Solved

Disable Tcp_timestamp : applicable to Web servers only or App & DB as well?

Posted on 2014-11-13
3
581 Views
Last Modified: 2014-12-12
When VA scanner scan & recommend to disable TCP_timestamp,
is this something we disable at Web only or needs to be done at
App & DB too?    We can't do it at LB level due to an impact.

Refer to :
http://www.tmltechnologies.com/html-2012/index.php/linux-rescue-kits/82-secret/91-disable-tcp-timestamps-on-linux
   Issue using root:
    # echo 0 > /proc/sys/net/ipv4/tcp_timestamps
          & to make it stay across reboots,
    add the following line to /etc/sysctl.conf:
        net.ipv4.tcp_timestamps = 0
 
Create Solaris iptables firewall rules as additional enhancement:
   iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
   iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
 
 
 
 
For Windows 2008 R2:
https://social.technet.microsoft.com/Forums/en-US/d4015aa9-0613-473e-8950-a3b3d3e72b04/i-have-security-vulnerability-tcp-timestamp-response-on-w2k3-w2k8-servers-how-to-fix-it?forum=winserversecurity     :
    Add & set Tcp1323Opts value to 0 in registry HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Also add the equivalent firewall rules in Windows & reboot Windows server
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Author Comment

by:sunhux
ID: 40442998
From googling around, I noticed Tcp_timestamp disabling
are done on web servers only, is this correct or it ought to
be done on app & DB servers as well?
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 300 total points
ID: 40460143
Most admins consider that the Risk/Benefit of Tcp_timestamp disabling is just not worth it.  The "RISK" is very light, it does not provide an exploit in its own right, as I am sure you have read already.

It is ANY server that communicates with TCP that is "affected" not just web servers.

There can be unintended consequences that lead to a dramatic loss in performance and as the "RISK" is that somebody will know how long your server has been on or them knowing the OS you use, I would put a red line through it.

Risk assessment is not just about following all recommendations. It is about acknowledging that you have understood a "RISK" and made a business decision on the potential for loss verses the potential for loss in performance.  
As I said, Most consider the Risk and mark it as "Noted".
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40460388
Best tuning advice would be to leave everything at defaults and dont fix what is not broken.

Some points:
1) Are timestamps derived from system time or random? In second case there is no security advantage in disabling them
2) Either way - is reading timer or generating few pseudo-random bits expensive on your system? Not on Linux on good hardware, but there are some bad seeds around e.g virtualisation.
3) Do you have more than two million of inflight packets to make use of sequence number roll-over protection that timestamps offers? (Like terabyte of tcp buffer)? - OK - it might be useful then, but then again - which operating systems implement this feature?
4) When you flip just 10 sysctl switches how do you identify source of problem? By repeating test 1024 times with all possible flip switch positions?
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
This article was originally published on Monitis Blog, you can check it  here . If you have responsibility for software in production, I bet you’d like to know more about it. I don’t mean that you’d like an extra peek into the bowels of the sour…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question