liarsping - Faking ping times for fun and (no) profit
In my ongoing quest to resurrect and finish abandoned projects, I present liarsping…
According to man ping, ping first appeared in 4.3BSD which was released in 1986. Its main use (for me at least) is to see if a remote machine is reachable, with the secondary goal of seeing how far away that machine is in terms of latency. It’s the second goal I’m going to mess with here.
There seem to be two different ways used to calculate the round trip latency in a ping. The first (used by Linux and Mac OS) is to encode the current timestamp into the outgoing ICMP ECHO packet, then when it comes back, calculate the difference between the current system time and the timestamp in the returned packet. The second (used by Windows) is to store locally the timestamp of the outgoing ping message against an ID, send the sequence number and then look up the send timestamp when the reply comes back. Windows uses a monotonically increasing sequence number for the ID.
Both of these systems can be gamed by a naughty ICMP ECHO server to return not just bigger ping times (add a delay in responding, not very interesting), but also a smaller ping time.
Linux
This is pretty trivial - add some time onto the timestamp before echoing it back. The client doesn’t validate anything, so if you add 10ms, the client will report a 10ms shorter ping time. Most Linux servers are synced to an NTP server, so the clock time on the client and server will likely be very close. This additionally allows us to make a good guess at the real latency from the server side, and knock off the right amount of latency to achieve whatever number we want the client to see.
Windows
Because Windows sends a predictable sequence of pings, we can send the reply before we get the message. By default, ping sends a message per second, so if we want to shave 10ms from the ping time, we send the next response 990ms after the last one. This will work for everything except the first packet which we can either drop, or answer honestly.
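Both tricks rely on the client trusting bytes the responder controls or can predict. As an added example (not code from liarsping or from any real ping implementation), this Python sketch shows a client that takes the RTT from its own send record and only accepts a reply that echoes an unpredictable payload. It goes beyond the post in adding a random nonce; EchoTracker, as_reply and the payload layout are assumptions made for illustration.

```python
import os
import struct

HEADER = struct.Struct("!BBHHH")  # ICMP type, code, checksum, identifier, sequence
STAMP = struct.Struct("!d")       # assumed payload layout: send time, then nonce

class EchoTracker:
    """Client-side bookkeeping for echo requests (hypothetical helper)."""

    def __init__(self, ident):
        self.ident = ident
        self.pending = {}  # seq -> (local send time, exact payload sent)

    def build_request(self, seq, now):
        # The 8-byte random nonce makes the payload unpredictable to the responder.
        payload = STAMP.pack(now) + os.urandom(8)
        self.pending[seq] = (now, payload)
        return HEADER.pack(8, 0, 0, self.ident, seq) + payload  # checksum left at 0

    @staticmethod
    def naive_rtt(reply, now):
        """Trusts the echoed timestamp, as the post describes for Linux and Mac OS."""
        (sent,) = STAMP.unpack_from(reply, HEADER.size)
        return now - sent

    def checked_rtt(self, reply, now):
        """Returns (rtt, verdict); the RTT is computed from the local send record."""
        icmp_type, _code, _csum, ident, seq = HEADER.unpack_from(reply)
        if icmp_type != 0 or ident != self.ident or seq not in self.pending:
            return None, "unsolicited"       # answers a request not sent yet
        sent, payload = self.pending[seq]
        if reply[HEADER.size:] != payload:
            return None, "payload-mismatch"  # timestamp or nonce was altered
        del self.pending[seq]
        return now - sent, "ok"

def as_reply(request, stamp_shift=0.0):
    """Constructed test input: an echo reply, optionally with a shifted timestamp."""
    _type, code, csum, ident, seq = HEADER.unpack_from(request)
    (sent,) = STAMP.unpack_from(request, HEADER.size)
    body = STAMP.pack(sent + stamp_shift) + request[HEADER.size + STAMP.size:]
    return HEADER.pack(0, code, csum, ident, seq) + body
```

A mismatching reply leaves the request pending, so a later genuine reply for the same sequence number is still accepted.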
Liarsping
I wrote a small test script in Rust about 2 years ago which proved to me that this works, but didn’t have the time to polish it and publish it.
Enter Claude..
I gave Claude my proof of concept and asked it to wrap it in config options and generally polish the code. The result is liarsping.
Try it out
Send ping requests to ping.pr0.uk. If you are sending from Windows, I’ve shaved off 20ms, and if you’re sending from Linux, I’ve shaved off 150% of the one way trip time according to the timestamp on my server.
Written by a human
For the avoidance of doubt, this post was not written with any help from any AI, even though the code was.
Thanks for reading