Forum Discussion

Moinul_Rony
Sep 15, 2013

How can I disable TCP_TIMESTAMP response from F5?

We have conducted a recent PCI scan which identified TCP timestamp response as a risk.

We disabled this option in our internet-facing web hosts, but we are still getting a risk alarm.

  1. I have looked in the F5 TCP options and we have a TCP profile setting called "Extensions for High Performance" enabling the TCP timestamp response. Is this OK to disable to manage this risk, and is there a high performance sacrifice in doing that?

  2. Also I looked in the BIG-IP Linux host and we have:

     [User@LTM-HOST:Active:Changes Pending] ~ grep net.ipv4.tcp_timestamps /etc/sysctl.conf
     net.ipv4.tcp_timestamps = 1

What role does this option play in the TCP timestamp response? Can we disable this? If you can clarify this option it would be great :)

Thanks, - Rony

Vulnerability: TCP timestamp response

Diagnosis: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behaviour of their TCP timestamps.

3 Replies

  • Also I have found that there is a Protocol Profile called FastL4, and TCP timestamp options are more easily managed on that profile. What is the use of this FastL4 profile? What is the basic difference between a TCP and a FastL4 profile? Many thanks.
  • Have a look at this article about the different profiles (TCP / FastL4):

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-1-0/ltm_protocol_profiles.html

    It is a shame that you can either disable or enable Extensions for High Performance (RFC 1323) as a whole and not just turn off Time Stamps there, as the window scaling can be quite useful. It might be related that if you implement RFC 1323 you do it all or nothing. The effect depends on what the clients and/or servers support and use; it might be they hardly use this at all currently.

    Personally I would raise a ticket with F5 support and ask them to check this for you and perhaps come with a suggestion to make you PCI compliant without losing any performance. Probably not the first time they are asked this question.

    BTW, F5 themselves don't really see this as an issue (but that probably doesn't help much against the PCI auditor :) )

    http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8072.html

  • Regarding 2, the Linux host (the Host Management Subsystem, HMS): this relates only to the device's management traffic, not the application traffic handled by LTM, so it is probably out of scope.
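To check from a packet capture whether a virtual server still answers with the Timestamps option after the profile change (that is what the scanner tests for), here is an added example that is not part of the thread and not F5 code: a small parser for the option list of a raw TCP header. The headers are constructed sample data; WITH_EXT mimics a SYN-ACK from a stack with the RFC 1323 extensions on, WITHOUT_EXT one with them off, so it also shows that turning the extensions off drops window scaling along with the timestamps.

```python
import struct

# TCP option kinds (RFC 793 / RFC 1323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return the RFC 1323 options found in a raw TCP header (20-byte fixed part + options)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    result = {"timestamps": None, "window_scale": None, "kinds": []}
    i = 0
    while i < len(opts):
        kind = opts[i]
        result["kinds"].append(kind)
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:                           # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        body = opts[i + 2:i + length]
        if kind == OPT_TIMESTAMP and length == 10:    # TSval, TSecr (32 bits each)
            result["timestamps"] = struct.unpack("!II", body)
        elif kind == OPT_WSCALE and length == 3:      # shift count
            result["window_scale"] = body[0]
        i += length
    return result

def build_tcp_header(options: bytes) -> bytes:
    """Constructed SYN-ACK header; ports and sequence numbers are arbitrary sample values."""
    options = options + b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 443, 51515, 1000, 2000, data_offset << 4, 0x12, 65535, 0, 0)
    return fixed + options

# Constructed option lists: MSS, SACK-permitted, Timestamps, NOP, Window scale ...
WITH_EXT = (bytes([2, 4, 5, 180]) + bytes([4, 2]) + bytes([8, 10]) + struct.pack("!II", 123456, 0)
            + bytes([1]) + bytes([3, 3, 7]))
WITHOUT_EXT = bytes([2, 4, 5, 180])                  # ... versus MSS only once the extensions are off

def timestamp_enabled(tcp_header: bytes) -> bool:
    return parse_tcp_options(tcp_header)["timestamps"] is not None

if __name__ == "__main__":
    for label, opts in (("extensions on", WITH_EXT), ("extensions off", WITHOUT_EXT)):
        print(label, parse_tcp_options(build_tcp_header(opts)))
```

Feed it the TCP header bytes of a real SYN-ACK captured with tcpdump on the BIG-IP to confirm the finding is gone on the data plane rather than relying on the HMS sysctl.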