Created attachment 206377
The current implementation of ping(8) doesn't randomize ICMP timestamps. The attached patch addresses this. Due to the applied random offset, the system time isn't guessable by an attacker and OS detection is nearly impossible.
This change was inspired by OpenBSD's ping(8) implementation.
Why not remove 'now' entirely and use purely fictitious values for tv_sec and tv_usec? The code would be more straightforward.
I would think that "now" is necessary due to the calculation of the round trip time of the ICMP request and response packets. I would leave that patch as it is, also for the reason that OpenBSD is "running" with this change for a couple of years now.
So the random data in this case is being used as a one-time pad in a message to ourselves to provide privacy. The OTP is subject to forgery.
Since we're talking to ourselves, we have other options.
We could put a MAC on it to prevent forgery. Then we just have classic AEAD or EtM on the payload data ("now").
Or we could just keep a local association of random tokens to send times in the program (any map data structure), and just send the tokens and look up echo time on response.
The latter requires some modest memory use that doesn't seem to matter in typical ping use ("-i 1"). The former doesn't require the additional memory use.
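The Encrypt-then-MAC option from the previous comment, worked through in C as an added example. This is not code from the attached patch, from FreeBSD's or OpenBSD's ping(8), and the payload layout (8-byte per-packet nonce, 8-byte masked send time, 8-byte tag) and the choice of SipHash-2-4 as both keystream generator and MAC are assumptions made here. Both keys live only in the ping process, so a reply carrying a forged or altered payload fails the tag check, and a passive observer sees only the masked time.

```c
/* Encrypt-then-MAC for the "now" value in a ping(8) echo payload.
 * Added example; not ping(8), OpenBSD, or the attached patch. The
 * nonce||masked-time||tag layout is an assumption of this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); } while (0)

static uint64_t le64_load(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

static void le64_store(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* SipHash-2-4 with 64-bit output (Aumasson and Bernstein, 2012). */
static uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
    uint64_t k0 = le64_load(key), k1 = le64_load(key + 8);
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    uint64_t b = (uint64_t)len << 56;
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {
        uint64_t m = le64_load(in + i);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t j = 0; i + j < len; j++)   /* final partial block + length byte */
        b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

struct ping_keys { uint8_t enc[16]; uint8_t mac[16]; };
#define PING_PAYLOAD_LEN 24   /* nonce(8) || masked send time(8) || tag(8) */

/* Draw both keys from /dev/urandom once at program start; 0 on success. */
static int ping_keys_random(struct ping_keys *k)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(k, 1, sizeof *k, f);
    fclose(f);
    return n == sizeof *k ? 0 : -1;
}

/* Seal send_usec ("now", in microseconds): XOR it with a keystream block
 * derived from the fresh nonce, then MAC nonce||masked time (EtM). */
static void ping_seal(const struct ping_keys *k, uint64_t send_usec,
                      const uint8_t nonce[8], uint8_t out[PING_PAYLOAD_LEN])
{
    memcpy(out, nonce, 8);
    le64_store(out + 8, send_usec ^ siphash24(k->enc, nonce, 8));
    le64_store(out + 16, siphash24(k->mac, out, 16));
}

/* Check the tag in constant time, then unmask. Returns 0 on success and
 * -1 when the payload was forged or altered (send_usec is left untouched). */
static int ping_open(const struct ping_keys *k, const uint8_t in[PING_PAYLOAD_LEN],
                     uint64_t *send_usec)
{
    uint8_t expect[8], diff = 0;
    le64_store(expect, siphash24(k->mac, in, 16));
    for (int i = 0; i < 8; i++) diff |= expect[i] ^ in[16 + i];
    if (diff != 0) return -1;
    *send_usec = le64_load(in + 8) ^ siphash24(k->enc, in, 8);
    return 0;
}

int main(void)
{
    struct ping_keys k;
    uint8_t nonce[8], payload[PING_PAYLOAD_LEN];
    uint64_t now = 1700000000000000ULL, got = 0;   /* constructed send time */
    FILE *f = fopen("/dev/urandom", "rb");
    if (ping_keys_random(&k) != 0 || f == NULL || fread(nonce, 1, 8, f) != 8) return 1;
    fclose(f);
    ping_seal(&k, now, nonce, payload);
    printf("open: %d, time recovered: %d\n", ping_open(&k, payload, &got), got == now);
    payload[9] ^= 1;                               /* tamper with the masked time */
    printf("open after tamper: %d\n", ping_open(&k, payload, &got));
    return 0;
}
```

The nonce must be fresh for every echo request: reusing one repeats the keystream block, and the XOR of two masked times would then leak their difference. Unlike the token-map alternative, nothing is stored per outstanding packet; the cost is 24 bytes of payload and two SipHash calls per send and per receive.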