Fingerprinting Violating Machines with TCP Timestamps

Cyber crime has increased as a side effect of the dramatic growth in Internet deployment. Identifying machines that are responsible about crimes is a vital step in an attack investigation. Tracking the IP address of the attacker to its origin is indispensable. However, apart from finding the attacker's (possible) machine, it is inevitable to provide supportive proofs to bind the attack to the attacker's machine, rather than depending solely on the IP address of the attacker, which can be dynamic. This paper proposes to implant such supportive proofs by utilizing the timestamps in the TCP header. Our results show that unique timestamps can be recovered in target machines. In addition, because a violator is unaware of (and has no control over) the internals of the TCP, the investigation process is empowered with stealth. To the best of our knowledge, we are the first to utilize protocol remnants in fingerprinting violating machines.