topic TCP timestamp response on MGMNT IP in Advanced Threat Prevention Discussions

TCP timestamp response on MGMNT IP

Mohammed_Yasin — Wed, 10 Feb 2021 06:38:51 GMT

In my case, the team is performing a vulnerability assessment on PA820

Vulnerability Title: TCP timestamp response.

Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.

The scanning was running to the MGMT IP,

How to disable the timestamp response.

Re: TCP timestamp response on MGMNT IP

ydhanuka — Sat, 10 Apr 2021 03:33:48 GMT

Hi @Mohammed_Yasin

A zone protection profile should help alleviate the problem. For the mgmt IP, a change in network may be needed where it is connected to a switch and then the traffic is routed through one of the data interfaces where the zone protection profile is enabled with relevant TCP options enabled.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions.html

Hope this helps

Yogesh

Re: TCP timestamp response on MGMNT IP

Jeffrey454 — Wed, 05 May 2021 08:55:44 GMT

@MyPrepaidCente wrote:
In my case, the team is performing a vulnerability assessment on PA820
Vulnerability Title: TCP timestamp response.
Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.

The scanning was running to the MGMT IP,

How to disable the timestamp response.

According to RFC 1323 (TCP Extensions for High Performance) TCP Timestamp is used for two main mechanisms:

PAWS (Protect Against Wrapped Sequence)
RTT (Round Trip Time)
PAWS - defense mechanism for identification and rejection of packets that arrived in other wrapping sequence (data integrity).

Round Trip Time - time for packet to get to the destination and sent acknowledgment back to the device it originated.

Re: TCP timestamp response on MGMNT IP

mivaldi — Thu, 13 May 2021 16:56:27 GMT

I verified that you can estimate the uptime of the firewall by running:

nmap -d -v -O <mgmt_ipaddress>

To mitigate this, move the management-interface to a data port, and tie a Zone Protection profile with the option

Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Timestamp (check)

A fix would be to add an option in PAN-OS to enable/disable TCP Timestamps in the management interface (toggle the value of net.ipv4.tcp_timestamps). Disabling the option can be achieved by editing the firewall's /etc/sysctl.conf file, and adding value ipv4.tcp_timestamps=0 ( I am with TAC and I verified this by going into root in the firewall in our lab and then running a new scan, which now shows clean). This will require a Feature Request, please involve your Palo Alto Networks SE to 'vote up' on FR ID: 10815.