The day my ping took countermeasures
4 hours ago
- #ping
- #network-debugging
- #time-synchronization
- The ping utility displays 'taking countermeasures' when the system clock is rolled backward, causing a negative RTT measurement that ping resets to zero.
- Ping uses two modes for timing: an old mode relying on wall clock (gettimeofday) and a default mode using network timestamps from SO_TIMESTAMP for better accuracy.
- Investigating ping's behavior required overcoming challenges like vDSO optimizations and suid/capabilities, using LD_PRELOAD and strace fault injection to simulate clock changes.
- Ping embeds the send timestamp in the ICMP payload, allowing RTT calculation without storing timestamps locally, but this makes it vulnerable to spoofed timestamps from malicious actors.
- Clock adjustments, such as leap seconds or NTP corrections, can cause ping to produce warnings or incorrect RTT values, though using monotonic clocks could mitigate some issues.