nfqueue-packet-delay is a libnetfilter_queue handler intended to mitigate various timing attacks. It was created in particular to mitigate a covert channel based on the observation that ping latency is dependent on CPU usage.
This handler queues up all packets across a variable-length window; each window has its length chosen randomly from an interval specified as a command-line argument, with a default interval of [0.075s, 0.2s). This should make it very difficult to observe timing differences even up to the order of 100 microseconds; for larger timing differences, the default interval isn't adequate, and should be increased in both magnitude and range.
This mechanism could certainly be improved, but what we have now seems adequate. I did consider just adding a random delay to each packet, but that would be more complex (requiring state per packet), and I don't think it would really have any substantive benefits.
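The following is an added simulation of the windowed-release scheme described above; it is not the project's libnetfilter_queue handler and does not touch the network. It lays back-to-back windows over a timeline, each with a length drawn from the default [0.075s, 0.2s) interval, and releases every queued packet at the end of the window it arrived in. The packet timestamps and the fixed-seed xorshift PRNG are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Packet timestamps in microseconds (constructed for this example). */
typedef struct {
    uint64_t arrive_us;   /* when the packet entered the queue */
    uint64_t release_us;  /* when the handler issues the verdict */
} pkt_t;

/* Default window interval from the text: [0.075 s, 0.2 s). */
#define WIN_LO_US 75000ULL
#define WIN_HI_US 200000ULL

/* xorshift64 with a fixed seed so runs are reproducible (assumption: the
 * handler's real random source is not described here). */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;

static uint64_t prng_next(void)
{
    uint64_t x = prng_state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    prng_state = x;
    return x;
}

/* Draw one window length uniformly from [lo_us, hi_us). */
uint64_t draw_window_us(uint64_t lo_us, uint64_t hi_us)
{
    if (hi_us <= lo_us)
        return lo_us;
    return lo_us + prng_next() % (hi_us - lo_us);
}

/* Lay windows end to end over the timeline and release each packet at the
 * end of the window containing its arrival. Packets must be sorted by
 * arrive_us. Returns the number of windows spanned by the trace. */
size_t schedule_windows(pkt_t *pkts, size_t n, uint64_t lo_us, uint64_t hi_us)
{
    uint64_t win_end = draw_window_us(lo_us, hi_us);
    size_t windows = 1;

    for (size_t i = 0; i < n; i++) {
        /* advance to the window that contains this arrival */
        while (pkts[i].arrive_us >= win_end) {
            win_end += draw_window_us(lo_us, hi_us);
            windows++;
        }
        pkts[i].release_us = win_end;
    }
    return windows;
}

/* Two replies arriving 100 us apart (constructed). Because the shortest
 * window is 75 ms, both fall into the same window and leave together, so
 * the 100 us difference is invisible to a remote observer. */
uint64_t demo_same_window_delta_us(void)
{
    pkt_t p[2] = { { 1000, 0 }, { 1100, 0 } };
    schedule_windows(p, 2, WIN_LO_US, WIN_HI_US);
    return p[1].release_us - p[0].release_us;   /* 0 */
}

/* Invariants over a spread-out constructed trace: a packet is never released
 * before it arrives, is never held for a full hi_us, and release order
 * preserves arrival order. Returns 1 if every check holds. */
int demo_bounds_ok(void)
{
    pkt_t p[5] = { {0, 0}, {50000, 0}, {100000, 0}, {300000, 0}, {1000000, 0} };
    schedule_windows(p, 5, WIN_LO_US, WIN_HI_US);
    for (size_t i = 0; i < 5; i++) {
        if (p[i].release_us < p[i].arrive_us) return 0;
        if (p[i].release_us - p[i].arrive_us >= WIN_HI_US) return 0;
        if (i > 0 && p[i].release_us < p[i - 1].release_us) return 0;
    }
    return 1;
}

int main(void)
{
    printf("100 us arrival gap -> observed gap %llu us\n",
           (unsigned long long)demo_same_window_delta_us());
    printf("bounds ok: %d\n", demo_bounds_ok());
    return 0;
}
```

The point the simulation makes is the one the text relies on: a sub-window timing difference either collapses to zero (same window) or is replaced by a whole randomly-sized window, so the observer learns nothing about the original gap. The cost is visible in demo_bounds_ok: every packet is held for up to one window length, which is why the interval must be raised, not just widened, when the timing difference to hide is larger.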
Note that this has only been tested on Debian 8 and Ubuntu 16.04 on x64.
Use and download from git:
git clone https://github.com/ethan2-0/nfqueue-packet-delay && cd nfqueue-packet-delay
./build_package.sh (run as root)