TCP and ICMP Timestamps discovered by Vulnerability Assessment

This Knowledge Base article explains the presence and implications of TCP and ICMP timestamps as reported in vulnerability scans. It describes what these timestamps are, why operating systems use them, and how they can unintentionally expose system information such as uptime or system time. 

TCP Timestamp values, as specified in RFC 1323, are intended to improve the performance of TCP by increasing the accuracy of RTT measurement, especially in the case of lost packets, and allow systems to determine if a wrapped sequence number is the result of an old packet or a new connection. So TCP timestamps are used to provide protection against wrapped sequence numbers.
 
But it is possible to calculate system uptime and boot time while TCP timestamps is enable. These calculated uptimes and boot times can help in detecting hidden network-enabled operating systems see TrueCrypt, linking spoofed IP and MAC addresses together, linking IP addresses with Ad-Hoc wireless APs, etc.
 

ICMP Timestamp messages, as defined in the original ICMP specification - RFC 729, were intended to assist in network diagnostics by providing a mechanism to measure round-trip delays and perform simple clock synchronization. When ICMP Timestamp Requests (Type 13) are enabled, a host responds with ICMP Timestamp Replies (Type 14) containing the originate, receive, and transmit timestamps, which reveal the host’s current system time with millisecond precision.

While this feature was historically useful for delay measurement, it can expose information that attackers may leverage. The disclosed system time can be used to determine the host’s time zone, estimate clock drift, or assist in correlating activities across networks. Attackers can also use these replies to help identify operating systems, perform reconnaissance, and support time-based attacks or replay attacks.

For example, by using tools such as hping3 or custom ICMP probes, 

E.g. By using the security scanning tools like Nmap, hping3 or custom ICMP probes a remote user can determine whether a system is actively responding with timestamp information, which can assist in mapping active hosts and linking devices across different network segments.

Resolution for ICMP

1) Create 2 Service Objects for ICMP type 13 and 14


2) Group them under a Service Group


3) Create a DISCARD rule for the service object, e.g. from WAN to WAN (if the scanning tool targets the firewall's X1 IP)


The scanning tool should no longer report the vulnerability on ICMP Timestamps.


About TCP Timestamps

There is no option to remove TCP timestamp fields for all traffic. While disabling TCP timestamps could prevent an attacker from estimating the system’s boot time (if the OS does not randomize timestamps), making this benefit very limited. In practice, attackers will attempt exploits regardless of whether the host has been recently restarted, so ensuring the system is fully patched is far more important. Moreover, removing TCP timestamps can negatively affect TCP throughput and reliability, because delayed packets could be misinterpreted, leading to suboptimal performance.