Via Slashdot: A San Diego research team has developed a method for extracting information about a machine from the timestamps contained in the TCP packets it sends. In summary:
- Machines will include timestamps in each TCP packet as an option (RFC 1323: TCP Extensions for High Performance) which for most machines is negotiated by default.
- Windows machines don't negotiate this option by default in their initial SYN, but will turn it on if the SYN/ACK sets it (deliberately deviating from the RFC).
- By comparing the TCP timestamps to a local clock, and allowing for network latency and other factors, you can obtain a fairly accurate estimate of the remote machine's clock skew (how the clock drifts over time), expressed in µs/s.
- A given machine has a constant clock skew, and different machines have different clock skews.
- Synchronising the machine's system time (e.g. by NTP) doesn't help, because the TCP timestamp clock is separate from the system clock (TCP makes very few demands about how the TCP timestamp needs to follow actual time).
This clock skew estimation technique works with any protocol that leaks clock information, not just TCP. It doesn't provide a positive identification on its own (there are millions of machines on the Internet, and many of them have identical clock skews within measurable limits). It can provide a negative result though: one can say that two traces with different clock skews belong to two different machines. The paper mentions applications in honeypot detection and counting machines behind NATs.
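The estimation step described above, as an added example that is not part of the original post or of the San Diego paper's own code. It assumes the trace is already reduced to (local receive time in seconds, TSval) pairs and that the remote tick rate in Hz is known; it fits an ordinary least-squares line to the offset between remote and local elapsed time, which is simpler than the paper's delay-tolerant lower-bound fit but illustrates the same idea. The trace data is constructed, not captured, and the function names are this example's own. It also shows the negative-only comparison: two traces with clearly different skews cannot come from one machine, while matching skews prove nothing.

```python
"""Estimate a remote host's TCP-timestamp clock skew from a packet trace.

Added example: assumed inputs are (local_receive_time_seconds, TSval)
pairs plus the remote TSval tick rate in Hz. The fit is ordinary least
squares rather than the paper's linear-programming lower-bound fit.
"""
import random

TS_MOD = 1 << 32  # TSval is a 32-bit counter that wraps around


def tsval_delta(later, earlier):
    """Ticks elapsed between two TSvals, tolerating 32-bit wrap-around."""
    return (later - earlier) % TS_MOD


def estimate_skew_ppm(samples, hz):
    """Return the remote clock's skew relative to ours in microseconds per second.

    For each packet we compute how far the remote timestamp clock has advanced
    beyond our own clock since the first packet; the slope of that offset over
    local time is the skew. A constant network latency cancels out because only
    differences matter; jitter appears as noise that the fit averages away.
    """
    if len(samples) < 2:
        raise ValueError("need at least two packets")
    t0, v0 = samples[0]
    xs, ys = [], []
    for t, v in samples:
        x = t - t0                        # local elapsed seconds
        y = tsval_delta(v, v0) / hz - x   # remote elapsed minus local elapsed
        xs.append(x)
        ys.append(y)
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6  # slope in s/s, scaled to µs/s (ppm)


def definitely_different_hosts(skew_a_ppm, skew_b_ppm, tolerance_ppm=5.0):
    """Negative identification only: True means the two traces cannot come from
    the same physical machine; False means 'no conclusion', not 'same host'."""
    return abs(skew_a_ppm - skew_b_ppm) > tolerance_ppm


def synthetic_trace(true_skew_ppm, hz, seconds=3600, interval=10, seed=0):
    """Constructed trace (not captured data): a remote timestamp clock running
    true_skew_ppm fast or slow, one packet every `interval` seconds, observed
    through 40 ms of latency plus up to 5 ms of jitter. The TSval starts just
    below the 32-bit boundary so the wrap-around handling is exercised."""
    rng = random.Random(seed)
    base_tsval = 0xFFFFFF00
    trace = []
    for k in range(0, seconds + 1, interval):
        remote_elapsed = k * (1 + true_skew_ppm * 1e-6)
        tsval = (base_tsval + int(remote_elapsed * hz)) % TS_MOD
        receive_time = 1_700_000_000.0 + k + 0.040 + rng.uniform(0, 0.005)
        trace.append((receive_time, tsval))
    return trace


if __name__ == "__main__":
    hz = 100  # assumed tick rate of the remote TSval clock
    a = estimate_skew_ppm(synthetic_trace(50.0, hz, seed=0), hz)
    b = estimate_skew_ppm(synthetic_trace(-120.0, hz, seed=1), hz)
    c = estimate_skew_ppm(synthetic_trace(50.0, hz, seed=7), hz)
    print(f"trace A skew: {a:+.2f} ppm")
    print(f"trace B skew: {b:+.2f} ppm")
    print(f"A and B from different hosts? {definitely_different_hosts(a, b)}")
    print(f"A and C from different hosts? {definitely_different_hosts(a, c)}")
```

Two points the code makes concrete: the TSval tick rate must be known or inferred before ticks can be converted to seconds (the page notes it differs by OS), and the result of `definitely_different_hosts` is only ever a rejection. Matching skews within the tolerance leave the question open, which is exactly the limit the post describes.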