Forum Discussion
How can i disable TCP_TIMESTAMP response from F5?
We have conducted a recent PCI scan which identified TCP timestamp response as a risk.
We disabled this option in our internet facing web hosts but we are still getting a risk alarm.

I have looked in the F5 TCP options and we have a TCP profile setting called "Extensions for High Performance" enabling the TCP timestamp response. Is it OK to disable this to manage the risk, and is there a high performance sacrifice in doing that?

Also I looked in the BIG-IP Linux host and we have:
    [User@LTM-HOST:Active:Changes Pending] ~ # grep net.ipv4.tcp_timestamps /etc/sysctl.conf
    net.ipv4.tcp_timestamps = 1
What role does this option play in the TCP timestamp response? Can we disable this? If you can clarify this option it would be great :)
Thanks, Rony
Vulnerability: TCP timestamp response
Diagnosis: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behaviour of their TCP timestamps.
3 Replies
- Moinul_Rony
Altostratus
Also I have found that there is a Protocol Profile called FastL4, and TCP timestamp options are more easily managed on that profile. What is the use of this FastL4 profile? What is the basic difference between a TCP and FastL4 profile? Many thanks..

Have a look at this article about the different profiles (TCP / FastL4):
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-1-0/ltm_protocol_profiles.html
It is a shame that you can either disable or enable Extensions for High Performance (RFC 1323) as a whole and not just turn off Time Stamps there, as the window scaling can be quite useful. It might be related to the fact that if you implement RFC 1323 you do it all or nothing. The effect depends on what the clients and/or servers support and use; it might be they hardly use this at all currently.
Personally I would raise a ticket with F5 support and ask them to check this for you and perhaps come up with a suggestion to make you PCI compliant without losing any performance. Probably not the first time they are asked this question.
BTW, F5 themselves don't really see this as an issue (but that probably doesn't help much against the PCI auditor :) )
http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8072.html
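The "TCP timestamp response" a scanner reports is simply the timestamp option (kind 8) appearing in the server's SYN-ACK; window scaling is a separate option (kind 3), which is why switching off the RFC 1323 extensions as a whole removes both. As an added example, not part of this thread or of any F5 code, here is a Python parser that decodes the options block of a TCP header and reports which RFC 1323 options a response carries. The header bytes are constructed samples, not captured traffic, and the function names are my own.

```python
import struct

# TCP option kinds (RFC 793, RFC 1323 / RFC 7323, RFC 2018)
OPT_EOL = 0
OPT_NOP = 1
OPT_MSS = 2
OPT_WSCALE = 3
OPT_SACK_PERMITTED = 4
OPT_TIMESTAMP = 8


def parse_tcp_options(header: bytes) -> dict:
    """Decode the options of a TCP header (bytes starting at the source port).

    Returns the parsed timestamp, window scale, MSS and SACK-permitted values,
    plus the list of option kinds seen, in order.
    """
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    opts = header[20:data_offset]
    result = {"timestamp": None, "window_scale": None, "mss": None,
              "sack_permitted": False, "kinds": []}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:                      # end of option list
            break
        if kind == OPT_NOP:                      # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        body = opts[i + 2:i + length]
        result["kinds"].append(kind)
        if kind == OPT_MSS and length == 4:
            result["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            result["window_scale"] = body[0]
        elif kind == OPT_SACK_PERMITTED and length == 2:
            result["sack_permitted"] = True
        elif kind == OPT_TIMESTAMP and length == 10:
            tsval, tsecr = struct.unpack("!II", body)
            result["timestamp"] = (tsval, tsecr)
        i += length
    return result


def rfc1323_status(header: bytes) -> dict:
    """Summarise which RFC 1323 extensions a response header advertises."""
    opts = parse_tcp_options(header)
    return {"timestamps": opts["timestamp"] is not None,
            "window_scaling": opts["window_scale"] is not None}


def build_tcp_header(options: bytes) -> bytes:
    """Construct a minimal SYN-ACK header around an options block (sample data only)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options to a 4-byte boundary
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH",
                        443, 51000,              # src port, dst port
                        1000, 2001,              # seq, ack
                        data_offset << 4, 0x12,  # data offset, flags SYN|ACK
                        65535, 0, 0)             # window, checksum, urgent ptr
    return fixed + options


# Constructed option blocks (not captured traffic) for three server configurations.
OPTS_FULL_RFC1323 = bytes.fromhex("020405b4" "0402" "080a" "12345678" "0000abcd" "01" "030307")
OPTS_WSCALE_ONLY = bytes.fromhex("020405b4" "0101" "0402" "01" "030307")
OPTS_NO_RFC1323 = bytes.fromhex("020405b4")

if __name__ == "__main__":
    for name, opts in (("timestamps + window scaling", OPTS_FULL_RFC1323),
                       ("window scaling only", OPTS_WSCALE_ONLY),
                       ("no RFC 1323 extensions", OPTS_NO_RFC1323)):
        print(f"{name}: {rfc1323_status(build_tcp_header(opts))}")
```

To confirm what a scanner sees after changing the profile, capture a SYN-ACK from the virtual server with your own packet capture tool and pass its TCP header bytes to `rfc1323_status`; a result with `timestamps` False and `window_scaling` True is what the thread's "timestamps off, scaling kept" wish would look like on the wire.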
- What_Lies_Bene1
Cirrostratus
Regarding 2, the Linux host (the Host Management Subsystem (HMS)): this relates only to the device's management traffic, not the application traffic handled by LTM, so it is probably out of scope.