UDP Traffic Fingerprinting Attack

Will add to:

All UDP traffic can be fingerprinted and linked to the same kernel/machine for its runtime duration. The key is reset on restart.

This does not apply to TCP traffic and therefore stuff over Tor.

The net namespace of the kernel context is included in the hash calculation that is used for the IP ID field of UDP packets. Since 4.1 CONFIG_NET_NS. Works in the wild. Applies to Android.

Mitigations need changes to the kernel code itself. Yet

“From IP ID to Device ID and KASLR Bypass (Extended Version)”

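To see why a 32-bit per-boot secret in the ID hash behaves like a device identifier, here is an added, simplified Python model of the pre-fix Linux IPv4 ID path (jhash over daddr, saddr, proto ^ net_hash_mix, indexed into a 2048-entry counter table). It is not kernel code and not from this thread or the paper; the addresses, secret and namespace mix value are constructed.

```python
"""Simplified model of the pre-fix Linux IPv4 ID selection (constructed
example, not kernel code): which flows share an ip_idents[] counter is a
deterministic function of a 32-bit per-boot secret, so the collision
pattern stays the same until the machine reboots."""
import ipaddress

IP_IDENTS_SZ = 2048          # size of the kernel's ip_idents[] counter table
JHASH_INITVAL = 0xDEADBEEF   # lookup3 initial value used by the kernel's jhash
M = 0xFFFFFFFF

def rol32(x, k):
    return ((x << k) | (x >> (32 - k))) & M

def jhash_3words(a, b, c, initval):
    """Port of the kernel's jhash_3words() (lookup3 final mix only)."""
    initval = (initval + JHASH_INITVAL + (3 << 2)) & M
    a, b, c = (a + initval) & M, (b + initval) & M, (c + initval) & M
    c ^= b; c = (c - rol32(b, 14)) & M
    a ^= c; a = (a - rol32(c, 11)) & M
    b ^= a; b = (b - rol32(a, 25)) & M
    c ^= b; c = (c - rol32(b, 16)) & M
    a ^= c; a = (a - rol32(c, 4)) & M
    b ^= a; b = (b - rol32(a, 14)) & M
    c ^= b; c = (c - rol32(b, 24)) & M
    return c

def ip4(s):
    # Host-order integer; the kernel feeds the raw wire word, which only
    # permutes bytes and does not change the property modelled here.
    return int(ipaddress.IPv4Address(s))

def ident_bucket(daddr, saddr, proto, net_hash_mix, hashrnd):
    """Index into ip_idents[] that IDs for this flow are drawn from."""
    h = jhash_3words(ip4(daddr), ip4(saddr), proto ^ net_hash_mix, hashrnd)
    return h % IP_IDENTS_SZ

def bucket_map(dsts, saddr, proto, net_hash_mix, hashrnd):
    """Destination -> bucket for one (secret, namespace) combination."""
    return {d: ident_bucket(d, saddr, proto, net_hash_mix, hashrnd) for d in dsts}

def collision_pairs(dsts, saddr, proto, net_hash_mix, hashrnd):
    """Destination pairs that share a counter: the per-boot fingerprint."""
    b = bucket_map(dsts, saddr, proto, net_hash_mix, hashrnd)
    return sorted((x, y) for x in dsts for y in dsts if x < y and b[x] == b[y])

if __name__ == "__main__":
    dsts = ["198.51.100.%d" % i for i in range(1, 255)]   # constructed
    print(collision_pairs(dsts, "192.0.2.10", 17, 0x1234, 0xCAFEBABE))
```

Changing `hashrnd` (a reboot) or the namespace mix reshuffles the pairs, which is why the thread notes the key resets on restart and why the fix moves these inputs to proper entropy.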

Link to the paper: https://www.usenix.org/system/files/sec19-klein.pdf

It seems to be fixed now by randomizing the IDs https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92

Edit: the fix seems to have been backported to Debian kernels already https://lists.debian.org/debian-lts-announce/2019/07/msg00022.html


Great, saves me a lot of work, and now I need to update my VMs.
