Sundials in the Shade

An Internet-Wide Perspective on ICMP Timestamps
  • Erik C. Rye
  • Robert Beverly
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11419)


ICMP timestamp request and response packets have been standardized for nearly 40 years, but have no modern practical application, having been superseded by NTP. However, ICMP timestamps are not deprecated, suggesting that while hosts must support them, little attention is paid to their implementation and use. In this work, we perform active measurements and find 2.2 million hosts on the Internet responding to ICMP timestamp requests from over 42,500 unique autonomous systems. We develop a methodology to classify timestamp responses, and find 13 distinct classes of behavior. Not only do these behaviors enable a new fingerprinting vector, some behaviors leak important information about the host, e.g., OS, kernel version, and local timezone.


Network Time ICMP Fingerprinting Security 



We thank Garrett Wollman, Ram Durairajan, and Dan Andersen for measurement infrastructure, our shepherd Rama Padmanabhan, and the anonymous reviewers for insightful feedback. Views and conclusions are those of the authors and not necessarily those of the U.S. government.



Copyright information

© This is a U.S. government work and not under copyright protection in the United States; foreign copyright protection may apply 2019

Authors and Affiliations

  1. Naval Postgraduate School, Monterey, USA
