the system takes to respond to various inputs. The timing characteristics vary with the encryption key, because different systems take slightly different amounts of time to process different inputs. Contributing variables include performance optimizations, branching and conditional statements, processor instructions, RAM, and cache access. A timing attack measures how long the system takes to do something and uses statistical analysis to find the correct decryption key and gain access.

Now you have a log of his activity for several days in your hands; it is time to use the ORM (operational and search measures) system. Similar systems are at the disposal of the special services of most countries; in Russia it is SORM. You need to find out who was connected to the Tor network in your country during this time frame, +/- 5 minutes. We know that the target that needs to be de-anonymized connected on 04/11/2022 at 11:07 AM and disconnected at 12:30 PM. At those time points (+/- 5 minutes), about 3000 people in the country connected to and disconnected from the Tor network. We take those 3000 and see who reconnected at 14:17 and disconnected at 16:54; how many people do you think will be left? Step by step the circle narrows, and as a result you will be able to determine the point from which your victim or criminal exits to the network. The more often he goes online and the fewer other users are online at that time, the faster the timing attack will work.

Examples

  • metrics.torproject.org: checks whether an IP address has been used as a node in the Tor (onion) network.
  • check.torproject.org: checks whether the Tor Browser is configured to work.
  • ipqualityscore.com: finds out whether a person is using a proxy, VPN or Tor.

What can get in the way of a timing attack

  • Constantly changing your points of access to the network makes this kind of attack meaningless. If the target changes access points only periodically, this can complicate the search, but it is an anticipated variant and is not able to confuse the system.
  • I hope our reader is not among wanted criminals and will not have to roam from one café with public Wi-Fi to another. However, the second piece of advice against a timing attack is worth following for everyone. It is about disabling status transmission at the messenger level, or setting a permanent "offline" status. Most messengers offer one of these options. The same logic applies to themed forums.

If your messenger lets you hide your status information, hide it.

  • An additional tool for protection against a timing attack is to stop launching the messenger together with connecting to the network. As you can understand from the description of the attack, the time of entering/leaving the network is compared with appearing online/going offline in the messenger. With forums, if you log in/log out ahead of time, you thereby avoid the timing attack.
  • A margin of error is allowed, but it has to be very large. If the target of the attack connects to Tor and launches the messenger only an hour later, it will be very difficult to link the network login with the messenger status; the same applies to a forum.

Any analysis or gathering of information in OSINT is logic; never forget that!
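The narrowing described above, and the countermeasure from the last bullet, as an added example on constructed data (not code from the original post). Times are minutes since midnight; the Tor connection log stands in for what a SORM-style system would hold, and the presence log is when the target's messenger was seen online/offline. The user names, sessions and the 60..75 minute delay are constructed.

```python
"""Intersection ("timing") attack on constructed data, then the countermeasure.
Times are minutes since midnight; TOLERANCE is the article's +/- 5 minutes."""
import random

TOLERANCE = 5

def hhmm(h, m):
    return 60 * h + m

def within(a, b, tol=TOLERANCE):
    return abs(a - b) <= tol

def candidates(tor_log, session):
    """Users whose Tor connect AND disconnect both fall within tolerance of
    one observed messenger online/offline pair."""
    on, off = session
    return {user for user, c, d in tor_log if within(c, on) and within(d, off)}

def narrow(tor_log, presence_log):
    """Intersect the candidate sets of every session: the circle narrows."""
    remaining = None
    for session in presence_log:
        found = candidates(tor_log, session)
        remaining = found if remaining is None else remaining & found
    return remaining if remaining is not None else set()

def decouple(sessions, rng, min_delay=60, max_delay=75):
    """Countermeasure from the article: launch the messenger a long, random
    time after joining the network (delay kept shorter than the session)."""
    return [(on + rng.randint(min_delay, max_delay), off) for on, off in sessions]

# Constructed Tor connection log: (user, connect, disconnect). "target" has the
# article's times; alice and carol collide only in the first session, bob only
# in the second, so only the intersection singles out the target.
TOR_LOG = [
    ("target", hhmm(11, 7), hhmm(12, 30)), ("target", hhmm(14, 17), hhmm(16, 54)),
    ("alice", hhmm(11, 10), hhmm(12, 27)), ("alice", hhmm(15, 0), hhmm(15, 30)),
    ("carol", hhmm(11, 4), hhmm(12, 33)), ("carol", hhmm(17, 0), hhmm(18, 0)),
    ("bob", hhmm(9, 0), hhmm(10, 0)), ("bob", hhmm(14, 20), hhmm(16, 50)),
]
# Constructed presence log of the target: messenger online/offline times that
# line up exactly with its Tor sessions (status sharing left on).
OBSERVED = [(hhmm(11, 7), hhmm(12, 30)), (hhmm(14, 17), hhmm(16, 54))]

def demo_decoupled(seed=1):
    """Same Tor log, but presence delayed by 60..75 min: nothing correlates."""
    return narrow(TOR_LOG, decouple(OBSERVED, random.Random(seed)))

if __name__ == "__main__":
    print(narrow(TOR_LOG, OBSERVED), demo_decoupled())  # {'target'} set()
```

Either mismatch (connect or disconnect) is enough to drop a candidate, which is why delaying only the moment you go online already empties the intersection.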

There is also a clock leak vector (Clock Leak Attack), through:

  • ICMP Timestamps
  • NTP Clients
  • TCP Initial Sequence Numbers (ISNs)
  • TCP Timestamps

Examples

  • Application-level Traffic
  • Denial of Service
  • Locating Onion Services
  • Remote Code Execution
  • Remote Device Fingerprinting
  • Replay Attacks

Protection against clock leakage vectors

For details on time synchronization mechanisms, see the Whonix documentation. The most interesting thing is that protection against this exists, and we will go on about it. The tool mostly used to fight it is sdwdate. It is best used together with software that moves the clock several seconds and nanoseconds into the past or future at boot time, in a random (not infrequently pseudo-random) manner, otherwise known as Boot Clock Randomization, although sdwdate performs a similar function to some extent. In this way you can confidently protect yourself from time-based fingerprinting and from pinning down your connection time, which I wrote about above. The main thing is to use sdwdate (which also randomizes the system clock); by the way, it is much safer than using ordinary programs to synchronize and set the system time. But, as practice has shown, sdwdate can randomize the clock incorrectly, so it is better to use it in combination with the Boot Clock Randomization described above.

Countermeasures against attacks that obtain CPU information through TCP ISNs have been developed:

Tirdad (https://github.com/Whonix/tirdad)

It is also better to:

  • disable TCP timestamps using a kernel sysctl;
  • not forget to use iptables to restrict (block) incoming ICMP messages and traffic;
  • remove the timer-based component from the Linux kernel's TCP ISN code (the tirdad module cited above does this, but you can handle it yourself).
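An audit of the first two items on the list (TCP timestamps off, ICMP timestamp requests dropped), as an added example and not Whonix or tirdad code. It reads the real sysctl file /proc/sys/net/ipv4/tcp_timestamps and the output of `iptables -S INPUT`; the two rule sets at the bottom are constructed samples so the parsing can be checked offline.

```python
"""Audit a Linux host's clock-leak surface: is the TCP timestamp option off,
and does the INPUT chain drop ICMP timestamp requests (ICMP type 13)?"""
import subprocess
from pathlib import Path

PROC_TCP_TIMESTAMPS = Path("/proc/sys/net/ipv4/tcp_timestamps")
TIMESTAMP_REQUEST = {"13", "timestamp-request"}  # iptables spellings of type 13

def tcp_timestamps_enabled(value):
    """sysctl net.ipv4.tcp_timestamps: 0 = off, 1 = on, 2 = on with a
    per-connection random offset. Only 0 removes the option entirely."""
    return value.strip() != "0"

def icmp_timestamp_dropped(rules_text):
    """Walk `iptables -S INPUT` output in order; the first ICMP rule that
    matches a timestamp request (explicitly or as catch-all ICMP) decides."""
    for line in rules_text.splitlines():
        t = line.split()
        if t[:2] != ["-A", "INPUT"] or "-p" not in t or "-j" not in t:
            continue
        if t[t.index("-p") + 1] != "icmp":
            continue
        icmp_type = t[t.index("--icmp-type") + 1] if "--icmp-type" in t else None
        if icmp_type is None or icmp_type in TIMESTAMP_REQUEST:
            return t[t.index("-j") + 1] in ("DROP", "REJECT")
    return False  # no matching rule: chain policy (ACCEPT) answers the request

def audit_live():
    # Unknown sysctl value is treated as enabled, the conservative reading.
    value = PROC_TCP_TIMESTAMPS.read_text() if PROC_TCP_TIMESTAMPS.exists() else "1"
    try:
        rules = subprocess.run(["iptables", "-S", "INPUT"], capture_output=True,
                               text=True, check=False).stdout
    except FileNotFoundError:
        rules = ""
    return {"tcp_timestamps_enabled": tcp_timestamps_enabled(value),
            "icmp_timestamp_dropped": icmp_timestamp_dropped(rules)}

# Constructed samples. WEAK: a rate-limited ACCEPT for all ICMP precedes the DROP,
# so timestamp requests are still answered. HARDENED: type 13 is dropped first.
SAMPLE_WEAK = """-P INPUT ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j DROP"""
SAMPLE_HARDENED = """-P INPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j DROP"""

if __name__ == "__main__":
    print(audit_live())
```

Run it as root on the host being hardened; a `True` for tcp_timestamps_enabled or a `False` for icmp_timestamp_dropped means the corresponding item on the list above is still open.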

So, in principle, it is possible to defend against a Time Attack, and successfully, but much will depend on your vigilance and your willingness to dig into the technical documentation of the tools above and into the general material on time synchronization, attacks and countermeasures. In the end, this will be one of the last arrays of attack vectors used to establish identity after the events you are accused of (as a vector that attacks and causes damage directly, in the case of an attempted crime, it is rarely used). And of course your choice of operating system plays a big role in your information security; if you are on Windows or macOS, everything is bad.

All these tools and add-ons are already in Whonix (https://www.whonix.org/) and Qubes OS (https://www.qubes-os.org/).
We have analyzed both the attack vectors and the possibilities for defense, and most importantly, you now understand the logic of this attack vector.
