
Sundials in the Shade

An Internet-Wide Perspective on ICMP Timestamps
  • Erik C. Rye
  • Robert Beverly
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11419)

Abstract

ICMP timestamp request and response packets have been standardized for nearly 40 years, but have no modern practical application, having been superseded by NTP. However, ICMP timestamps are not deprecated, suggesting that while hosts must support them, little attention is paid to their implementation and use. In this work, we perform active measurements and find 2.2 million hosts on the Internet responding to ICMP timestamp requests from over 42,500 unique autonomous systems. We develop a methodology to classify timestamp responses, and find 13 distinct classes of behavior. Not only do these behaviors enable a new fingerprinting vector, some behaviors leak important information about the host, e.g., OS, kernel version, and local timezone.

Keywords

Network Time ICMP Fingerprinting Security 

Notes

Acknowledgments

We thank Garrett Wollman, Ram Durairajan, and Dan Andersen for measurement infrastructure, our shepherd Rama Padmanabhan, and the anonymous reviewers for insightful feedback. Views and conclusions are those of the authors and not necessarily those of the U.S. government.


Copyright information

© This is a U.S. government work and not under copyright protection in the United States; foreign copyright protection may apply 2019

Authors and Affiliations

  1. Naval Postgraduate School, Monterey, USA
