Solved

Disable Tcp_timestamp : applicable to Web servers only or App & DB as well?

Posted on 2014-11-13
3
538 Views
Last Modified: 2014-12-12
When VA scanner scan & recommend to disable TCP_timestamp,
is this something we disable at Web only or needs to be done at
App & DB too?    We can't do it at LB level due to an impact.

Refer to :
http://www.tmltechnologies.com/html-2012/index.php/linux-rescue-kits/82-secret/91-disable-tcp-timestamps-on-linux
   Issue using root:
    # echo 0 > /proc/sys/net/ipv4/tcp_timestamps
          & to make it stay across reboots,
    add the following line to /etc/sysctl.conf:
        net.ipv4.tcp_timestamps = 0
 
Create Solaris iptables firewall rules as additional enhancement:
   iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
   iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
 
 
 
 
For Windows 2008 R2:
https://social.technet.microsoft.com/Forums/en-US/d4015aa9-0613-473e-8950-a3b3d3e72b04/i-have-security-vulnerability-tcp-timestamp-response-on-w2k3-w2k8-servers-how-to-fix-it?forum=winserversecurity     :
    Add & set Tcp1323Opts value to 0 in registry HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Also add the equivalent firewall rules in Windows & reboot Windows server
0
Comment
Question by:sunhux
3 Comments
 

Author Comment

by:sunhux
Comment Utility
From googling around, I noticed Tcp_timestamp disabling
are done on web servers only, is this correct or it ought to
be done on app & DB servers as well?
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 300 total points
Comment Utility
Most admins consider that the Risk/Benefit of Tcp_timestamp disabling is just not worth it.  The "RISK" is very light, it does not provide an exploit in its own right, as I am sure you have read already.

It is ANY server that communicates with TCP that is "affected" not just web servers.

There can be unintended consequences that lead to a dramatic loss in performance and as the "RISK" is that somebody will know how long your server has been on or them knowing the OS you use, I would put a red line through it.

Risk assessment is not just about following all recommendations. It is about acknowledging that you have understood a "RISK" and made a business decision on the potential for loss verses the potential for loss in performance.  
As I said, Most consider the Risk and mark it as "Noted".
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 200 total points
Comment Utility
Best tuning advice would be to leave everything at defaults and dont fix what is not broken.

Some points:
1) Are timestamps derived from system time or random? In second case there is no security advantage in disabling them
2) Either way - is reading timer or generating few pseudo-random bits expensive on your system? Not on Linux on good hardware, but there are some bad seeds around e.g virtualisation.
3) Do you have more than two million of inflight packets to make use of sequence number roll-over protection that timestamps offers? (Like terabyte of tcp buffer)? - OK - it might be useful then, but then again - which operating systems implement this feature?
4) When you flip just 10 sysctl switches how do you identify source of problem? By repeating test 1024 times with all possible flip switch positions?
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
This video demonstrates how to use each tool, their shortcuts, where and when to use them, and how to use the keyboard to improve workflow.
Video by: Tony
This video teaches viewers how to export a project from Adobe Premiere Pro and the various file types involved.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now