GitLab

TCP Sequence Numbers seem to be one more way to leak the host clock on GNU/Linux systems. Its the last major vector in the literature thats not addressed yet.[1] The kernel embeds the system time in microseconds in TCP connections. Some opinions say the TCP ISNs are salted hashes and can't be abused but my impression from Steve Murdoch's papers are that its feasible and already carried out in his tests. [2][3]

There is no sysctl option to disable it and it must be patched upstream [4][5]

Nick has done exceptional work to get OpenSSL upstream to throw out mandatory timestamping in the protocol. TAILS and Whonix disable TCP Timestamps in the kernel sysctl. TCP Timestamps are a different vector from TCP ISNs discussed here - it would be great if upstream kernel disables this as well so all distros have it.

[1]https://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf [2]http://caia.swin.edu.au/talks/CAIA-TALK-080728A.pdf [3]http://www.cl.cam.ac.uk/~sjm217/papers/ih05coverttcp.pdf [4]https://stackoverflow.com/a/12232126 [5]http://lxr.free-electrons.com/source/net/core/secure_seq.c?v=3.16

Trac:
Username: source