Disable HTTP OPTIONS method and Disable TCP Timestamp responses

Koalan
Cirrus

Hi,

So we ran a penetration test and we found 2 of our VIPs affected by these:

a. Disable HTTP OPTIONS method

b. Disable TCP Timestamp responses

Is there a way to remediate this? I tried looking on the internet but:

a. Disable HTTP OPTIONS method - I only see how to change it globally on the F5 (probably will affect other VIPs), is there another way?

b. Disable TCP Timestamp responses - I can't seem to find a proper way to address this, is there a way?

Hoping for help. Thanks!

3 REPLIES

iaine
MVP

Hi

You can disable HTTP OPTIONS in the HTTP profile in the known methods section. If you want to only disable it for a single VIP, then create a new HTTP profile, make the required change and then associate it to your VIP.

For TCP Timestamps, again, if you want to disable them, this is in the TCP Profile in the Congestion Control section. Create a new TCP profile, make your change and then associate it to your VIP.

FF
F5 Employee

a. Like what iaine mentioned, you can use the known methods setting in the HTTP profile to reject/reset the connection. Alternatively, you can use an iRule to either reject or return an HTTP 501 response. For more information, refer to https://support.f5.com/csp/article/K34769490. Also, if you have the ASM module licensed and provisioned, the ASM security policy would block the OPTIONS method by default.

b. There is a potential performance tradeoff when TCP Timestamp is disabled in either the TCP profile (Timestamps Extension for High Performance (RFC 1323) setting) or the FastL4 profile (TCP Timestamp Mode setting). You may want to consider randomising the TCP Timestamp instead by enabling this db key: tm.tcpsendrandomtimestamp. For more details, you may want to take a look at https://support.f5.com/csp/article/K8072.

 

Koalan
Cirrus

Thank you for your answers!