Disable TCP timestamps on Linux
Sysctl
To disable TCP timestamping at runtime, run the following command as root (it takes effect for new connections):
root@aaa:~# echo 0 > /proc/sys/net/ipv4/tcp_timestamps
To make that change permanent, add the following line to /etc/sysctl.conf (and load it with sysctl -p):
net.ipv4.tcp_timestamps = 0
IPTables
These rules block ICMP timestamp requests and replies (ICMP types 13 and 14), a separate clock leak from the TCP timestamp option. To be on the safe side, add the following 2 lines to your firewall script:
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
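The two steps above (pin the sysctl in a config file, add the ICMP rules) applied idempotently in one script. This is an added example, not code from the original post; the config path and the iptables command are parameters so the functions can be exercised without root, and the "apply" mode assumed at the bottom is this example's own convention.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's two steps
# idempotently: pin net.ipv4.tcp_timestamps in a sysctl file and add the ICMP
# timestamp DROP rules only if they are not already present. Paths and the
# iptables command are parameters so the functions can be checked without root.

KEY=net.ipv4.tcp_timestamps
KEY_RE='net\.ipv4\.tcp_timestamps'

# Ensure "KEY = VALUE" appears exactly once in CONF, replacing any earlier
# (possibly commented-out) assignment. Usage: set_sysctl_conf CONF VALUE
set_sysctl_conf() {
    conf="$1"; value="$2"
    [ -f "$conf" ] || : > "$conf"
    # grep -v exits 1 when nothing is left to print; that is not an error here
    grep -vE "^[[:space:]]*#?[[:space:]]*${KEY_RE}[[:space:]]*=" "$conf" > "$conf.tmp" || true
    printf '%s = %s\n' "$KEY" "$value" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Print the value stored for KEY in CONF (last assignment wins, as sysctl does).
sysctl_conf_value() {
    sed -nE "s/^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*([01]).*/\1/p" "$1" | tail -n 1
}

# Print the live kernel value; the path argument lets a test point at a file.
live_tcp_timestamps() {
    tr -d '[:space:]' < "${1:-/proc/sys/net/ipv4/tcp_timestamps}"
}

# Add the two ICMP timestamp rules unless already present: `iptables -C` exits 0
# when a matching rule exists. IPT names the iptables command (default: iptables).
add_icmp_timestamp_rules() {
    ipt="${1:-iptables}"
    for spec in \
        "INPUT -p icmp --icmp-type timestamp-request -j DROP" \
        "OUTPUT -p icmp --icmp-type timestamp-reply -j DROP"; do
        # $spec is intentionally unquoted so it is split into iptables arguments
        "$ipt" -C $spec 2>/dev/null || "$ipt" -A $spec
    done
}

# Run as root with "apply" to change the live system and read the value back.
if [ "${1:-}" = "apply" ]; then
    set_sysctl_conf /etc/sysctl.conf 0
    sysctl -p /etc/sysctl.conf
    add_icmp_timestamp_rules iptables
    echo "tcp_timestamps is now $(live_tcp_timestamps)"
fi
```

Running the script with no argument only defines the functions, so it can be sourced from a larger firewall script; `sh script.sh apply` as root writes the setting, reloads it, adds the rules and prints the live value, which should be 0.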
NOTE:
Disabling timestamps will hurt the performance of TCP transfers over high-BDP links if the system uses that information to adjust the receive window or transmit buffer. For typical LAN applications, removing timestamps should have no impact. For WAN transfers over infrastructure where packet reordering or loss is possible (load-balanced lines, wireless, routing hardware with multiple concurrent paths, etc.), TCP timestamps, together with the other RFC 1323 options and a current congestion control algorithm, should be used or performance will suffer. PAWS (protection against wrapped sequence numbers) depends on timestamps and is disabled along with them, which also hurts performance on fast links. Additionally, the OS should randomize the timestamp offset at the start of each TCP session, which makes the security concern (inferring host uptime and fingerprinting the system from the timestamp clock) moot; Linux 4.10 and later do this per connection. Check your specific OS and patch level to verify that this is working. Don't disable timestamps unless you understand the performance impact on the applications involved.
Comment: Please make sure you check with your software vendor.
I had some very negative results as well.