Disable TCP 1323 Timestamp response through Palo Alto Firewall?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Disable TCP 1323 Timestamp response through Palo Alto Firewall?

L0 Member

Hi,

I'm wondering whether is there a way to set the PAN Firewall to detect and drop TCP 1323 Timestamp queries to servers?

According to some web vulnerabilities scanning reports, it is reccomended to disable the TCP Timestamp as it discloses server uptime information, allowing attackers to guess the OS patch status.

In the recent Windows server OS (2008 and R2), disabling the TCP1323opts in registry doesn't seem to disable to the Timestamp responses as nmap scan test will still be able to get the uptime information.

In some web scanner reports, there are reccomendations to set in cisco firewalls to disable tcp timestamp eg, (no ip tcp timestamp).

Appreciate the reponse,

Regards,

Hans

7 REPLIES 7

L6 Presenter

Not that im aware of.

Disabling timestamps should be done at the endpoints if you want to block timestamp information.

Easy to do in a linuxbox:

echo "0" > /proc/sys/net/ipv4/tcp_timestamps

Did you reboot your windowsbox before you did the new nmap test?

Also verify with pcap so the uptime which nmap picks up isnt from some application running on your server.

The "no ip tcp timestamp" is usually for traffic that the cisco device itself generates (such as stuff from its mgmt-interface etc) and not for traffic that passes through.

However note that timestamps are part of "high performance tcp" if I remember it correctly so disabling timestamps could in some situations be bad (http://www.ietf.org/rfc/rfc1323.txt).

Also instead of altering the registry try to use this cmdline instead:

netsh int tcp set global timestamps=disabled


http://technet.microsoft.com/en-us/library/cc731258%28WS.10%29.aspx#BKMK_6

You might need a reboot afterwards aswell...

L2 Linker

Interestingly, for me it is the PALO ALTO 5200 series Vers 8.1 that IS RESPONDING to timestamp requests from a desktop.

Why? I don't know.  Why offer discovery information that a hacker could use?  We have PING enabled on the interface--but I don't see any way to stop it from answering these esoteric ICMP queries.

It is also being asked for ADDRESS MASK (ICMP), but at least it doesn't respond to that.

Hi All,

 

It is possible to drop packets with the timestamp option set through a Zone Protection profile.

 

Network -> Zone Protection -> Packet Based Attack Protection -> IP Drop -> Timestamp.

 

The zone protection profile would then be applied to the ingress zone, untrust.

 

Cheers,

Luke.

In my case, the Rapid7 reported this vulnerability on PA5020 and PA5220:

Vulnerability Title: TCP timestamp response

Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.

 

The scanning was ran to the MGMT interface, that's why the Zone Protection Profile won't work in this case.

 

 

Hello,

 

Was there any solution for disabling tcp timestamp in mgmt interface.

L4 Transporter
  • 12699 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!