Should I Disable TCP Timestamp for Kubernetes?

11/22/2019

We've hired a security consultant to perform a pentest on our Application's public IP (Kubernetes Loadbalancer) and write a report on our security flaws and the measurements required to avoid them. Their report warned us that we have TCP Timestamp enabled, and from what I've read about the issue, It would allow an attacker to predict boot time of the machine thus being able to grant control over it.

I also read that TCP Timestamp is important for TCP performance and, most importantly, for Protection Against Wrapping Sequence.

But since we use Kubernetes over GKE with Nginx Ingress Controller being in front of it, I wonder if that TCP Timestamp thing really matters for that context. Should we even care? If so, does it really make my network vulnerable for the lack of Protection Against Wrapping sequence?

More information about TCP Timestamp on this other question: What benefit is conferred by TCP timestamp?

-- Mauricio
containers
kubernetes
nginx-ingress
security
tcp

1 Answer

11/27/2019

According to RFC 1323 (TCP Extensions for High Performance) TCP Timestamp is used for two main mechanisms:

  • PAWS (Protect Against Wrapped Sequence)
  • RTT (Round Trip Time)

PAWS - defense mechanism for identification and rejection of packets that arrived in other wrapping sequence (data integrity).

Round Trip Time - time for packet to get to the destination and sent acknowledgment back to the device it originated.

What can happen when you disable TCP Timestamps:

  • Turning off TCP Timestamp can result with performance issues because the RTT would stop working.
  • It will disable PAWS.
  • As McAfee site says disabling timestamps can allow denial attacks.

As previously mentioned McAfee's site:

For these reasons, McAfee strongly recommends keeping this feature enabled and considers the vulnerability as low..

-- McAfee

Citation from another site:

Vulnerabilities in TCP Timestamps Retrieval is a Low risk vulnerability that is one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve or prone to being overlooked entirely.

-- Beyond Security

I would encourage you to look on this video: HIP15-TALK:Exploiting TCP Timestamps.

What about GKE

Getting the information about boot time (uptime in this case) can lead to knowledge about what security patches are not applied to the cluster. It can lead to exploitation of those unpatched vulnerabilities.

The best way to approach that would be regularly update existing cluster. GKE implements 2 ways of doing that:

Even if attacker knows the boot time of your machine it will be useless because system is up to date and all the security patches are applied. There is dedicated site for Kubernetes engine security bulletins: Security bulletins

-- Dawid Kruk
Source: StackOverflow