{{Header}}
{{#seo:
|description=Disabling TCP and ICMP Timestamps for Better Security and Privacy
|image=Timestamps.jpg
}}
[[image:Timestamps.jpg|thumb]]
{{intro|
Disabling TCP and ICMP Timestamps for Better Security and Privacy
}}
= Disable TCP Timestamps =
== Introduction ==

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = [https://tools.ietf.org/html/rfc1323 TCP timestamps] provide protection against [https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_timestamps wrapped sequence numbers].
}}

The downside of TCP timestamps is adversaries can remotely calculate the system uptime and boot time of the machine and the host's clock down to millisecond precision. These calculated uptimes and boot times can also help to detect hidden network-enabled operating systems, as well as link spoofed IP and MAC addresses together and more. <ref>
https://web.archive.org/web/20180206125839/https://forensicswiki.org/wiki/TCP_timestamps
</ref> <ref>
Quote [https://factorable.net/weakkeys12.extended.pdf factorable.net/weakkeys12.extended.pdf]
<blockquote>It may also be predictable based on system uptime, which is visible to remote attackers via TCP timestamps.</blockquote>
</ref>

To prevent this information leaking to an adversary, it is recommended to disable TCP timestamps on any operating systems in use. The less information available to attackers, the better the security.

== {{project_name_short}} ==
Disabled in {{project_name_short}} by default. If using {{project_name_short}} as a host operating system, there is nothing to do. Otherwise, see rest of this page.

{{Anchor|Linux or Qubes}}
== Qubes ==

TCP timestamps are disabled by default in Qubes R3.1 and above. <ref>https://github.com/QubesOS/qubes-issues/issues/1344</ref>

= Disable ICMP Timestamps =
== Introduction ==
The Internet Control Message Protocol (ICMP) is used by network devices, including routers, to send operational information and error messages such as whether a service is available or if a host/router cannot be reached. Unlike TCP and UDP, it is a network level, not transport layer protocol. Commonly used network utilities are based on ICMP messages, such as ''traceroute'' and ''ping''. <ref>https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Timestamp</ref>

The ICMP protocol includes timestamps for time synchronization, with the originating timestamp being set to the time (in milliseconds since midnight) since the sender last touched the packet. A timestamp reply is also generated, consisting of the originating timestamp (sent by the sender) as well as a "receive timestamp", which captures when the timestamp was received and a reply sent. ICMP sometimes used to give further info and advancing some attacks for e.g check [https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/ BPFdoor].

== {{project_name_short}} ==
Disabled in {{project_name_short}} by default. If using {{project_name_short}} as a host operating system, there is nothing to do. Otherwise, see rest of this chapter.

== Qubes ==

ICMP timestamps are disabled by default in Qubes R3.1 and above. <ref>https://github.com/QubesOS/qubes-issues/issues/1346</ref>

= References =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]