Time Attack myths and reality.

6 May 2023 7 minutes Author: D2-R2

Time Attack

In this section you will learn what a Time Attack (timing attack) is. Using an example, we will analyze how an attacker can find weaknesses in the security of a computer or a network. The topic is poorly covered on the Internet, and objectively even less so, so we will explain what it is and how it works in simple language with examples. We will play out a scenario in which you are an employee of a special service and your task is to identify a particularly dangerous criminal who is engaged in blackmail and who appears on the network only periodically and only to transmit data. We will also cover:

  • a service that helps to check whether an IP address was used as a node for transmitting Tor traffic;

  • how to check whether the Tor Browser is configured to work;

  • how to check whether a person is using a proxy, VPN or Tor;

  • what can get in the way of a timing attack and how to protect against it, including how to secure your messenger;

  • examples of Time Attack vectors, the Clock Leak Attack and protection against the clock leakage vector;

  • counter-measures against attacks that obtain CPU information from TCP ISNs: TCP timestamps and the kernel sysctl, iptables for limiting (blocking) incoming ICMP messages and traffic, and how to remove the timer output function from the Linux TCP ISN code.

After reading this article, you will understand what a Time Attack is and how to protect against it. If your messenger can hide your status information, use that for your safety.

A timing attack is a security exploit that allows an attacker to discover vulnerabilities in the security of a computer or network system by learning how long it takes the system to respond to various inputs. The timing characteristics will vary depending on the encryption key, as different systems take slightly different amounts of time to process different inputs. Variables include performance optimizations, branching and conditional statements, processor instructions, RAM, and cache access. A timing attack looks at how long it takes the system to do something and uses statistical analysis to find the correct decryption key and gain access.

We know that the target to be de-anonymized connected on 04/11/2022 at 11:07 AM and disconnected at 12:30 PM. In those time slots (+/- 5 minutes), about 3000 people across the country connected to and disconnected from the Tor network. We take those 3000 and check who reconnected at 14:17 and disconnected at 16:54; how many people do you think will be left? Step by step the circle narrows, and in the end you will be able to determine the point from which your victim or criminal exits to the network. The more often he goes online and the fewer other users there are at that moment, the faster the timing attack works.

Now you have a log of his activity for several days in your hands; it is time to use the ORM system (operational and search measures). Similar systems are at the disposal of the special services of most countries; in Russia it is SORM. You need to find out who was connected to the Tor network in your country during these time frames, +/- 5 minutes. Each additional day of activity is matched in the same way: the candidates that remain after the first day are checked against the connection and disconnection times of the next, and the circle narrows further with every session.

Examples

  • metrics.torproject.org: checks whether an IP address was used as a node (relay) in the Tor onion network.

  • check.torproject.org: checks whether the Tor Browser is configured to work.

  • ipqualityscore.com: finds out whether a person is using a proxy, VPN or Tor.

What can get in the way of a timing attack

  • Constantly changing the network exit point makes such an attack pointless. If the target changes exit points only periodically, this can make the search harder, but it is an option that is anticipated in advance and is unlikely to confuse the system.

  • I hope our reader is not a wanted criminal and will not have to wander from one cafe with public Wi-Fi to another. However, the second tip against a timing attack should be used by everyone: turn off status transmission at the messenger level or set a permanent “offline” status. Most messengers provide one of these options. For thematic forums, the logic is the same.

If your messenger can hide your status information, hide it.

  • An additional protection against a timing attack is to stop launching the messenger at the same moment you connect to the network. As the description of the attack shows, what is compared is the time of entering/leaving the network and the time of appearing online/going offline in the messenger. With forums, log in and out ahead of time, apart from your network connection and disconnection, and you avoid the timing attack.

  • A delay is allowed, but it should be very large. If the target of the attack connects to Tor and launches the messenger only an hour later, it will be very difficult to link the network login with the status in the messenger; the same applies to the forum.
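To make the narrowing logic and the counter-measures above concrete, here is an added simulation (not code from the article or from any tool it mentions): a constructed population of 3000 Tor users who all matched the morning window, the target's two messenger windows from the scenario, and a `narrow` step that keeps only users with a Tor session consistent with every window at a +/- 5 minute tolerance. The function names, the seed and the generated sessions are all assumptions; `decoupled_target` models the advice to connect to Tor well before going online and disconnect well after.

```python
import random
from datetime import datetime, timedelta

DAY = datetime(2022, 4, 11)
TOL = timedelta(minutes=5)

def t(hh, mm):
    return DAY + timedelta(hours=hh, minutes=mm)

# Messenger status windows (online, offline) observed for the target: the times from the scenario.
OBSERVED = [(t(11, 7), t(12, 30)), (t(14, 17), t(16, 54))]

def consistent(session, window, tol):
    """A Tor session (connect, disconnect) fits a messenger (online, offline)
    window when both edges lie within +/- tol of each other."""
    return abs(session[0] - window[0]) <= tol and abs(session[1] - window[1]) <= tol

def narrow(candidates, observed, tol=TOL):
    """Keep users that have a Tor session consistent with every observed window;
    each extra observation shrinks the circle."""
    return [u for u, sessions in candidates.items()
            if all(any(consistent(s, w, tol) for s in sessions) for w in observed)]

def build_candidates(n=3000, seed=1):
    """Constructed population (assumption): all n users already matched the morning
    window, like the 3000 in the scenario; their afternoon sessions are random."""
    rng = random.Random(seed)
    jitter = lambda: timedelta(minutes=rng.uniform(-5, 5))
    users = {}
    for i in range(n):
        morning = (t(11, 7) + jitter(), t(12, 30) + jitter())
        start = t(13, 0) + timedelta(minutes=rng.randint(0, 300))
        users[f"user{i}"] = [morning, (start, start + timedelta(minutes=rng.randint(30, 240)))]
    return users

def coupled_target():
    # Messenger launched together with the Tor connection: the edges coincide.
    return {"target": list(OBSERVED)}

def decoupled_target(delay=timedelta(minutes=60)):
    # Counter-measure: connect an hour before going online, disconnect an hour after.
    return {"target": [(on - delay, off + delay) for on, off in OBSERVED]}

def demo():
    pool = build_candidates()
    coupled = narrow({**pool, **coupled_target()}, OBSERVED)      # target survives among a handful
    decoupled = narrow({**pool, **decoupled_target()}, OBSERVED)  # target no longer matches at all
    widened = narrow({**pool, **decoupled_target()}, OBSERVED, timedelta(minutes=65))  # hundreds match
    return coupled, decoupled, widened
```

With the decoupled target, the analyst must widen the tolerance to an hour to catch it, and at that tolerance hundreds of other users fit the same windows.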

Any analysis or gathering of information in OSINT is logic; never forget it!

There is also a clock leakage vector (Clock Leak Attack)

  • ICMP Timestamps

  • NTP Clients

  • TCP Initial Sequence Numbers (ISNs)

  • TCP Timestamps


Examples

  • Application-level Traffic

  • Denial of Service

  • Locating Onion Services

  • Remote Code Execution

  • Remote Device Fingerprinting

  • Replay Attacks

Protection against clock leakage vectors

For details on time synchronization mechanisms, see the Whonix documentation. The most interesting thing is that there is protection against this vector, and that is what we will focus on. sdwdate is the tool mostly used to fight it. It is used together with software that, at boot time, randomly (not infrequently pseudo-randomly) moves the clock several seconds and nanoseconds into the past or future, otherwise known as Boot Clock Randomization, although sdwdate performs a similar function (to some extent). In this way you can confidently protect yourself against fingerprinting based on the time base and against determining the connection time, which I wrote about above. The main thing is to use sdwdate (which also randomizes the system clock); by the way, it is much safer than using programs that synchronize and set the system time.

But, as practice has shown, sdwdate can randomize the clock incorrectly, so it is better to use it together with the boot-time clock randomization mentioned above.

Counter-measures against attacks that obtain CPU information from TCP ISNs have been developed:

Tirdad https://github.com/Whonix/tirdad

It is also better to:

  • disable TCP timestamps using the kernel sysctl;

  • not forget to use iptables to restrict (block) incoming ICMP messages and traffic;

  • remove the timer output function from the Linux TCP ISN code (tirdad, cited above, does this, but you can handle it yourself).

So, in principle, it is possible to defend against a Time Attack, and successfully; much will depend on your vigilance and your willingness to dig into the technical documentation of the tools above and into the general material on time synchronization, attacks and countermeasures. In the end, this will be one of the last groups of attack vectors used to establish identity after the events you are accused of (as a vector that itself attacks and causes damage, as in an attempted crime, it is rarely used). And of course, in terms of your information security, the choice of operating system plays a big role: if you are on Windows or macOS, everything is bad.

All these tools and add-ons are already in Whonix (https://www.whonix.org/) and Qubes OS (https://www.qubes-os.org/). We have analyzed both the attack vectors and the possibilities for defense, and most importantly, you now understand the logic of this attack vector.
