Disable TCP and ICMP Timestamps

From Whonix


Disable TCP Timestamps[edit]

Introduction[edit]

The downside of TCP timestamps is that adversaries can remotely calculate the uptime and boot time of the machine, and read the host's clock, down to millisecond precision. These calculated uptimes and boot times can also help to detect hidden network-enabled operating systems, to link spoofed IP and MAC addresses together, and more. [1] [2]

To prevent this information leaking to an adversary, it is recommended to disable TCP timestamps on every operating system in use. The less information available to attackers, the better the security.
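To make the leak concrete, the following added example (not Whonix or Kicksecure code) parses the option list of a raw TCP header and reports whether the timestamp option (kind 8) is present. The two SYN headers are constructed samples: one as a host with timestamps enabled would send it, and one as sent after net.ipv4.tcp_timestamps = 0; the ports and option values are assumptions.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: payload} for every option carried in a raw TCP header.

    tcp_header is the 20-byte fixed header plus options, as sliced out of a
    captured packet directly after the IP header.
    """
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    opts = tcp_header[20:data_offset]
    i, found = 0, {}
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:                  # end of option list, padding follows
            break
        if kind == TCP_OPT_NOP:                  # one-byte no-op used for alignment
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        found[kind] = opts[i + 2:i + length]
        i += length
    return found

def tcp_timestamp(tcp_header: bytes):
    """Return (TSval, TSecr) when the timestamp option is present, else None.

    TSval is the sender's timestamp clock, the value an observer uses to
    estimate uptime; a host with net.ipv4.tcp_timestamps = 0 never sends it.
    """
    payload = parse_tcp_options(tcp_header).get(TCP_OPT_TIMESTAMP)
    return None if payload is None else struct.unpack("!II", payload)

def build_syn(options: bytes) -> bytes:
    """Constructed sample SYN header (port 40000 -> 443), options padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    data_offset_words = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset_words << 4, 0x02, 65535, 0, 0)
    return fixed + options

# Constructed SYN as sent with timestamps on: MSS 1460, SACK-permitted, NOP, NOP, timestamp
SYN_WITH_TS = build_syn(b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x01\x01"
                        + b"\x08\x0a" + struct.pack("!II", 123456789, 0))
# Constructed SYN as sent after net.ipv4.tcp_timestamps = 0: MSS and SACK-permitted only
SYN_WITHOUT_TS = build_syn(b"\x02\x04\x05\xb4" + b"\x04\x02")
```

Running tcp_timestamp() over headers captured from your own host is a quick way to confirm the sysctl change below took effect on the wire.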

Kicksecure ™[edit]

Disabled in Kicksecure ™ by default. If using Kicksecure ™ as a host operating system, there is nothing to do. Otherwise, see the rest of this page.

Linux[edit]

To temporarily disable TCP timestamps for testing purposes (rather than permanently), see the footnote. [3]

1. Open a terminal (Konsole).

Become root.

sudo su

2. Add the following line to /etc/sysctl.d/tcp_timestamps.conf

net.ipv4.tcp_timestamps = 0

To do that, use the following command.

echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf

3. To apply the sysctl settings without a reboot, run the following command.

sysctl -p /etc/sysctl.d/tcp_timestamps.conf

4. Check if the changes have been properly set.

sysctl -a | grep net.ipv4.tcp_timestamps

If it worked correctly, the system should provide the following output.

net.ipv4.tcp_timestamps = 0

macOS[edit]

This procedure is untested. It should also work for BSD-like operating systems.

Disable the RFC 1323 TCP extensions (the rfc1323 sysctl), which include TCP timestamps.

1. To check system-set TCP values, run. [4]

sysctl net.inet.tcp

A value of 1 against net.inet.tcp.rfc1323 indicates it is enabled, while 0 indicates it is disabled.

2. Disable TCP timestamps permanently or temporarily.

To permanently disable TCP timestamps, run. [5] [6]

sudo su

echo net.inet.tcp.rfc1323=0 >> /etc/sysctl.conf

To temporarily disable TCP timestamps (until reboot) for testing purposes, run.

sudo sysctl -w net.inet.tcp.rfc1323=0

Qubes[edit]

TCP timestamps are disabled by default in Qubes R3.1 and above. [7]

Windows[edit]

Administrator privileges are required.

To disable (outgoing [8]) TCP timestamps on Windows, run the following command as administrator. [9]

netsh int tcp set global timestamps=disabled

Disable ICMP Timestamps[edit]

Introduction[edit]

The Internet Control Message Protocol (ICMP) is used by network devices, including routers, to send operational information and error messages, such as whether a service is available or whether a host or router cannot be reached. Unlike TCP and UDP, it is a network layer protocol, not a transport layer protocol. Common network utilities such as traceroute and ping are based on ICMP messages. [10]

The ICMP protocol includes timestamp messages for time synchronization. The originate timestamp is set to the time (in milliseconds since midnight) at which the sender last touched the message before sending it. A timestamp reply is generated in turn, consisting of the originate timestamp (as sent by the sender) as well as a "receive timestamp", which captures when the request was received and a reply sent. [11]
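The message format just described, together with the type 13/14 filter applied later in this chapter, as an added example that is not part of the original page: it decodes a constructed ICMP timestamp request and reply (with checksum verification), renders a timestamp field as a wall-clock time to show what a reply reveals, and classifies which ICMP types the firewall should drop. The identifier, sequence and timestamp values are assumptions.

```python
import struct
from datetime import timedelta

ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14   # the two types the firewall should drop

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_timestamp(icmp_type, ident, seq, originate, receive=0, transmit=0) -> bytes:
    """Constructed sample type 13/14 message; timestamps are ms since midnight UTC."""
    body = struct.pack("!BBHHHIII", icmp_type, 0, 0, ident, seq, originate, receive, transmit)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_icmp(msg: bytes) -> dict:
    """Decode the ICMP header and, for types 13/14, the three timestamp fields."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code = msg[0], msg[1]
    info = {"type": icmp_type, "code": code}
    if icmp_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        if len(msg) < 20:
            raise ValueError("truncated ICMP timestamp message")
        ident, seq, orig, recv, xmit = struct.unpack("!HHIII", msg[4:20])
        info.update(id=ident, seq=seq, originate=orig, receive=recv, transmit=xmit)
    return info

def clock_from_timestamp(ms: int) -> str:
    """Render a timestamp field as HH:MM:SS.mmm, i.e. what a reply reveals about the clock."""
    t = timedelta(milliseconds=ms)
    hours, rem = divmod(t.seconds, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}.{t.microseconds // 1000:03d}"

def should_drop(msg: bytes) -> bool:
    """Filter policy from this page: drop ICMP types 13 and 14, leave other ICMP alone."""
    return msg[0] in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY)

# Constructed samples: a request, and the reply a host that still answers would send
REQUEST = build_icmp_timestamp(ICMP_TIMESTAMP_REQUEST, 0x1234, 1, 45_296_789)
REPLY = build_icmp_timestamp(ICMP_TIMESTAMP_REPLY, 0x1234, 1, 45_296_789, 45_296_801, 45_296_801)
```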

Kicksecure ™[edit]

Disabled in Kicksecure ™ by default. If using Kicksecure ™ as a host operating system, there is nothing to do. Otherwise, see the rest of this chapter.

Linux[edit]

ICMP timestamps need to be blocked by the firewall. [12] How to do this is distribution dependent and varies widely, as does whether a firewall is enabled at all on your specific OS. Be aware that some distributions do not turn on the firewall by default.

There are various ways to block ICMP timestamps on the command line, so it is recommended to consult your specific distribution's documentation. [13] The easiest method is to install a GUI front-end (like gufw), then configure the firewall to silently drop all incoming connections by default and only allow outgoing traffic from the machine.

macOS[edit]

This is untested.

macOS systems should have ICMP timestamps disabled by default. This means that if the firewall is enabled and "Stealth Mode" is set, the system should not respond to any ICMP requests. Follow these steps to check the system is properly secured: [14]

  1. Click Menu
  2. Select System Preferences
  3. Select Security & Privacy
  4. Click the Firewall tab
  5. Check the firewall is On
  6. Click Firewall Options
  7. Enable Stealth Mode
  8. Click OK

The "Block all incoming connections" option should also be checked for greater security.

It is also possible to check or change the ICMP timestamp status manually: refer to the system variable net.inet.icmp.timestamp in the /etc/sysctl.conf file. [15]

To permanently disable ICMP timestamps, run. [16]

sudo sh -c "echo net.inet.icmp.timestamp=0 >> /etc/sysctl.conf"

OpenBSD[edit]

This is untested.

The easiest solution is to configure the firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response). [17]

Alternatively, set net.inet.icmp.tstamprepl to 0 (it is enabled by default). In a terminal, run.

sysctl -w net.inet.icmp.tstamprepl=0

Qubes[edit]

ICMP timestamps are disabled by default in Qubes R3.1 and above. [18]

Windows[edit]

This is untested. After performing these steps, explicitly check that this setting is disabled.

The firewall in recent Windows operating systems (Win 10, Win 8/8.1, Win 7) should have ICMP disabled by default. [19]

From the Menu[edit]

The status of ICMP timestamps can be manually checked and changed on Windows systems via the Firewall settings. [20]

  1. Right-click on the Start button
  2. Select Control Panel
  3. Select Windows Firewall
  4. Select the Advanced Settings tab

The ICMP Settings dialog box should show that the ICMP timestamp is disabled, i.e. "Allow incoming timestamp request" is unchecked. [21]

From the Command Line[edit]

ICMP timestamp responses can be disabled via the netsh command line utility. This is necessary for Vista and earlier Windows versions. [22]

Open a terminal and run this command as root (administrator).

netsh firewall set icmpsetting 13 disable

Outgoing ICMP timestamp responses are now blocked.

References[edit]

  1. https://forensicswiki.org/wiki/TCP_timestamps
  2. Quote from https://factorable.net/weakkeys12.extended.pdf:

    It may also be predictable based on system uptime, which is visible to remote attackers via TCP timestamps.

  3. Note: If a permanent solution is desired, skip this temporary option and apply the chapter's main instructions instead. To dynamically disable TCP timestamping on Linux (Qubes: in the NetVM), become root:

    sudo su

    Then disable TCP timestamps (the setting is lost at reboot):

    echo 0 > /proc/sys/net/ipv4/tcp_timestamps

  4. https://serverfault.com/questions/216956/how-to-check-tcp-timeout-in-linux-macos
  5. https://macosx.com/threads/slow-tcp-ip-smc-router.9132/
  6. https://seconfig.sytes.net/blog/p/9201755583327191420/office-where-mac-computers-couldn-t-browse-https-sites
  7. https://github.com/QubesOS/qubes-issues/issues/1344
  8. https://social.technet.microsoft.com/Forums/en-US/e3867359-15d4-4b41-b453-2fe55a951bb2/how-to-disable-tcp-synack-time-stamps-on-windows-2012-r2-in-2018
  9. https://hackertarget.com/sample-vulnerability-report/openvas-report-win7.html
  10. https://en.wikipedia.org/wiki/ICMP_Timestamp
  11. https://en.wikipedia.org/wiki/ICMP_Timestamp#Timestamp
  12. Advanced users can of course use iptables or similar directly. The Debian example (in the older ipchains syntax) is: ipchains -p icmp -s $INTIP/0 13 -i $INTIF -j DENY and ipchains -p icmp -s 0.0.0.0/0 14 -i $EXTIF -j DENY
  13. For instance, Debian users can edit the /etc/sysctl.conf file manually and add net.ipv4.icmp_echo_ignore_all = 1.
  14. http://osxdaily.com/2015/11/18/enable-stealth-mode-mac-os-x-firewall/
  15. https://security.stackexchange.com/questions/46090/why-is-icmp-timestamping-disabled-on-os-x
  16. https://superuser.com/questions/680200/os-x-how-to-make-it-reply-to-icmp-time-stamp-query
  17. https://beyondsecurity.zendesk.com/hc/en-us/articles/203609549--How-can-I-mitigate-ICMP-Timestamp-
  18. https://github.com/QubesOS/qubes-issues/issues/1346
  19. https://www.sysprobs.com/enable-ping-reply-and-ftp-traffic-in-windows-10-and-server
  20. https://answers.microsoft.com/en-us/windows/forum/windows_7-security/check-icmp-timestamp-response/062ffa99-ffae-4ab0-a328-84371ed46ed8?tab=question&status=AllReplies#tabs
  21. https://msdn.microsoft.com/en-us/library/ms912869%28v=winembedded.5%29.aspx
  22. https://social.technet.microsoft.com/Forums/windows/en-US/219f3dcc-3e5b-4d9b-88ae-137215575c7f/icmp-timestamp-response?forum=w7itprosecurity
