Disable TCP timestamp

Vijay K R 6

Hi,

we are looking for solution to disable the TCP timestamp in Windows server 2012. Reason its vulnerability in security report.

I have run following the command

netsh int tcp set global timestamps=disabled

But still nmap I’m able to see the uptime of the servers. Please let me know is there way to remediate the findings and also whether it leads to performance degradation of the server

Regards
Vijay

Sunny Qi 10,896 Reputation points Microsoft Vendor

2020-12-21T04:00:14.137+00:00

This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.
Sunny Qi 10,896 Reputation points Microsoft Vendor

2020-12-23T01:37:31.233+00:00

Hi,

Just checking in to see if the information provided was helpful.

If yes, you may accept useful reply as answer, if not, welcome to feedback.

Best Regards,
Sunny
Sunny Qi 10,896 Reputation points Microsoft Vendor

2020-12-29T07:12:53.893+00:00

Hi,

Just want to confirm the current situations.

Please feel free to let us know if you need further assistance.

Best Regards,
Sunny
HotCakeX 86 Reputation points

2022-09-21T12:50:46.69+00:00

According to This:
https://www.kicksecure.com/wiki/Disable_TCP_and_ICMP_Timestamps
https://factorable.net/weakkeys12.extended.pdf
https://web.archive.org/web/20180206125839/https://forensicswiki.org/wiki/TCP_timestamps

The downside of TCP timestamps is adversaries can remotely calculate the system uptime and boot time of the machine and the host's clock down to millisecond precision. These calculated uptimes and boot times can also help to detect hidden network-enabled operating systems, as well as link spoofed IP and MAC addresses together and more.

To prevent this information leaking to an adversary, it is recommended to disable TCP timestamps on any operating systems in use. The less information available to attackers, the better the security.

I thought the command that you mentioned would disable it, but apparently not

2 answers

Sunny Qi 10,896 Reputation points Microsoft Vendor

2020-12-21T08:02:34.5+00:00

Hi,

Thanks for posting in Q&A platform.

TCP timestamps are used to improve performance as well as protect against late packets messing up your data flow. If you disable TCP timestamps you should expect worse performance and less reliable connections. This is the case regardless of the method used to disable TCP timestamps.

Any modifications made to packets by a middlebox can cause additional problems, because TCP endpoints are not required to take such modifications into account.

TCP timestamps are required to grow monotonically over time. Thus they are necessarily predictable.

So in general, it is not recommended to disable TCP timestamp option. For more detailed information, please refer to the RFC below:

TCP Extensions for High Performance

Best Regards,
Sunny

----------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

1 person found this answer helpful.
Barot, Hiren (Nokia - IN/Ahmedabad) 0 Reputation points

2023-06-01T07:24:29.9633333+00:00

Hello Sunny,

Regarding the topic (TCP timestamps), I have a query, if you can help with. I am working on E2E latency for LTE NW & collected pcaps from UE. I was trying to capture TCP traffic and had multiple tests (netflix, gdrive, youtube(youtube was on QUIC mostly though), etc.).

The observation was none of the TCP capture had Timestamps. UE requests but server omits. This happened in all test scenarios with all servers. Any idea, if this is because of the firewall at the servers or any other reason?

Thanks.
Sign in to comment
wolski88 1 Reputation point

2020-12-22T14:47:47.34+00:00

Thank you, it helped me a lot to protect my server and website from attacks
Please sign in to rate this answer.

0 comments No comments
Sign in to comment