Disable TCP and ICMP Timestamps
Linux
To temporarily disable TCP timestamps for testing purposes (rather than permanently), see the footnote.
1. Open a terminal (Konsole).
Become root.
sudo su
2. Add the following line to /etc/sysctl.d/tcp_timestamps.conf
net.ipv4.tcp_timestamps = 0
To do that, use the following command.
echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf
3. To apply the sysctl settings without a reboot, run the following command.
sysctl -p /etc/sysctl.d/tcp_timestamps.conf
4. Check if the changes have been properly set.
sysctl -a
If it worked correctly, the output should include the following line.
net.ipv4.tcp_timestamps = 0
//Disable ICMP Timestamps
The Internet Control Message Protocol (ICMP) is used by network devices, including routers, to send operational information
and error messages, such as whether a service is available or whether a host/router cannot be reached. Unlike TCP and UDP, it is
a network-layer protocol, not a transport-layer protocol. Common network utilities, such as traceroute and ping, are based on ICMP messages.
The ICMP protocol includes timestamps for time synchronization, with the originating timestamp being set to the time
(in milliseconds since midnight) at which the sender last touched the packet. A timestamp reply is also generated, consisting
of the originating timestamp (sent by the sender) as well as a "receive timestamp", which captures when the timestamp request was
received and a reply sent.
Linux
ICMP timestamps need to be blocked with the firewall. How this is done depends on the distribution and varies widely, as does
whether a firewall is enabled at all. Be aware that some distributions do not turn on the firewall by default.
There are various ways to block ICMP timestamps on the command line, so it is recommended to consult your specific
distribution's documentation. [12] The easiest method is to download a GUI front-end (like gufw), then configure
the firewall to silently drop all incoming connections by default, and only allow outgoing traffic from the machine.
//Block ICMP Timestamps with IPTables
Here we will block incoming ICMP timestamp requests using the INPUT chain and outgoing ICMP timestamp replies using the OUTPUT chain.
Please keep in mind that your firewall configuration is specific to your machine. Your iptables chains may have different names,
in which case the examples below need to be modified. For more information on iptables read "Basics of Iptables".
Block ICMP Timestamp requests (type 13) with iptables:
iptables -I INPUT -p icmp --icmp-type timestamp-request -j DROP
Block ICMP Timestamp replies (type 14) with iptables:
iptables -I OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
Save the rules on Debian / Ubuntu (the file is loaded at boot when the iptables-persistent package is installed):
iptables-save > /etc/iptables/rules.v4
//Block all ICMP Traffic with IPTables
You can block all ICMP traffic with iptables by using the following command:
iptables -I INPUT -p icmp -j DROP
//Block ICMP Timestamps with Uncomplicated Firewall (UFW)
I find the uncomplicated firewall to be... umm, complicated. It seems there is no command to directly configure firewall rules to
include ICMP types. You have to edit the configuration files. Again, be careful and ensure you are matching these rules to your
system's needs. To learn more about Uncomplicated Firewall (UFW) read "Uncomplicated Firewall Basics".
Add the following two lines to /etc/ufw/before.rules
-A ufw-before-input -p icmp --icmp-type timestamp-request -j DROP
-A ufw-before-output -p icmp --icmp-type timestamp-reply -j DROP
Reload the firewall
sudo ufw reload
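To confirm the rules are actually in place, the saved ruleset can be checked. The script below is an added example, not part of the original page: it reads a ruleset on stdin and reports whether the type 13 and type 14 DROP rules are present. The function names and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): presence check for the
# ICMP timestamp DROP rules in a saved ruleset read from stdin.
# It does not model rule order, so an earlier ACCEPT can still win.

# rule_drops CHAIN_REGEX TYPE_REGEX: succeed if a rule in a matching chain
# drops that ICMP type, or drops ICMP with no --icmp-type match at all.
rule_drops() {
    awk -v chain="$1" -v type="$2" '
        $1 != "-A" || $2 !~ chain          { next }
        !/-p icmp( |$)/ || !/-j DROP( |$)/ { next }
        !/--icmp-type/                     { found = 1 }
        $0 ~ ("--icmp-type " type "( |$)") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# audit_icmp_ts: one status line per direction; non-zero exit on any gap.
# iptables-save prints the numeric type (13, 14); hand-edited files such as
# /etc/ufw/before.rules usually carry the names, so both spellings match.
audit_icmp_ts() {
    _rules=$(cat); _rc=0
    if printf '%s\n' "$_rules" | rule_drops '^(INPUT|ufw-before-input)$' '(13|timestamp-request)'
    then echo "OK   inbound timestamp-request (type 13) is dropped"
    else echo "MISS inbound timestamp-request (type 13) is not dropped"; _rc=1
    fi
    if printf '%s\n' "$_rules" | rule_drops '^(OUTPUT|ufw-before-output)$' '(14|timestamp-reply)'
    then echo "OK   outbound timestamp-reply (type 14) is dropped"
    else echo "MISS outbound timestamp-reply (type 14) is not dropped"; _rc=1
    fi
    return "$_rc"
}

# Constructed sample: what iptables-save emits after the two iptables commands.
SAVED_OK='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
COMMIT'
# Constructed sample: the two before.rules lines from the UFW section.
UFW_OK='-A ufw-before-input -p icmp --icmp-type timestamp-request -j DROP
-A ufw-before-output -p icmp --icmp-type timestamp-reply -j DROP'
# Constructed sample: only ping is blocked, the timestamp rules are absent.
PING_ONLY='-A ufw-before-input -p icmp --icmp-type echo-request -j DROP'

for s in "$SAVED_OK" "$UFW_OK" "$PING_ONLY"; do
    printf '%s\n' "$s" | audit_icmp_ts || true
    echo "--"
done
```

On a live system, run it as root with "iptables-save | audit_icmp_ts" or "audit_icmp_ts < /etc/ufw/before.rules".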
//Conclusion
Although the ICMP timestamp request and reply vulnerabilities are low risk, they are easily mitigated.
Whether or not this is right for your system is completely up to you.
Resources
//UBUNTU
In Debian-based Linux distributions that ship with the UFW firewall, you can block ICMP echo requests (ping) by adding the
following rule to the /etc/ufw/before.rules file, as illustrated in the excerpt below.
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Restart the UFW firewall to apply the rule by issuing the commands below.
# ufw disable && ufw enable