TR-14-03: On the Evasion of Delay-Based IP Geolocation

Abstract

We explain a newly found vulnerability that allows circumvention of commonly used delay-based geolocation techniques that use ping or traceroute to sample delays. Attacks may leverage the echo request/reply type of the ICMP protocol. ICMP?s echo request/reply protocol does not specify a mechanism to measure the delays between network nodes. Consequently, different implementations exist on different platforms to achieve this functionality. Other work in literature presented an adversary that can only increase the round trip times by delaying the echo reply messages. However, as we explain, current implementations of ping and traceroute also allow an adversary to decrease the round trip time, enabling it to evade delay-based geolocation techniques with high accuracy. We evaluate the effect of this attack on two delay-based techniques, and analyze an adversary?s evasion capabilities, given its ability to also decrease the observed delays between itself and the set of landmarks conducting the geolocation process.

TR-14-03.pdf