Disable TCP and ICMP Timestamps

From Kicksecure
Revision as of 17:46, 19 December 2021 by Nurmagoz (talk | contribs)

Disable TCP Timestamps

Introduction

Info TCP timestamps provide protection against wrapped sequence numbers.

The downside of TCP timestamps is that adversaries can remotely calculate the system uptime and boot time of the machine, and the host's clock, down to millisecond precision. These calculated uptimes and boot times can also help to detect hidden network-enabled operating systems, link spoofed IP and MAC addresses together, and more. [1] [2]

To prevent this information leaking to an adversary, it is recommended to disable TCP timestamps on any operating systems in use. The less information available to attackers, the better the security.

Kicksecure

Disabled in Kicksecure by default. If using Kicksecure as a host operating system, there is nothing to do. Otherwise, see the rest of this page.

Linux

To temporarily disable TCP timestamps for testing purposes (rather than permanently), see the footnote. [3]

1. Open a terminal (Konsole).

Become root.

sudo su

2. Add the following line to /etc/sysctl.d/tcp_timestamps.conf

net.ipv4.tcp_timestamps = 0

To do that, use the following command.

echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf

3. To apply the sysctl settings without a reboot, run the following command.

sysctl -p /etc/sysctl.d/tcp_timestamps.conf

4. Check if the changes have been properly set.

sysctl -a | grep net.ipv4.tcp_timestamps

If it worked correctly, the system should provide the following output.

net.ipv4.tcp_timestamps = 0
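The check in step 4 only shows the running value; the footnote's /proc method gives the same output but does not survive a reboot. The following audit script is an added example (not Kicksecure's own code) that compares the kernel value with what /etc/sysctl.d will apply on boot, so a merely temporary or not-yet-applied change is reported. The two path arguments are a hypothetical convenience for testing; with no arguments it inspects the live system.

```shell
#!/bin/sh
# Added example: audit TCP timestamp status at runtime and in sysctl.d.
# Usage: tcp_ts_audit [runtime_file] [sysctl_d_dir]
# Exit code: 0 = disabled persistently, 1 = inconsistent, 2 = enabled.
tcp_ts_audit() {
    runtime="${1:-/proc/sys/net/ipv4/tcp_timestamps}"
    confdir="${2:-/etc/sysctl.d}"

    # Current kernel value: 0 = off, 1 = on, 2 = on with per-connection random offsets.
    if [ -r "$runtime" ]; then
        cur=$(tr -d '[:space:]' < "$runtime")
    else
        cur="unknown"
    fi

    # The last matching assignment across sysctl.d wins; tolerate spaces around '='.
    persist=$(cat "$confdir"/*.conf 2>/dev/null \
        | grep -E '^[[:space:]]*net\.ipv4\.tcp_timestamps[[:space:]]*=' \
        | tail -n 1 | sed 's/.*=[[:space:]]*//' | tr -d '[:space:]')

    case "$cur/$persist" in
        0/0) echo "ok: disabled now and persistently in $confdir"; return 0 ;;
        0/)  echo "temporary: disabled now but no sysctl.d entry, reverts on reboot"; return 1 ;;
        0/*) echo "conflict: disabled now but $confdir sets $persist"; return 1 ;;
        */0) echo "pending: $confdir sets 0 but kernel value is $cur (run sysctl -p)"; return 1 ;;
        *)   echo "enabled: kernel value $cur, persistent value '${persist:-none}'"; return 2 ;;
    esac
}
```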

Qubes

TCP timestamps are disabled by default in Qubes R3.1 and above. [4]

Disable ICMP Timestamps

Introduction

The Internet Control Message Protocol (ICMP) is used by network devices, including routers, to send operational information and error messages, such as whether a service is available or whether a host or router cannot be reached. Unlike TCP and UDP, it is a network-layer protocol, not a transport-layer one. Common network utilities such as ping and traceroute are based on ICMP messages. [5]

The ICMP protocol includes timestamps for time synchronization. The originate timestamp is set to the time (in milliseconds since midnight) at which the sender last touched the message before sending it. A timestamp reply is also generated, consisting of the originate timestamp (sent by the sender) as well as a "receive timestamp", which captures when the request was received, and a "transmit timestamp", which captures when the reply was sent. [6]

Kicksecure

Disabled in Kicksecure by default. If using Kicksecure as a host operating system, there is nothing to do. Otherwise, see the rest of this chapter.

Linux

ICMP timestamps need to be blocked with the firewall. [7] This is distribution dependent and varies widely, as does whether a firewall is enabled at all on your specific OS. Be aware that some distributions do not turn on the firewall by default.

There are various ways to block ICMP timestamps on the command line, so it is recommended to consult your specific distribution's documentation. [8] The easiest method is to install a GUI front-end (such as gufw), then configure the firewall to silently drop all incoming connections by default and only allow outgoing traffic from the machine.
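For the command-line route, and as a current-day counterpart to the ipchains rules in footnote 7, the following is an added example (not Kicksecure's own code) that emits nftables or iptables rules dropping ICMP type 13 (timestamp request) and type 14 (timestamp reply) in both directions, and can apply them as root. The function names are hypothetical; the nft table and chain names are assumed to be inet/filter with input and output chains.

```shell
#!/bin/sh
# Added example: print (and optionally apply) rules that drop ICMP timestamp
# requests (type 13) and replies (type 14) on input and output.
# Note: net.ipv4.icmp_echo_ignore_all only silences echo (ping), not timestamps,
# so a firewall rule is still needed for types 13 and 14.
icmp_ts_rules() {
    case "$1" in
        nft)
            # "add" is idempotent, so this coexists with an existing inet/filter table.
            echo "nft add table inet filter"
            echo "nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'"
            echo "nft add chain inet filter output '{ type filter hook output priority 0; policy accept; }'"
            echo "nft add rule inet filter input icmp type '{ timestamp-request, timestamp-reply }' drop"
            echo "nft add rule inet filter output icmp type '{ timestamp-request, timestamp-reply }' drop"
            ;;
        iptables)
            # --icmp-type accepts the symbolic names; the numbers 13 and 14 also work.
            echo "iptables -I INPUT -p icmp --icmp-type timestamp-request -j DROP"
            echo "iptables -I INPUT -p icmp --icmp-type timestamp-reply -j DROP"
            echo "iptables -I OUTPUT -p icmp --icmp-type timestamp-request -j DROP"
            echo "iptables -I OUTPUT -p icmp --icmp-type timestamp-reply -j DROP"
            ;;
        *)
            echo "usage: icmp_ts_rules nft|iptables" >&2
            return 2
            ;;
    esac
}

# Apply the printed rules for the chosen backend; requires root.
icmp_ts_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "icmp_ts_apply: must be root" >&2; return 1; }
    icmp_ts_rules "$1" | while IFS= read -r cmd; do
        eval "$cmd" || return 1
    done
}
```

Review the output of `icmp_ts_rules nft` or `icmp_ts_rules iptables` first, then run `icmp_ts_apply <backend>` as root; the rules are not persistent unless saved by your distribution's firewall service.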

OpenBSD

Info This is untested.

The easiest solution is to configure the firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response). [9]

Alternatively, set net.inet.icmp.tstamprepl to 0 (it is enabled by default). In a terminal, run.

sysctl -w net.inet.icmp.tstamprepl=0

Qubes

ICMP timestamps are disabled by default in Qubes R3.1 and above. [10]

From the Menu

The status of ICMP timestamps can be manually checked and changed on Windows systems via the Firewall settings. [11]

1. Right-click on the Start button.

2. Select Control Panel.

3. Select Windows Firewall.

4. Select the Advanced Settings tab.

The ICMP Settings dialog box should show the ICMP timestamp is disabled: Allow incoming timestamp request is unchecked. [12]

From the Command Line

ICMP timestamp responses can be disabled via the netsh command line utility. This is necessary for Vista and earlier Windows versions. [13]

Open a terminal and run this command as root (administrator).

netsh firewall set icmpsetting 13 disable

Outgoing ICMP timestamp responses are now blocked.

References

  1. https://forensicswiki.org/wiki/TCP_timestamps
  2. Quote https://factorable.net/weakkeys12.extended.pdf

    It may also be predictable based on system uptime, which is visible to remote attackers via TCP timestamps.

  3. Note: If a permanent solution is desired, skip this temporary option and apply the chapter's main instructions instead. To dynamically disable TCP timestamping on Linux (Qubes: in the NetVM), become root: sudo su. Then disable TCP timestamps: echo 0 > /proc/sys/net/ipv4/tcp_timestamps
  4. https://github.com/QubesOS/qubes-issues/issues/1344
  5. https://en.wikipedia.org/wiki/ICMP_Timestamp
  6. https://en.wikipedia.org/wiki/ICMP_Timestamp#Timestamp
  7. Advanced users can of course use iptables. For example, in Debian: ipchains -p icmp -s $INTIP/0 13 -i $INTIF -j DENY and ipchains -p icmp -s 0.0.0.0/0 14 -i $EXTIF -j DENY
  8. For instance, Debian users can edit the /etc/sysctl.conf file manually and add net.ipv4.icmp_echo_ignore_all = 1.
  9. https://beyondsecurity.zendesk.com/hc/en-us/articles/203609549--How-can-I-mitigate-ICMP-Timestamp-
  10. https://github.com/QubesOS/qubes-issues/issues/1346
  11. https://answers.microsoft.com/en-us/windows/forum/windows_7-security/check-icmp-timestamp-response/062ffa99-ffae-4ab0-a328-84371ed46ed8?tab=question&status=AllReplies#tabs
  12. https://msdn.microsoft.com/en-us/library/ms912869%28v=winembedded.5%29.aspx
  13. https://social.technet.microsoft.com/Forums/windows/en-US/219f3dcc-3e5b-4d9b-88ae-137215575c7f/icmp-timestamp-response?forum=w7itprosecurity