On 2016-03-10 17:12, Andre Keller wrote:
> Dear fellow SwiNOGers,
>
> in the last few months we had several security audits and all of them
> proposed to disable tcp timestamps.

Did they also state why? :)

> (i.e. on Linux net.ipv4.tcp_timestamps=0). AFAIK roundtrip time calculation in tcp
> relies on this and there might be implications for PAWS (tcp sequence
> number wrapping).

You might want to read up on: http://www.silby.com/eurobsdcon05/eurobsdcon_silbersack.pdf

> What do you guys think about this?

It all depends on what you are "protecting" yourself from.

Think about it: if it was a huge security issue, it would be disabled per default ;)

It is primarily an obfuscation technique that hides if you did upgrade your kernel recently...

Greets,
Jeroen

_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
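As an added illustration that is not part of the thread, the Python below shows what a receiver actually does with the timestamp option discussed above: it parses TSval/TSecr from a raw TCP header, applies the modular PAWS comparison from RFC 7323 that stays correct across the 32-bit wrap, and derives an RTT sample from the echoed value. The header bytes, ports and tick values are constructed for the example.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8
MASK32 = 0xFFFFFFFF

def tcp_timestamps(segment: bytes):
    """Return (TSval, TSecr) from a raw TCP header, or None when the peer sent
    no timestamp option (what you see after net.ipv4.tcp_timestamps=0)."""
    doff = (segment[12] >> 4) * 4            # header length in bytes
    opts, i = segment[20:doff], 0
    while i < len(opts):                     # walk the option TLVs
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                            # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                            # malformed length: stop parsing
        if kind == TCP_OPT_TIMESTAMP and length == 10:
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return None

def ts_after(a: int, b: int) -> bool:
    """True if 32-bit timestamp a is later than b, modulo 2**32 (RFC 7323)."""
    d = (a - b) & MASK32
    return 0 < d < 0x80000000

def paws_accept(tsval: int, ts_recent: int) -> bool:
    """PAWS: drop a segment whose TSval is older than the last one accepted.
    The modular compare is what keeps this right when the clock wraps."""
    return not ts_after(ts_recent, tsval)

def rtt_ticks(now: int, tsecr: int) -> int:
    """RTT sample from an echoed timestamp, in ticks of our own clock."""
    return (now - tsecr) & MASK32

def build_segment(tsval: int, tsecr: int) -> bytes:
    """Constructed 32-byte TCP SYN header carrying NOP, NOP, Timestamp options."""
    opts = bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_TIMESTAMP, 10])
    opts += struct.pack("!II", tsval, tsecr)
    # src port, dst port, seq, ack, data offset (8 words), flags (SYN), window, csum, urg
    base = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 8 << 4, 0x02, 65535, 0, 0)
    return base + opts

if __name__ == "__main__":
    seg = build_segment(0xFFFFFFF0, 12345)   # TSval just below the wrap point
    print(tcp_timestamps(seg), paws_accept(5, 0xFFFFFFF0), rtt_ticks(12400, 12345))
```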