Time and Time Again: Leveraging TCP Timestamps to Improve Remote Timing Attacks
Vik Vanderlinden
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Network Security
Remote timing attacks are limited by network jitter, which adds noise to roundtrip time measurements and requires many observations to distinguish timing differences. This talk demonstrates that **TCP timestamps** -- an optional TCP feature enabled on **88% of internet hosts** -- can be leveraged to dramatically improve remote timing attack precision. By measuring the difference between server-side TCP timestamps on immediate acknowledgments versus responses, the attacker obtains **server-side processing time measurements** that are completely independent of network jitter.
AI review
A clean, practical improvement to remote timing attacks using TCP timestamps -- a feature enabled on 88% of internet hosts. The 5x-33x accuracy improvement is significant, the runtime multiplication via request coalescing is clever, and the first transatlantic Lucky 13 exploit is a strong demonstration. The distributable nature (circumventing rate limiting) adds a real operational advantage. This is exactly the kind of practical side-channel work that produces usable techniques.