High-resolution network monitoring with ping
Future
Measuring network latency with ping reveals a potential that has, surprisingly, gone largely unused so far. Attacks that insert an extra hop into the path, such as sniffing mobile phone calls through an intermediate IMSI catcher, would thus become detectable cheaply and unobtrusively by the latency they add, even where tools such as traceroute cannot reveal the extra hop. You can also use pings for rough localization or to estimate cable length. By measuring how the RTT depends on packet length, you can separate latency caused by cable length or distance (propagation delay, which does not change with packet size) from latency caused by devices such as store-and-forward switches (serialization delay, which grows with every byte and with every hop).
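The separation described above, worked through as an added example (this is not code from the article or from Pinger): a least-squares fit of RTT against packet size gives a size-independent intercept and a per-byte slope; the slope divided by the serialization cost of one store-and-forward stage tells you how many such stages the path has, and the intercept bounds the cable length. The measurements, the 100 Mbit/s link rate and the 5 ns/m propagation figure are assumptions constructed for the example.

```python
"""Decompose ping RTT into a size-independent part and a per-byte part.

Added example for this article, not part of Pinger. The measurements below
are constructed by hand to resemble a 100 Mbit/s Ethernet path: a fixed
50 us plus three store-and-forward stages per direction (sending NIC and
two switches), with a few tenths of a microsecond of noise added."""


# Constructed samples: (ICMP payload bytes, measured RTT in microseconds).
SAMPLES = [
    (56, 77.2), (128, 111.9), (256, 172.5), (512, 296.1),
    (768, 418.4), (1024, 541.8), (1280, 665.0), (1472, 756.9),
]


def fit_line(points):
    """Ordinary least squares for y = intercept + slope * x."""
    n = len(points)
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    sxy = sum(x * y for x, y in points)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    intercept = (sy - slope * sx) / n
    return intercept, slope


def stages_per_direction(slope_us_per_byte, link_mbit):
    """Every store-and-forward stage (the sending NIC and each switch) has to
    clock the whole frame out again, so each one adds 8/rate microseconds
    per byte in each direction of the round trip."""
    per_stage_us = 8.0 / link_mbit
    return slope_us_per_byte / (2.0 * per_stage_us)


def cable_upper_bound_m(intercept_us, ns_per_m_one_way=5.0):
    """If the whole fixed part were propagation delay in copper (about 5 ns/m
    one way, so about 10 ns/m of RTT), this is how long the path could be.
    Device processing time is also in the intercept, so the real cable is
    no longer than this."""
    return intercept_us * 1000.0 / (2.0 * ns_per_m_one_way)


def analyse(samples=SAMPLES, link_mbit=100):
    intercept, slope = fit_line(samples)
    return {
        "fixed_us": round(intercept, 1),
        "per_byte_us": round(slope, 4),
        "stages": round(stages_per_direction(slope, link_mbit), 1),
        "cable_upper_bound_m": round(cable_upper_bound_m(intercept)),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

Run against real data, collect each size several times and use the minimum RTT per size, so that the fit reflects the path rather than the load on the target; the intercept is only an upper bound on cable length because the fixed per-packet processing of every device sits in the same term.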
In principle, attackers can also manipulate pings, either by copying a request and returning a reply with the desired latency themselves or by filtering out the pong from the real target machine to disguise their presence. This rarely pays off, however: copying, computing, and returning the reply costs extra effort, and it is virtually impossible to manipulate every kind of ping (ICMP, ARP, HTTP, IPMI, and so on) consistently.
If you want protection against counterfeit replies, you could ping with an encrypted timestamp. On the target machine, you would store the encrypted current date and time in the foo.bar
file, fetch it with a timed request, such as
time wget ftp://10.45.67.89/tmp/foo.bar
and check that the contents were produced with the correct key and carry the current time. Note that encryption alone only hides the timestamp; to rule out forgery, the value also needs to be authenticated (a MAC over the timestamp, or an authenticated encryption mode), and the file must be rewritten often enough that a captured copy goes stale before an attacker can replay it.
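As an added example (not from the article or from Pinger), here is that freshness check with an HMAC over the timestamp in place of plain encryption, because authenticity is what the check needs and an unauthenticated ciphertext of a predictable plaintext can be altered without the key. Both roles are in one script so it runs offline; the shared key, the token format and the fetch callback are assumptions.

```python
"""Forgery-resistant ping token: the target publishes a timestamp with an HMAC
over it, the monitor times the fetch and checks the MAC and the freshness.

Added example for this article, not Pinger's code. The shared key, the token
format and the fetch callback are assumptions."""
import hashlib
import hmac
import time

KEY = b"shared-secret-known-only-to-monitor-and-target"  # assumption
MAX_AGE_S = 2.0  # reject tokens older than this (or from the future)


def make_token(key=KEY, now=None):
    """Target side: produce the line to write into the fetched file.
    Format: '<unix time> <hex HMAC-SHA256 over that timestamp>'."""
    ts = f"{time.time() if now is None else now:.6f}"
    mac = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts} {mac}"


def check_token(token, key=KEY, now=None, max_age=MAX_AGE_S):
    """Monitor side: returns (ok, reason). The MAC is verified before the
    timestamp is trusted, with a constant-time comparison."""
    now = time.time() if now is None else now
    parts = token.split()
    if len(parts) != 2:
        return False, "malformed"
    ts, mac = parts
    expect = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expect):
        return False, "bad mac"          # forged, tampered, or wrong key
    try:
        age = now - float(ts)
    except ValueError:
        return False, "malformed"
    if age < 0 or age > max_age:
        return False, "stale or future"  # replayed old copy, or clock skew
    return True, "fresh"


def timed_fetch(fetch, key=KEY):
    """Time the transfer the way `time wget ...` does and validate the token.
    `fetch` is whatever retrieves the file from the target (assumption: a
    callable returning the file contents as a string)."""
    t0 = time.perf_counter()
    token = fetch()
    rtt = time.perf_counter() - t0
    ok, reason = check_token(token, key)
    return rtt, ok, reason


if __name__ == "__main__":
    # Local round trip against an in-process "target" so the script runs offline.
    rtt, ok, reason = timed_fetch(make_token)
    print(f"{rtt * 1e6:.1f} us, {reason}")
```

The max_age window has to cover the cron or loop interval that rewrites the file on the target plus the clock skew between the two hosts; a replayed copy fails the age check, a reply fabricated by a middlebox fails the MAC.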
Electric Data
Electrical data would be desirable as well; a network admin can often use it to track down passive sniffing or to locate wire breaks more precisely. Only a small number of network devices support this. A few cards with a Marvell chip can deliver electrical data with special software such as the Marvell Virtual Cable Tester; the output is not very detailed, but of the type good (link established), mismatch (impedance mismatch), or wire break at n meters (accurate to about 1 meter).
The 3Com Advanced Server Control Suite for network cards such as the 3Com 3C996B goes further. Using the frequency dependence of cable attenuation and return loss, you can demonstrate minor manipulations after the fact, such as swapping a cable for another of the same length but with different electrical properties.
Comment
Basing monitoring on ping times is without a doubt an original idea, and the idea will probably work – in the laboratory. In practice, though, a few obstacles seem to exist that certainly cannot be easily avoided. What are these?
The fluctuations in the ping round trip time when pinging servers with different load levels can be quite a bit larger than the run-time differences (e.g., those a rogue router would cause). This would lead to false positives – unless the trigger threshold were set so high that you could not detect any anomalies.
The author suggests computing the average server load, but in a sense this takes you from the frying pan into the fire: You then subtract another mean value (i.e., the daily mean load curve) from an artificially smoothed RTT (itself a kind of mean value). However, every mean value destroys information – in this case, because the variance is also squashed. The result is a highly idealized and far too narrow value corridor that does not accurately reflect the possible manifestations and, with timing values given to several decimal digits, pretends to an accuracy that is not actually justified.
There is one more thing. The ICMP ping test utility not only reveals whether a network device at a specific address is reachable, but it also allows a kind of fingerprinting, which, for example, allows conclusions to be drawn about the operating system. It thus provides valuable information to potential attackers. Administrators who do not want to reveal this will tend to ban ICMP echo replies with a firewall rule, which would also rule out the kind of monitoring described in this article.
– Jens-Christoph Brendel, Medialinx AG editor
Author's Response
To calculate latencies caused by the CPU load, network load, and perhaps other sources, the subtraction must be done with current values. Therefore, for the RTT value measured at t = 1,000s, the additional-latency value at t = 1,000s must be subtracted to obtain the net RTT value.
Of course, this is not perfect, but it is a good approximation and gives good accuracy. Pinger is a successful proof of concept and is just the start of high-resolution pinging in software only, without the need for special hardware.
Infos
- Linux iputils: http://www.skbuff.net/iputils/
- Arping: http://www.habets.pp.se/synscan/programs.php?prog=arping
- httping: http://www.vanheusden.com/httping
- ipmiping: http://www.gnu.org/software/freeipmi/
- Pinger and plotting script: https://sslsites.de/www.true-random.com/homepage/projects/pinger/
- MRTG: http://oss.oetiker.ch/mrtg/
- "Lokalisierung durch Messung von WLAN-Signallaufzeiten" [Localization by measuring the WiFi signal run times] by Mario Haustein. Linux-Tage 2011, http://chemnitzer.linux-tage.de/2011/vortraege/653 (in German)