Wednesday, September 16, 2015

Linux - Disable TCP timestamps

Sysctl

To disable TCP timestamping at runtime (the change is lost on reboot), run the following command:
root@aaa:~# echo 0 > /proc/sys/net/ipv4/tcp_timestamps


To make that change permanent, add the following line to /etc/sysctl.conf:
net.ipv4.tcp_timestamps = 0

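As an added example (not part of the original post), the shell functions below apply the sysctl change idempotently and then check that the persisted value in sysctl.conf agrees with what the running kernel reports; the file paths are parameters so the functions can be exercised against test files instead of /etc/sysctl.conf and /proc.

```bash
#!/bin/sh
# Added example: persist the tcp_timestamps change without duplicating lines,
# and verify that the persistent setting matches the running kernel.

# Set KEY to VALUE in a sysctl.conf-style file, replacing any existing assignment
# (including a commented-out one) and dropping duplicates; append if absent.
set_sysctl_persistent() {
    key=$1; value=$2; conf=${3:-/etc/sysctl.conf}
    [ -f "$conf" ] || : > "$conf"
    awk -v key="$key" -v value="$value" '
        { line = $0
          sub(/^[ \t]*#?[ \t]*/, "", line)          # strip indent and comment marker
          split(line, kv, /[ \t]*=[ \t]*/)
          if (kv[1] == key) {                        # existing (maybe commented) assignment
              if (!done) { print key " = " value; done = 1 }
              next                                   # drop further duplicates
          }
          print }
        END { if (!done) print key " = " value }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the effective persisted value of KEY: the last uncommented assignment
# wins, as "sysctl -p" applies them in order. Prints nothing if the key is absent.
persisted_value() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line)
          if (line ~ /^#/) next
          split(line, kv, /[ \t]*=[ \t]*/)
          if (kv[1] == key) v = kv[2] }
        END { print v }' "${2:-/etc/sysctl.conf}"
}

# Succeed only when the running kernel agrees with the persisted setting.
# A mismatch means the file was edited but never applied (sysctl -p / reboot),
# or the /proc value was changed at runtime without being made permanent.
tcp_timestamps_consistent() {
    runtime=$(cat "${1:-/proc/sys/net/ipv4/tcp_timestamps}")
    persisted=$(persisted_value net.ipv4.tcp_timestamps "${2:-/etc/sysctl.conf}")
    [ -n "$persisted" ] && [ "$runtime" = "$persisted" ]
}

# Typical use (as root):
#   set_sysctl_persistent net.ipv4.tcp_timestamps 0
#   sysctl -w net.ipv4.tcp_timestamps=0
#   tcp_timestamps_consistent && echo "persistent and runtime settings agree"
```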
IPTables

To also drop ICMP timestamp requests and replies, add the following two lines to your firewall script:
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
NOTE: Disabling timestamps will negatively impact performance of TCP transfers over high BDP links if the underlying system uses that information to adjust the receive window or transmit buffer. For typical LAN applications, timestamp removal should have no impact. For WAN data transfer speeds using network infrastructure where packet reordering or loss is possible (load balanced lines, wireless, routing hardware with multiple concurrent transaction paths, etc.), TCP timestamps, along with the other RFC 1323 options and a current congestion control algorithm, should be used or performance will suffer. TCP PAWS is also disabled if timestamps are disabled, which will negatively impact performance. Additionally, the underlying OS should randomize the source timer at the beginning of the TCP session, rendering the security concern moot. You will need to check your specific OS and patch level to verify that this is functioning properly. Don't disable timestamps unless you understand the performance impact to the applications involved.

orig. post by: Rob Luce
Comment: Please make sure you check with your software vendor.
I had some very negative results as well.
