Solved

Alternative to disabling timestamp

Posted on 2014-10-30
1,491 Views
Last Modified: 2014-11-10
In a CageScan test, the report advised disabling "TCP timestamp response" on the F5 LTM, but F5 has advised
us against it, as given below.

Q1:
What other alternative can we adopt to mitigate this? We can't remain at the status quo, as it was not
acceptable to audit.
In particular, can we do anything on Internet-facing servers (web servers?), e.g. deploy a host/endpoint
based IPS to drop certain patterns, or Windows firewall to block certain timestamp traffic, or is there any patch
we can get from MS & Redhat?

Q2:
Is this risk considered a DoS vulnerability, an ACK storm vulnerability, or something else?

Q3:
If we have many servers, is there a quick way to check whether the "TCP timestamp received"
from the ntp server (or is it the ntp client?) and the servers' system uptime match?
We can't afford to log in to each server individually to check, as there are too many of them & the
uptime data changes very fast.


F5's response :
"A number of publicly-available networking and security utilities (for example, nmap, hping, and some commercial tools) can perform network scans using a TCP timestamp option, which can be used to calculate the uptime (time since boot) of a system.

Timestamps are a TCP option used by a TCP/IP networking stack to implement two algorithms: the Round-Trip Time Measurement (RTTM) algorithm and the Protection Against Wrapped Sequence Numbers (PAWS) algorithm. Both algorithms are defined in RFC 1323, and are widely implemented by most modern operating systems' TCP/IP stacks, including F5 products.

Because the values in the timestamp are tied to the passage of time as tracked by the system clock, capturing two or more TCP packets allows interpolation back to the time at which the system started.

Uptime information, when combined with other system fingerprinting techniques, may sufficiently identify a system to an attacker as a potentially worthwhile target for an attack.

Note: The issue of using uptime information to select a subsequent attack should not be confused with any attack against the timestamp mechanism directly.


Eliminating the use of TCP timestamps is not desirable because a performance penalty would occur without RTTM. More importantly, PAWS protects not only against the loss of data when TCP sequence numbers wrap, but also against denial-of-service attacks which attempt to shut down an existing TCP connection. Without PAWS, the attacker needs only the IP addresses and port numbers of the connection endpoints to reset the connection.

F5 believes that the probability of system uptime information being used as the basis of a subsequent, successful attack is low. Additionally, denying an attacker access to uptime information would be a significant deterrent only if other operating system information could be hidden from fingerprinting techniques, which is not possible."
Question by:sunhux
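The interpolation the F5 note describes, and the per-server check asked for in Q3, as an added example that is not part of the original thread: given a few (capture time, TSval) pairs from one host, it estimates the stack's timestamp tick rate and uptime, then compares that against the uptime the host reports about itself. The function names and the sample data are constructed for this example.

```python
# Added example (not from the thread): reproduces the interpolation the F5 note
# describes, so an admin can check whether a host's TCP timestamps (TSval)
# actually reveal its uptime (Q3). Sample data below is constructed.

COMMON_TICK_RATES_HZ = (100, 250, 1000)   # typical kernel timestamp clocks

def estimate_tick_rate(samples):
    """samples: list of (capture_time_seconds, tsval) from one host.
    Returns (raw_hz, snapped_hz): least-squares slope of TSval against
    capture time, and that slope rounded to the nearest common tick rate."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0 = samples[0][0]                      # work relative to first capture
    ts = [t - t0 for t, _ in samples]       # keeps float arithmetic precise
    vs = [v for _, v in samples]
    mean_t = sum(ts) / len(ts)
    mean_v = sum(vs) / len(vs)
    den = sum((t - mean_t) ** 2 for t in ts)
    if den == 0:
        raise ValueError("samples must span more than one capture time")
    raw_hz = sum((t - mean_t) * (v - mean_v) for t, v in zip(ts, vs)) / den
    snapped_hz = min(COMMON_TICK_RATES_HZ, key=lambda hz: abs(hz - raw_hz))
    return raw_hz, snapped_hz

def estimate_uptime(samples):
    """Returns (uptime_seconds, boot_time_epoch) from the latest sample.
    Assumes TSval counts from boot and has not wrapped (32-bit; ~49.7 days
    at 1000 Hz), which is what the F5 note's interpolation relies on."""
    _, hz = estimate_tick_rate(samples)
    capture_time, tsval = max(samples)      # latest capture (tuples sort by time)
    uptime = tsval / hz
    return uptime, capture_time - uptime

def uptime_leaks(samples, reported_uptime, tolerance_s=60.0):
    """Defender check: True when the uptime inferred from TSval agrees with
    the uptime the host reports itself (e.g. /proc/uptime or systeminfo).
    A mismatch means the stack is not exposing real uptime via timestamps
    (or the samples came from different hosts behind a load balancer)."""
    uptime, _ = estimate_uptime(samples)
    return abs(uptime - reported_uptime) <= tolerance_s

# Constructed sample: host booted at epoch 1_700_000_000 with a 250 Hz clock,
# three packets captured about one day later.
BOOT_EPOCH = 1_700_000_000.0
SAMPLES_250HZ = [(BOOT_EPOCH + up, round(250 * up))
                 for up in (86400.0, 86400.5, 86401.2)]

if __name__ == "__main__":
    print(estimate_tick_rate(SAMPLES_250HZ), estimate_uptime(SAMPLES_250HZ))
```

Kernels that randomise the timestamp offset per connection (Linux 4.10 and later do this) will make the check report no leak even with timestamps enabled, which is the outcome the audit is after without losing PAWS.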
3 Comments
 

Author Comment

by:sunhux
ID: 40412769
I can try the suggestion below, but it's been reported not to work, & a rescan still reports the vulnerability:

http://stackoverflow.com/questions/24067609/how-to-disable-windows-server-2008-timestamp-response
 

Author Comment

by:sunhux
ID: 40412799
Perhaps these ones:

https://social.technet.microsoft.com/Forums/en-US/d4015aa9-0613-473e-8950-a3b3d3e72b04/i-have-security-vulnerability-tcp-timestamp-response-on-w2k3-w2k8-servers-how-to-fix-it?forum=winserversecurity :
    Add & set the Tcp1323Opts value to 0 in the registry under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

http://www.tmltechnologies.com/html-2012/index.php/linux-rescue-kits/82-secret/91-disable-tcp-timestamps-on-linux :
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
    &
    add the following line to /etc/sysctl.conf:
        net.ipv4.tcp_timestamps = 0

The 2nd URL above also suggests using iptables to block, so what's the
equivalent Windows firewall rule, with exact syntax:

IPTables

To be on the safe side, add the following 2 lines to your firewall script:
    iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
    iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
 
LVL 83

Accepted Solution

by:
David Johnson, CD, MVP earned 2000 total points
ID: 40415165
netsh firewall set icmpsetting 13 disable