We've hired a security consultant to perform a pentest on our application's public IP (Kubernetes LoadBalancer) and write a report on our security flaws and the measures required to avoid them. Their report warned us that we have TCP Timestamp enabled, and from what I've read about the issue, it would allow an attacker to predict the boot time of the machine, thus being able to grant control over it.
I also read that TCP Timestamp is important for TCP performance and, most importantly, for Protection Against Wrapping Sequence.
But since we use Kubernetes on GKE with the Nginx Ingress Controller in front of it, I wonder if that TCP Timestamp thing really matters in that context. Should we even care? If so, does it really make my network vulnerable for the lack of Protection Against Wrapped Sequences?
More information about TCP Timestamp in this other question: What benefit is conferred by TCP timestamp?
According to RFC 1323 (TCP Extensions for High Performance), the TCP Timestamp option is used for two main mechanisms:
PAWS - a defense mechanism for identifying and rejecting packets that arrived from another wrap of the sequence space (data integrity).
Round Trip Time - the time for a packet to reach the destination and for the acknowledgment to be sent back to the device it originated from.
What can happen when you disable TCP Timestamps:
As previously mentioned on McAfee's site:
For these reasons, McAfee strongly recommends keeping this feature enabled and considers the vulnerability as low.
-- McAfee
Citation from another site:
Vulnerabilities in TCP Timestamps Retrieval is a Low risk vulnerability that is one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve or prone to being overlooked entirely.
-- Beyond Security
I would encourage you to look at this video: HIP15-TALK: Exploiting TCP Timestamps.
Getting information about the boot time (uptime in this case) can lead to knowledge about which security patches are not applied to the cluster. That can lead to exploitation of those unpatched vulnerabilities.
The best way to approach that would be to regularly update the existing cluster. GKE implements 2 ways of doing that:
Even if an attacker knows the boot time of your machine, it will be useless because the system is up to date and all the security patches are applied. There is a dedicated site for Kubernetes Engine security bulletins: Security bulletins
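To make the PAWS point of the answer concrete, here is an added example (not part of the answer or of any cited document): a constructed Python model of the RFC 1323 / RFC 7323 section 5.3 check, showing a delayed segment from a previous trip through the 32-bit sequence space being accepted by the plain sequence-window test but dropped once the receiver compares its timestamp value against TS.Recent. The TSval/TS.Recent values and the window sizes are constructed sample values.

```python
"""PAWS (Protection Against Wrapped Sequences), RFC 1323 / RFC 7323 section 5.3.
Constructed, self-contained illustration of what the TCP timestamp option buys
a receiver: a segment delayed from an earlier pass through the 32-bit sequence
space carries an old timestamp value (TSval) and is rejected, even though its
sequence number has wrapped back into the current receive window."""

MOD32 = 1 << 32


def ts_older(tsval: int, ts_recent: int) -> bool:
    """True if tsval precedes ts_recent in 32-bit wrapping arithmetic
    (signed comparison, so TSval itself may wrap without false rejects)."""
    return (tsval - ts_recent) % MOD32 >= (1 << 31)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Plain RFC 793 acceptance test: seq within [RCV.NXT, RCV.NXT + RCV.WND).
    This is all a receiver has once timestamps are disabled."""
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


class PawsReceiver:
    """Tracks TS.Recent and applies the PAWS test to each arriving segment."""

    def __init__(self) -> None:
        self.ts_recent = None  # TS.Recent is undefined until the first timestamped segment
        self.rejected = 0

    def accept(self, tsval: int) -> bool:
        if self.ts_recent is not None and ts_older(tsval, self.ts_recent):
            self.rejected += 1  # RFC 7323: drop the segment (and send an ACK)
            return False
        self.ts_recent = tsval  # in-order segment: advance TS.Recent
        return True


def stale_segment_demo() -> dict:
    """Constructed scenario: a segment delayed from 2**32 bytes earlier arrives with
    seq 100, which now falls inside the current window. Only PAWS catches it."""
    rcv_nxt, rcv_wnd = 100, 65535
    old_seq, old_tsval = 100, 500  # same seq after a wrap, but an old clock value
    rx = PawsReceiver()
    rx.accept(90_000)  # TS.Recent reflects the live stream
    return {
        "without_timestamps": seq_in_window(old_seq, rcv_nxt, rcv_wnd),  # accepted
        "with_paws": rx.accept(old_tsval),  # dropped
    }


if __name__ == "__main__":
    print(stale_segment_demo())
```

On a Linux node the option itself is controlled by the sysctl net.ipv4.tcp_timestamps, which is what a hardening change in response to the report would touch.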