Disable TCP 1323 Timestamp response through Palo Alto Firewall?

L0 Member

Hi,

I'm wondering whether there is a way to set the PAN Firewall to detect and drop TCP 1323 Timestamp queries to servers?

According to some web vulnerability scanning reports, it is recommended to disable the TCP Timestamp as it discloses server uptime information, allowing attackers to guess the OS patch status.

In the recent Windows Server OS (2008 and R2), disabling the Tcp1323Opts value in the registry doesn't seem to disable the Timestamp responses, as an nmap scan test will still be able to get the uptime information.

In some web scanner reports, there are recommendations to configure Cisco firewalls to disable TCP timestamps, e.g. (no ip tcp timestamp).

Appreciate the response,

Regards,

Hans

L6 Presenter

Not that I'm aware of.

Disabling timestamps should be done at the endpoints if you want to block timestamp information.

Easy to do on a Linux box:

echo "0" > /proc/sys/net/ipv4/tcp_timestamps

Did you reboot your Windows box before you did the new nmap test?

Also verify with a pcap so that the uptime which nmap picks up isn't from some application running on your server.

The "no ip tcp timestamp" command is usually for traffic that the Cisco device itself generates (such as traffic from its management interface etc.) and not for traffic that passes through.

However, note that timestamps are part of "high performance TCP" if I remember correctly, so disabling timestamps could in some situations be bad (http://www.ietf.org/rfc/rfc1323.txt).
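The "verify with a pcap" advice above is easy to automate. The following is an added example (not code from the poster or from Palo Alto Networks): it walks the options field of a raw TCP header, reports whether the RFC 1323 Timestamps option (kind 8) is present and returns its TSval/TSecr values, and stops safely on a truncated or malformed option list. The sample SYN-ACK segments are constructed inline for illustration; in practice you would feed it the TCP bytes of segments captured while the scanner ran, to confirm that the stack itself (and not an application) is the source of the timestamp data.

```python
import struct

# TCP option kinds (RFC 793 / RFC 1323)
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_TIMESTAMP = 8


def parse_tcp_options(options: bytes) -> dict:
    """Walk a TCP options field and return {kind: value_bytes}.

    EOL and NOP are single-byte options and map to None; every other option
    maps to its raw value bytes. Parsing stops at EOL or at a malformed length
    field, so a truncated capture never reads past the buffer.
    """
    result = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            result[kind] = None
            i += 1
            continue
        if i + 1 >= len(options):
            break  # kind byte present but the length byte is missing
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break  # malformed length; refuse to read beyond the buffer
        result[kind] = options[i + 2:i + length]
        i += length
    return result


def tcp_options_from_segment(segment: bytes) -> bytes:
    """Slice the options out of a raw TCP segment (header plus payload).

    The data offset (upper 4 bits of byte 12) is the header length in 32-bit
    words; everything between byte 20 and that offset is options.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal 20-byte TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    return segment[20:data_offset]


def timestamp_values(segment: bytes):
    """Return (TSval, TSecr) if the segment carries the Timestamps option, else None."""
    opts = parse_tcp_options(tcp_options_from_segment(segment))
    val = opts.get(TCP_OPT_TIMESTAMP)
    if val is None or len(val) != 8:
        return None
    return struct.unpack("!II", val)


def _build_segment(flags: int, options: bytes) -> bytes:
    """Constructed sample: build a TCP header with the given options (no payload)."""
    header_len = 20 + len(options)
    assert header_len % 4 == 0
    data_offset_byte = (header_len // 4) << 4
    # src port, dst port, seq, ack, offset/reserved, flags, window, checksum, urgent
    header = struct.pack("!HHIIBBHHH", 443, 51000, 1000, 2001,
                         data_offset_byte, flags, 65535, 0, 0)
    return header + options


# Constructed SYN-ACK with MSS, SACK-permitted, Timestamps, NOP, window scale.
SEGMENT_WITH_TS = _build_segment(
    0x12,
    b"\x02\x04\x05\xb4"            # MSS 1460
    + b"\x04\x02"                  # SACK permitted
    + b"\x08\x0a" + struct.pack("!II", 123456, 987654)  # Timestamps TSval/TSecr
    + b"\x01"                      # NOP (padding)
    + b"\x03\x03\x07",             # Window scale 7
)

# Constructed SYN-ACK from a stack with timestamps disabled.
SEGMENT_WITHOUT_TS = _build_segment(
    0x12,
    b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02",
)

if __name__ == "__main__":
    for name, seg in (("with timestamps", SEGMENT_WITH_TS),
                      ("without timestamps", SEGMENT_WITHOUT_TS)):
        print(name, "->", timestamp_values(seg))
```

Run it against the SYN-ACK segments your server sent during the scan: a result of None on every segment means the TCP stack is no longer advertising timestamps, and the scanner's uptime figure must have come from somewhere else.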

L6 Presenter

Also, instead of altering the registry, try using this command line instead:

netsh int tcp set global timestamps=disabled


http://technet.microsoft.com/en-us/library/cc731258%28WS.10%29.aspx#BKMK_6

You might need a reboot afterwards as well...

L1 Bithead

Interestingly, for me it is the PALO ALTO 5200 series Vers 8.1 that IS RESPONDING to timestamp requests from a desktop.

Why? I don't know. Why offer discovery information that a hacker could use? We have PING enabled on the interface, but I don't see any way to stop it from answering these esoteric ICMP queries.

It is also being asked for ADDRESS MASK (ICMP), but at least it doesn't respond to that.

L5 Sessionator

Hi All,

It is possible to drop packets with the timestamp option set through a Zone Protection profile.

Network -> Zone Protection -> Packet Based Attack Protection -> IP Drop -> Timestamp.

The zone protection profile would then be applied to the ingress zone, untrust.

Cheers,

Luke.

L0 Member

In my case, Rapid7 reported this vulnerability on a PA-5020 and a PA-5220:

Vulnerability Title: TCP timestamp response

Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.

The scan was run against the MGMT interface, which is why the Zone Protection Profile won't work in this case.