
Disable TCP and ICMP Timestamps


Disable TCP Timestamps

The TCP Timestamps option (RFC 1323, now RFC 7323) places a 32-bit timestamp value (TSval) in every segment. On most operating systems TSval is a counter that starts at or near zero at boot and advances at a fixed tick rate (commonly between 100 Hz and 1000 Hz), so an adversary who observes a few segments can compute the host's uptime, and from it the boot time, to roughly the precision of one tick. The same values let an observer fingerprint the operating system by its tick rate, detect hidden network-enabled machines (for example several hosts behind one NAT address, each with its own timestamp clock), and link spoofed IP and MAC addresses back to a single physical host that shares one clock. [1]

To prevent this information leaking to an adversary, it is recommended to disable TCP timestamps on any operating system being used. The less information available to attackers, the better the security. Two caveats apply. First, the option also carries the PAWS (protection against wrapped sequence numbers) and round-trip-time measurement mechanisms of RFC 7323, so disabling it can reduce throughput on high-bandwidth or high-latency paths. Second, Linux 4.10 and later add a random offset to TSval for each connection when net.ipv4.tcp_timestamps is 1 (the default), which hides the absolute uptime but not the tick rate; setting the value to 0 removes the option entirely.
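As an added example (Python, not code from the Whonix page or project), the following script shows how the leak described above is exploited from passive observation: it extracts TSval from raw TCP options and, from a few (arrival time, TSval) pairs taken from one host, estimates the tick rate, uptime and boot time, then tests whether two source addresses share one timestamp clock. All samples are constructed inline; the helper names and the 1000 Hz sample clock are assumptions.

```python
"""Uptime and boot-time estimation from TCP timestamps (TSval).

Added example for this page, not Whonix code. Input pairs are constructed
inline; in practice they come from a capture of segments sent by one host.
"""
import struct
from datetime import datetime, timezone

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8
COMMON_TICK_RATES_HZ = (1, 2, 10, 100, 250, 300, 1000)


def tcp_timestamp_option(options: bytes):
    """Return (TSval, TSecr) from the raw TCP options field, or None if absent.

    Walks the kind/length TLVs defensively: a truncated or zero-length option
    ends the walk instead of looping or over-reading.
    """
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break                      # kind byte without a length byte
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                      # malformed length, stop parsing
        if kind == TCP_OPT_TIMESTAMP and length == 10:
            return struct.unpack("!II", options[i + 2:i + 10])
        i += length
    return None


def estimate_uptime(samples):
    """samples: list of (arrival_unix_seconds, tsval) from one host, oldest first.

    Returns (tick_rate_hz, uptime_seconds, boot_unix_seconds). Assumes TSval
    started at zero at boot, which holds for many systems but not for Linux
    4.10+ with tcp_timestamps=1 (random offset per connection).
    """
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    ticks = (v1 - v0) & 0xFFFFFFFF       # TSval is a 32-bit counter; tolerate wrap
    hz = ticks / (t1 - t0)
    for common in COMMON_TICK_RATES_HZ:  # snap to a known kernel tick rate
        if abs(hz - common) <= 0.05 * common:
            hz = common
            break
    uptime = v1 / hz
    return hz, uptime, t1 - uptime


def same_host(samples_a, samples_b, tolerance_s=2.0):
    """True if two address sets appear to be driven by one timestamp clock,
    i.e. same tick rate and boot times within tolerance. This is how spoofed
    or multiple addresses are linked to a single machine."""
    hz_a, _, boot_a = estimate_uptime(samples_a)
    hz_b, _, boot_b = estimate_uptime(samples_b)
    return hz_a == hz_b and abs(boot_a - boot_b) <= tolerance_s


# Constructed data: options = NOP NOP TS(kind 8, len 10, TSval, TSecr)
SAMPLE_OPTIONS = b"\x01\x01\x08\x0a" + struct.pack("!II", 360_000_000, 0)
HOST_A = [(1_700_000_000.0, 360_000_000), (1_700_000_060.0, 360_060_000)]  # 1000 Hz clock
HOST_B = [(1_700_000_030.0, 360_030_000), (1_700_000_090.0, 360_090_000)]  # other IP, same clock
HOST_C = [(1_700_000_000.0, 5_000), (1_700_000_060.0, 65_000)]             # booted 65 s ago

if __name__ == "__main__":
    print("TSval/TSecr:", tcp_timestamp_option(SAMPLE_OPTIONS))
    hz, up, boot = estimate_uptime(HOST_A)
    booted = datetime.fromtimestamp(boot, timezone.utc)
    print(f"{hz} Hz, up {up:.0f} s, booted {booted:%Y-%m-%d %H:%M:%S} UTC")
    print("A and B same machine:", same_host(HOST_A, HOST_B))
    print("A and C same machine:", same_host(HOST_A, HOST_C))
```

Two samples a minute apart are enough for the arithmetic; over a noisy capture a least-squares fit of TSval against arrival time gives a more robust slope, and the snapping step guards against small timing jitter in the observer.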

Linux

To temporarily disable TCP timestamps for testing purposes (rather than permanently), see the footnote. [2]

Open a terminal (Konsole).

Become root.

sudo su

Add the following line to /etc/sysctl.d/tcp_timestamps.conf.

net.ipv4.tcp_timestamps = 0

To do that, use the following command.

echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf

To apply the new file without a reboot, run the following command. Note that a bare sysctl -p reads only /etc/sysctl.conf and ignores /etc/sysctl.d/, so the file must be named explicitly (or every system configuration file reloaded with sysctl --system).

sysctl -p /etc/sysctl.d/tcp_timestamps.conf

Check that the change has been applied.

sysctl net.ipv4.tcp_timestamps

If it worked correctly, the system should provide the following output.

net.ipv4.tcp_timestamps = 0
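An added check for the persistence step above (Python, not Whonix code): it answers the question the procedure leaves open, namely which value of net.ipv4.tcp_timestamps is actually applied at boot when several sysctl.d drop-ins exist. It models the precedence documented for systemd-sysctl(8): a file in /etc/sysctl.d shadows a same-named file in /run/sysctl.d or /usr/lib/sysctl.d, the surviving files are sorted by basename, and the lexicographically last assignment of a key wins. The file set is constructed; the path names and the zz-tuning.conf override are assumptions for illustration.

```python
"""Which tcp_timestamps value survives a reboot?

Added example for this page, not Whonix code. It models the drop-in
precedence documented for systemd-sysctl(8), which applies sysctl.d files at
boot on systemd-based distributions. The file set below is constructed.
"""
import posixpath

# Highest precedence first; a same-named file in a later directory is ignored.
SEARCH_DIRS = ("/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d")


def parse_sysctl_conf(text):
    """Yield (key, value) pairs from sysctl.conf syntax.

    Handles '#' and ';' comments, blank lines, 'key = value' or 'key=value',
    the optional leading '-' (ignore-errors marker) and '/' as key separator.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip().lstrip("-").replace("/", "."), value.strip()


def select_files(files):
    """Return the paths that will actually be applied, in apply order."""
    chosen = {}
    for directory in SEARCH_DIRS:
        for path in sorted(files):
            if posixpath.dirname(path) == directory and path.endswith(".conf"):
                chosen.setdefault(posixpath.basename(path), path)  # first dir wins
    return [chosen[name] for name in sorted(chosen)]             # lexical by basename


def effective_sysctl(files, key):
    """files: {absolute path: file content}. Return (value, path) of the
    assignment that takes effect for key, or (None, None) if it is never set."""
    winner = (None, None)
    for path in select_files(files):
        for k, v in parse_sysctl_conf(files[path]):
            if k == key:
                winner = (v, path)      # a later file overrides an earlier one
    return winner


# Constructed system: the hardening file is present but silently overridden.
FILES = {
    "/usr/lib/sysctl.d/50-default.conf": "net.ipv4.tcp_timestamps = 1\n",
    "/usr/lib/sysctl.d/tcp_timestamps.conf": "net.ipv4.tcp_timestamps = 1\n",  # shadowed by /etc copy
    "/etc/sysctl.d/tcp_timestamps.conf": "net.ipv4.tcp_timestamps = 0\n",
    "/etc/sysctl.d/99-sysctl.conf": "# Debian: symlink to /etc/sysctl.conf\nnet.ipv4.ip_forward = 0\n",
    "/etc/sysctl.d/zz-tuning.conf": "; later drop-in re-enables the option (2 = no random offset)\n"
                                    "net.ipv4.tcp_timestamps = 2\n",
}

if __name__ == "__main__":
    value, path = effective_sysctl(FILES, "net.ipv4.tcp_timestamps")
    print(f"net.ipv4.tcp_timestamps = {value} (from {path})")
```

Run against the real directories by reading each *.conf into the dictionary; a result other than ("0", ".../tcp_timestamps.conf") means some other drop-in wins and the hardening file should be renamed to sort after it or the conflicting line removed.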

macOS

On macOS the TCP timestamp option is controlled together with window scaling by the rfc1323 sysctl (RFC 1323 defines both extensions), so disabling it also turns off window scaling and limits throughput on high-bandwidth or high-latency paths. To check the current value, run. [3]

sysctl net.inet.tcp.rfc1323

A value of 1 indicates it is enabled, while 0 indicates it is disabled. If sysctl reports the name as unknown, that macOS release does not expose the knob.

To permanently disable TCP timestamps, append the setting to /etc/sysctl.conf (append with >>, not >, so that any existing entries in the file are preserved). [4] [5]

sudo sh -c "echo net.inet.tcp.rfc1323=0 >> /etc/sysctl.conf"

To temporarily disable TCP timestamps (until reboot) for testing purposes, run.

sudo sysctl -w net.inet.tcp.rfc1323=0

Qubes

TCP timestamps are disabled by default in Qubes R3.1 and above. [6]

Windows

To disable TCP timestamps on Windows, run the following command from a command prompt opened as Administrator. This is a global setting that affects all TCP connections.

netsh int tcp set global timestamps=disabled

Disable ICMP Timestamps

The Internet Control Message Protocol (ICMP) is used by network devices, including routers, to send operational information and error messages, such as whether a service is available or whether a host or router cannot be reached. Unlike TCP and UDP it is a network-layer, not a transport-layer, protocol. Common network utilities such as ping and traceroute are built on ICMP messages. [7]

ICMP also defines a Timestamp Request (type 13) and Timestamp Reply (type 14) pair intended for crude time synchronization. Each message carries three 32-bit fields expressed in milliseconds since midnight UT: the Originate Timestamp, set by the sender to the time it last touched the request; the Receive Timestamp, set by the responder to the time it first touched the request; and the Transmit Timestamp, set by the responder to the time it last touched the reply before sending it. A host that answers type 13 requests therefore hands its wall-clock time, and hence its clock offset, to anyone able to reach it. [8]
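The exchange described above, as an added example in Python that is not part of the original page or of Whonix: it builds a type 13 request with a correct checksum, produces the type 14 reply a responding host would send, verifies the checksum when parsing, and computes the remote clock offset an adversary learns from the reply. Packets and clock values are constructed inline (the remote clock is assumed to run one hour ahead of the prober's); no socket is opened, so it runs unprivileged.

```python
"""ICMP Timestamp Request/Reply (types 13/14, RFC 792) built and parsed offline.

Added example for this page, not Whonix code. Both packets are constructed in
memory (no socket is opened); the clock values are assumptions chosen to make
the arithmetic visible.
"""
import struct

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
HEADER = "!BBHHHIII"                   # type, code, checksum, id, seq, originate, receive, transmit
HEADER_LEN = struct.calcsize(HEADER)   # 20 bytes
MS_PER_DAY = 86_400_000


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ms_since_midnight_utc(unix_seconds) -> int:
    """RFC 792 timestamp unit: milliseconds since midnight UT."""
    return int(round((unix_seconds % 86_400) * 1000)) % MS_PER_DAY


def format_ms(ms: int) -> str:
    h, rem = divmod(ms, 3_600_000)
    m, rem = divmod(rem, 60_000)
    s, ms = divmod(rem, 1000)
    return f"{h:02d}:{m:02d}:{s:02d}.{ms:03d}"


def _pack(typ, ident, seq, originate, receive, transmit) -> bytes:
    body = struct.pack(HEADER, typ, 0, 0, ident, seq, originate, receive, transmit)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    return _pack(ICMP_TIMESTAMP_REQUEST, ident, seq, originate_ms, 0, 0)


def parse_timestamp_message(pkt: bytes) -> dict:
    """Decode a type 13/14 message and verify its checksum."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short ICMP timestamp message")
    typ, code, csum, ident, seq, orig, recv, xmit = struct.unpack(HEADER, pkt[:HEADER_LEN])
    if typ not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        raise ValueError(f"not an ICMP timestamp message (type {typ})")
    ok = icmp_checksum(pkt[:2] + b"\x00\x00" + pkt[4:HEADER_LEN]) == csum
    # RFC 792: a set high bit means the value is not milliseconds since midnight UT
    nonstandard = any(v & 0x8000_0000 for v in (orig, recv, xmit))
    return {"type": typ, "code": code, "id": ident, "seq": seq, "originate": orig,
            "receive": recv, "transmit": xmit, "checksum_ok": ok,
            "nonstandard_time": nonstandard}


def answer_timestamp_request(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """What a responding host does: echo id, seq and originate, add its own clock."""
    req = parse_timestamp_message(request)
    if req["type"] != ICMP_TIMESTAMP_REQUEST or not req["checksum_ok"]:
        raise ValueError("not a valid timestamp request")
    return _pack(ICMP_TIMESTAMP_REPLY, req["id"], req["seq"], req["originate"],
                 receive_ms, transmit_ms)


def clock_offset_ms(originate, receive, transmit, arrival) -> float:
    """Remote clock minus local clock, NTP-style, assuming symmetric delay:
    ((receive - originate) + (transmit - arrival)) / 2, folded into +/- 12 h."""
    a = (receive - originate) % MS_PER_DAY
    b = (transmit - arrival) % MS_PER_DAY
    a = a - MS_PER_DAY if a > MS_PER_DAY // 2 else a
    b = b - MS_PER_DAY if b > MS_PER_DAY // 2 else b
    return (a + b) / 2


# Constructed exchange: local clock reads 10:00:00.000 UT; remote clock runs 1 h
# ahead; 10 ms round trip split evenly, 1 ms of processing on the remote side.
ORIGINATE = 36_000_000
REQUEST = build_timestamp_request(0x1234, 1, ORIGINATE)
REPLY = answer_timestamp_request(REQUEST, ORIGINATE + 5 + 3_600_000, ORIGINATE + 6 + 3_600_000)
ARRIVAL = ORIGINATE + 11

if __name__ == "__main__":
    r = parse_timestamp_message(REPLY)
    print("reply checksum ok:", r["checksum_ok"])
    print("remote clock at receipt:", format_ms(r["receive"]))
    print("remote minus local (ms):", clock_offset_ms(r["originate"], r["receive"], r["transmit"], ARRIVAL))
```

The offset calculation is exactly what a prober runs against a responding host: one reply reveals that the target's clock is an hour off, which is enough to fingerprint a misconfigured time zone or an unsynchronised clock across several addresses.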

Linux

Linux has no sysctl that suppresses ICMP timestamp replies, so incoming ICMP timestamp requests need to be blocked with the firewall. [9] How to do this is distribution dependent and varies widely, as does whether a firewall is enabled at all on a given installation. Be aware that some distributions do not turn on the firewall by default.

There are many differing ways to accomplish this via the command line, therefore users are recommended to consult their distribution's documentation. [10] The most straightforward way is to install a GUI front-end (like gufw) for the firewall and set it to silently drop all incoming connections by default while allowing only outgoing traffic; an unsolicited ICMP type 13 request is incoming traffic and is dropped by such a policy.

macOS

macOS does not answer ICMP timestamp requests by default (net.inet.icmp.timestamp defaults to 0). In addition, if the application firewall is enabled and "Stealth Mode" is set, the system ignores unsolicited ICMP probes such as ping. This is how to check the system is properly secured: [11]

Menu -> System Preferences -> Security & Privacy -> Select the Firewall tab -> Check Firewall is On -> Click Firewall Options -> Enable Stealth Mode -> Click OK

The "Block all incoming connections" checkbox should also be enabled for greater security.

The behaviour is controlled by the net.inet.icmp.timestamp sysctl (0 = do not reply, 1 = reply); it can be queried with sysctl in the same way as the TCP setting above and persisted in /etc/sysctl.conf. [12]

To permanently disable ICMP timestamp replies, append the setting to /etc/sysctl.conf. [13]

sudo sh -c "echo net.inet.icmp.timestamp=0 >> /etc/sysctl.conf"

OpenBSD

The easiest solution is to configure the firewall (pf) to block incoming ICMP type 13 (timestamp request) and outgoing ICMP type 14 (timestamp reply) packets. [14]

Alternatively, set net.inet.icmp.tstamprepl to 0 (it is enabled by default). As root, run.

sysctl net.inet.icmp.tstamprepl=0

To keep the setting across reboots, add the same net.inet.icmp.tstamprepl=0 line to /etc/sysctl.conf.

Qubes

ICMP timestamps are disabled by default in Qubes R3.1 and above. [15]

Windows

The Windows Firewall in recent Windows versions (Windows 10, 8/8.1 and 7) blocks unsolicited inbound ICMP, including timestamp requests, by default; the host only answers them if an enabled inbound rule allows ICMPv4 type 13 (or all ICMP types). [16]

From the Menu

The status of ICMP timestamps can be manually checked and changed on Windows systems via the firewall settings. [17]

Right-click on Start button -> Select Control Panel -> Select Windows Firewall -> Click Advanced settings (opens Windows Firewall with Advanced Security)

In that console ICMP handling is part of each inbound rule: open a rule's Properties, go to the Protocols and Ports tab, select protocol type ICMPv4 and click Customize to see which ICMP types the rule allows. Timestamp requests are answered only if some enabled inbound rule includes type 13. In the legacy ICMP Settings dialog box of older Windows versions, "Allow incoming timestamp request" should be unchecked. [18]

From the Command Line

ICMP timestamp responses can also be disabled via the netsh command line utility. The legacy netsh firewall context shown here is the one needed on Vista and earlier Windows versions; it is deprecated from Vista onward in favour of the netsh advfirewall firewall context, which expresses the same policy as an inbound block rule for ICMPv4 type 13. [19]

Open a command prompt as an administrator and run.

netsh firewall set icmpsetting 13 disable

Incoming ICMP timestamp requests are now blocked, so the host sends no timestamp replies.

References

  1. http://forensicswiki.org/wiki/TCP_timestamps
  2. Note: Users can skip this temporary option and instead apply the chapter's main instructions if a permanent solution is desired. To dynamically disable TCP timestamping on Linux (when using Qubes: in the NetVM), become root (sudo su) and run echo 0 > /proc/sys/net/ipv4/tcp_timestamps. The setting is lost at the next reboot.
  3. https://serverfault.com/questions/216956/how-to-check-tcp-timeout-in-linux-macos
  4. https://macosx.com/threads/slow-tcp-ip-smc-router.9132/
  5. https://seconfig.sytes.net/blog/p/9201755583327191420/office-where-mac-computers-couldn-t-browse-https-sites
  6. https://github.com/QubesOS/qubes-issues/issues/1344
  7. https://en.wikipedia.org/wiki/ICMP_Timestamp
  8. https://en.wikipedia.org/wiki/ICMP_Timestamp#Timestamp
  9. Advanced users can of course use the firewall tooling directly. For example, with iptables: iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP (drop incoming requests) and iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP (never emit a reply even if a request gets through). Make the rules persistent with the distribution's mechanism (for example the iptables-persistent package on Debian), or express the same two rules in nftables.
  10. There is no Linux sysctl that suppresses ICMP timestamp replies specifically. Note that net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf only silences echo (ping) replies and does not affect timestamp requests, so a firewall rule is required.
  11. http://osxdaily.com/2015/11/18/enable-stealth-mode-mac-os-x-firewall/
  12. https://security.stackexchange.com/questions/46090/why-is-icmp-timestamping-disabled-on-os-x
  13. https://superuser.com/questions/680200/os-x-how-to-make-it-reply-to-icmp-time-stamp-query
  14. https://beyondsecurity.zendesk.com/hc/en-us/articles/203609549--How-can-I-mitigate-ICMP-Timestamp-
  15. https://github.com/QubesOS/qubes-issues/issues/1346
  16. http://www.sysprobs.com/enable-ping-reply-and-ftp-traffic-in-windows-10-and-server
  17. https://answers.microsoft.com/en-us/windows/forum/windows_7-security/check-icmp-timestamp-response/062ffa99-ffae-4ab0-a328-84371ed46ed8?tab=question&status=AllReplies#tabs
  18. https://msdn.microsoft.com/en-us/library/ms912869%28v=winembedded.5%29.aspx
  19. https://social.technet.microsoft.com/Forums/windows/en-US/219f3dcc-3e5b-4d9b-88ae-137215575c7f/icmp-timestamp-response?forum=w7itprosecurity

License

Whonix Disable TCP and ICMP Timestamps wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Disable TCP and ICMP Timestamps wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.


Random News:

Want to get involved with Whonix? Check out our Contribute page.


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)