Web Server File Timing Attacks: Prevention

TL;DR

Timing attacks can reveal whether a file exists on your web server even when you never serve it to users. This guide explains how they work and gives practical steps to defend against them, centred on making the response time the same whether or not a requested file exists.

What are Web Server File Timing Attacks?

Imagine a thief guessing the PIN for a bank card against a check that compares one digit at a time and stops at the first mismatch. A guess that takes slightly longer to be rejected shares a longer correct prefix with the real PIN, so the time taken leaks what the answer itself does not say. Timing attacks on web servers work the same way.

An attacker sends requests for paths that may or may not exist and measures how long each response takes. A name that maps to a real file, even one the server refuses to serve, costs different work from a name that maps to nothing: the filesystem lookup succeeds, permissions are checked, a handler or rewrite rule runs, whereas a missing name drops straight into the not-found path. The difference is often well under a millisecond, but an attacker who takes many samples and compares the medians can still separate the two cases, and so enumerate files you believed were hidden.

How to Protect Your Web Server

  1. Consistent Response Times: the aim is for the server to do the same work, and so take about the same time, whether or not the requested file exists. Every measure below is a way of giving both cases the same code path.
  2. Disable Directory Listing: a listing hands the attacker the file names outright, so no timing is needed. Nginx ships with listing off; Apache's stock configuration often enables Indexes on the document root, so check rather than assume.
    • Apache: in the <Directory> block for your document root in the virtual host configuration (e.g., /etc/apache2/sites-available/your_site.conf), ensure you have Options -Indexes.
    • Nginx: in your server block configuration (e.g., /etc/nginx/sites-available/your_site), use autoindex off;
  3. Error Handling: configure the web server to send every missing file through the same static error response, so that a miss costs the same regardless of which name was requested.
    • Apache: point ErrorDocument 404 at a static page (ErrorDocument 404 /404.html in the virtual host). Keep it static: if the error page is a script, every miss runs the interpreter and the not-found path becomes measurably slower than a static hit.
    • Nginx: create a static error page (e.g., /usr/share/nginx/html/404.html) and configure Nginx to use it. The internal directive stops the page from being requested directly, so it is only reached through the error path.
      error_page 404 /404.html;
      location = /404.html {
          root /usr/share/nginx/html;
          internal;
      }
  4. File Existence Checks: avoid checking whether a file exists in application code and then reading it as a second step. The check and the read are two separate filesystem lookups, the answer can change between them (a time-of-check/time-of-use race), and the branch that handles the missing case does different work from the branch that serves the file.
    • Instead of:
      # check, then read: two lookups and two different code paths
      if os.path.exists(path):
          serve_file(path)      # read the file and stream it to the client
      else:
          respond_not_found()
    • Open the file directly and handle the failure if it does not exist, so there is one lookup and one code path up to the point of failure. Catch the permission error too and answer it with the same 404, because a 403 tells the client that the name exists:
      # open once; a missing or unreadable file surfaces as an exception
      try:
          with open(path, "rb") as f:
              serve_bytes(f.read())
      except (FileNotFoundError, PermissionError):
          respond_not_found()
    • The second form removes the double lookup and the race, not the timing difference itself: the open still succeeds or fails according to what is on disk. To make the response time independent of the filesystem, decide from an in-memory index of the files you intend to publish, built once at startup, and touch the filesystem only for names in that index. Unknown names, whether or not a file by that name happens to exist, then take exactly the same path.
  5. Caching: a reverse proxy cache (Varnish, or Nginx's proxy_cache) cuts origin load, but it does not hide timing differences by itself and adds one of its own: a hit for a file that exists returns from the cache, while a request for a missing name goes to the origin on every miss. Cache the negative responses for the same lifetime as the positive ones, so that repeated requests for a missing name are also answered from the cache (in Nginx, proxy_cache_valid 200 404 10m;). The first request for any name still reaches the origin, so caching complements the measures above rather than replacing them.
  6. Regular Security Scans: use vulnerability scanners to catch configuration weaknesses such as directory listing or a missing error page, but do not expect them to measure timing side channels. Test those yourself: time many requests for a path you know exists and one you know does not, compare the medians, and repeat the measurement after every configuration change.
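The index approach from step 4, combined with the single error response of step 3, as an added example written for this article; it is not code from the original page or from any named project. It assumes a Python WSGI handler serving a static document root. The policy that hidden directories and dump or backup suffixes are never published is an assumption of the example, and the document root it builds is constructed for the demonstration, not a real site. The naive handler is shown beside the hardened one so the difference in code paths is visible.

```python
import os
import tempfile

# Example policy (an assumption of this example, not from the article):
# anything under a hidden directory or with one of these suffixes stays
# unpublished even though it sits inside the document root.
UNPUBLISHED_SUFFIXES = (".bak", ".old", ".sql", ".swp")
NOT_FOUND_BODY = b"<h1>404 Not Found</h1>\n"


def publishable(relpath):
    """Decide at index-build time whether a file may be served at all."""
    if any(part.startswith(".") for part in relpath.split("/")):
        return False
    return not relpath.endswith(UNPUBLISHED_SUFFIXES)


def build_index(doc_root):
    """Walk the document root once at startup. The resulting set is the only
    thing a request is compared against before the filesystem is touched."""
    index = set()
    for dirpath, _dirs, files in os.walk(doc_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), doc_root)
            rel = rel.replace(os.sep, "/")
            if publishable(rel):
                index.add(rel)
    return index


def naive_app(doc_root):
    """'Before': check, then read. Whether a name exists on disk decides
    which branch runs (404, 403 or a read), so both the status code and the
    response time follow the filesystem. Path traversal is not stopped."""
    def app(environ, start_response):
        path = os.path.join(doc_root, environ["PATH_INFO"].lstrip("/"))
        if not os.path.exists(path):
            start_response("404 Not Found", [("Content-Type", "text/html")])
            return [NOT_FOUND_BODY]
        if not os.access(path, os.R_OK):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        with open(path, "rb") as f:
            data = f.read()
        start_response("200 OK", [("Content-Type", "application/octet-stream")])
        return [data]
    return app


def hardened_app(doc_root):
    """'After': one set-membership test decides everything. A missing name,
    an unpublished file that is present, and a '..' traversal all fail that
    test the same way and never reach the filesystem, so there is no
    per-file work for an attacker to time."""
    index = build_index(doc_root)

    def app(environ, start_response):
        rel = environ["PATH_INFO"].lstrip("/")
        if rel in index:
            try:
                with open(os.path.join(doc_root, rel), "rb") as f:
                    data = f.read()
                start_response("200 OK", [("Content-Type", "application/octet-stream")])
                return [data]
            except OSError:
                pass  # unreadable or removed since startup: same 404 as below
        start_response("404 Not Found", [("Content-Type", "text/html")])
        return [NOT_FOUND_BODY]
    return app


def call(app, path):
    """Drive a WSGI app in-process and return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen["status"], body


def make_demo_root():
    """Constructed document root for the demonstration, not a real site."""
    root = tempfile.mkdtemp(prefix="timing-demo-")
    files = {
        "index.html": b"<h1>hello</h1>\n",
        "assets/app.js": b"console.log('hi');\n",
        "db.sql": b"-- database dump that must never be served\n",
        ".git/config": b'[remote "origin"]\n',
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = make_demo_root()
    apps = (("naive", naive_app(root)), ("hardened", hardened_app(root)))
    paths = ("/index.html", "/db.sql", "/.git/config", "/missing.html", "/../../etc/passwd")
    for name, app in apps:
        for path in paths:
            print(f"{name:9s} {path:22s} -> {call(app, path)[0]}")
```

Run it and compare the two columns: the naive handler answers /db.sql and /.git/config with 200 because they exist and are readable, and its 404 for /missing.html comes from a different branch; the hardened handler gives every name outside the index the same 404 through the same set lookup, without a filesystem call, so the disk cannot influence the timing. A published file still differs from an unpublished one (200 against 404), which is fine, since those files are public by definition.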

Important Considerations

  • Programming Language and Framework: the stack decides how much work a miss does. A framework whose front controller routes every unknown path through the application (building a request object, running middleware, rendering a templated 404) makes a miss far slower than a static hit, which is as useful a signal to an attacker as the reverse. Know which requests reach your application code and which the web server answers on its own.
  • Server Load: high load adds jitter to response times and makes small differences harder to measure, but an attacker answers jitter by taking more samples, so do not treat it as a defence.
  • Network Latency: network conditions add noise in the same way. When analysing your own timing data, measure from the position an attacker would hold, take enough samples for the medians to settle, and alternate requests between the candidate paths so that drift affects both equally.
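A way to measure the difference yourself, and to see why the load and latency noise just described is only a partial defence, as an added example written for this article (it is not code from the original page). The live probe uses urllib against URLs you supply; the offline demonstration runs on constructed latency series from a seeded generator, which are not measurements of any real server. The decision rule, three standard errors of the median difference with a MAD-based spread estimate, is a choice of this example.

```python
import math
import random
import statistics
import time
import urllib.error
import urllib.request


def time_request(url, timeout=5.0):
    """One live round trip, in seconds. An error status is a sample too:
    what matters is how long the server took, not what it answered."""
    t0 = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError as err:
        err.read()
    return time.perf_counter() - t0


def collect_pair(url_a, url_b, n, probe=time_request):
    """Alternate between the two candidates so that load drift and route
    changes land on both series equally instead of biasing one of them."""
    a, b = [], []
    for _ in range(n):
        a.append(probe(url_a))
        b.append(probe(url_b))
    return a, b


def median_stderr(samples):
    """Standard error of the median, 1.2533 * sigma / sqrt(n), with sigma
    taken as 1.4826 * MAD so the long tail that timing data always has does
    not swamp the estimate. It shrinks with n: more samples beat more noise."""
    n = len(samples)
    if n < 2:
        return math.inf
    m = statistics.median(samples)
    mad = statistics.median(abs(x - m) for x in samples)
    return 1.2533 * 1.4826 * mad / math.sqrt(n)


def compare(a, b, z=3.0):
    """Gap between the medians of the two series, its combined standard
    error, and whether the gap clears z standard errors. A crude rule, but
    it is the decision an attacker makes after each batch of samples."""
    gap = statistics.median(a) - statistics.median(b)
    err = math.hypot(median_stderr(a), median_stderr(b))
    return gap, err, abs(gap) > z * err


def simulated_latency(base, jitter, n, seed):
    """Constructed series for the offline demo, not measurements of any real
    server: a fixed service time, uniform jitter from the network and server
    load, and a 0.5% chance of a long stall (lost packet, GC pause)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        x = base + rng.uniform(0.0, jitter)
        if rng.random() < 0.005:
            x += 5 * jitter
        out.append(x)
    return out


if __name__ == "__main__":
    # The existing name costs 100 microseconds more, buried under a full
    # millisecond of jitter. With few samples the verdict is usually False;
    # with thousands the gap stands clear of the shrinking error.
    for n in (20, 200, 5000):
        exists = simulated_latency(0.0021, 0.001, n, seed=1)
        missing = simulated_latency(0.0020, 0.001, n, seed=2)
        gap, err, ok = compare(exists, missing)
        print(f"n={n:5d}  gap={gap * 1e6:6.1f} us  err={err * 1e6:6.1f} us  "
              f"distinguishable={ok}")
    # Against a real server: a, b = collect_pair(url_present, url_absent, 2000)
```

To test your own server, pick a path you know exists (ideally one that is present but not served) and one you know does not, run collect_pair from outside your network, and feed the two series to compare. If the verdict is True at a sample count an attacker could afford, the configuration still leaks; the jitter that hid the gap at n=20 in the demo is exactly the noise that load and latency provide, and the same loop shows how cheaply it is overcome.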