Okay, so my last post on timing precision was interesting, but then I went back and started doing more thinking and I found a few ways to get even better precision out of a typical timing attack. Let’s look at a real world HTTP request and response:
Packet: 1, Time: 0.000000 DNS Query (outbound)
Packet: 2, Time: 0.101079 DNS Response (inbound)
Packet: 3, Time: 0.103195 SYN (outbound)
Packet: 4, Time: 0.147479 SYN+ACK (inbound)
Packet: 5, Time: 0.147536 ACK (outbound)
Packet: 6, Time: 0.147801 HTTP request (outbound)
Packet: 7, Time: 0.327528 ACK (inbound)
Packet: 8, Time: 0.825132 TCP segment HTTP response (inbound)
Packet: 9, Time: 0.826323 HTTP Response (inbound)
Packet: 10, Time: 0.826416 ACK (outbound)
Now normally a timing attack would encompass this entire mess, but really we are only interested in a few time slices. We can completely disregard the DNS request and indeed up until the seventh packet, which is the acknowledgment that the packet was received (when we know that our packet has arrived and is in the process of being served up). That right there shaves 1/3 of a second off of my example (this was a real example, btw).
And again, when we are receiving the response, we don’t actually care about the last two packets, only the 8th packet (the returned data). The difference between packet 7 and packet 8 is what we are actually interested in. By combining this with the technique from the previous post (finding the exact arrival time by calculating the timer precision), you can identify exactly when the 6th packet arrived at the server, and not just when you got your ACK in the 7th packet. The ACK is important, but it gives you a slightly skewed result since it is a timestamp based on when you received it and not on when it was sent, unlike the Date: HTTP header that you receive in the 8th packet.
If you don’t look at the packet level information you are introducing up to 1/3rd of a second of noise into only .826 seconds on the first request, and still a few extra milliseconds even if you discount the DNS request. Point being there are certainly some enhancements to be made to the old timing attacks of yesteryear. Looks like a tool waiting to be made…
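As an added example (not code from the original post), here is a small script that parses a packet listing in the format shown above and splits it into the time slices the post describes, so you can see how much of the naive end-to-end time is DNS, handshake and network round trip rather than server processing. The sample trace reuses the post's own timings; the slice names and the helper functions are my own.

```python
import re

# The post's packet listing, embedded here as constructed sample input.
SAMPLE_TRACE = """
Packet: 1, Time: 0.000000 DNS Query (outbound)
Packet: 2, Time: 0.101079 DNS Response (inbound)
Packet: 3, Time: 0.103195 SYN (outbound)
Packet: 4, Time: 0.147479 SYN+ACK (inbound)
Packet: 5, Time: 0.147536 ACK (outbound)
Packet: 6, Time: 0.147801 HTTP request (outbound)
Packet: 7, Time: 0.327528 ACK (inbound)
Packet: 8, Time: 0.825132 TCP segment HTTP response (inbound)
Packet: 9, Time: 0.826323 HTTP Response (inbound)
Packet: 10, Time: 0.826416 ACK (outbound)
"""

LINE_RE = re.compile(r"Packet:\s*(\d+),\s*Time:\s*([\d.]+)\s+(.+)")

def parse_trace(text):
    """Parse 'Packet: N, Time: T label (direction)' lines into (num, time, label) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), float(m.group(2)), m.group(3)))
    return out

def _first_after(packets, start, pred):
    """Index of the first packet after index `start` whose label satisfies `pred`."""
    for i in range(start + 1, len(packets)):
        if pred(packets[i][2].lower()):
            return i
    raise ValueError("expected packet not found after index %d" % start)

def time_slices(packets):
    """Split one request into the slices the post discusses (seconds)."""
    labels = [p[2].lower() for p in packets]
    req = next(i for i, l in enumerate(labels) if l.startswith("http request"))
    ack = _first_after(packets, req, lambda l: l.startswith("ack (inbound)"))
    resp = _first_after(packets, ack, lambda l: "http response" in l)
    first_t, last_t = packets[0][1], packets[-1][1]
    return {
        "total": round(last_t - first_t, 6),                                   # naive measurement
        "before_request": round(packets[req][1] - first_t, 6),                  # DNS + TCP handshake
        "request_to_ack": round(packets[ack][1] - packets[req][1], 6),          # one network round trip
        "server_processing": round(packets[resp][1] - packets[ack][1], 6),      # packet 7 -> packet 8
        "after_response": round(last_t - packets[resp][1], 6),                  # trailing ACKs
    }

def noise_fraction(slices):
    """Share of the naive end-to-end time that is not server processing."""
    return round(1 - slices["server_processing"] / slices["total"], 3)
```

On the post's trace, roughly 40% of the .826 seconds is network and handshake overhead that a packet-level measurement discards.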