Infinity

Disable TCP Timestamps on Linux

Using the sysctl facility

To dynamically disable TCP time stamping,run the following command:

root@thunderchicken:~# echo 0 > /proc/sys/net/ipv4/tcp_timestamps

To make that change permanent though, you need to add the following line to /etc/sysctl.conf:

net.ipv4.tcp_timestamps = 0

using a host-based firewall -- iptables

To be on the safe side, add the following basic IPTables configuration to your system:

Orig source: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-ip-tables-on-ubuntu-12-04

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport ssh -j ACCEPT

iptables -A INPUT -p udp --dport 514 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

iptables -A INPUT -p tcp --dport 1984 -j ACCEPT

iptables -A INPUT -p icmp –icmp-type 13 -j DROP

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

iptables -I INPUT 1 -i lo -j ACCEPT

iptables -L

apt-get install iptables-persistent

answer “yes” to used current configuration, “yes” you want to use IPv6 as well.

NOTE: You need to add all services on your system, this is just a basic template.

NOTE: Disabling timestamps will negatively impact performance of TCP transfers over high BDP links if the underlying system uses that information to adjust the receive window or transmit buffer. For typical LAN applications, timestamp removal should have no impact. For WAN data transfer speeds using network infrastructure where packet reordering or loss is possible (load balanced lines, wireless, routing hardware with multiple concurrent transaction paths, etc), TCP timestamps, along with the other RFC 1323 options and a current congestion control algorithm, should be used or performance will suffer. TCP PAWS is also disabled if timestamps is disabled, which will negatively impact performance. Additionally,the underlying OS should randomize the source timer at the beginning of the TCP session, rendering the security concern moot. You will need to check your specific OS and patch level to verify that this is functioning properly. Don't disable timestamps unless you understand the performance impact to the applications involved.

Search

Open a Support Ticket