GrapheneOS / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.freenode.net ##linux-hardened. Currently maintained at https://github.com/anthraxx/linux-hardened.
https://grapheneos.org/

[Patch attached] Secure TCP timestamp response #50

Closed theLOICofFRANCE closed 6 years ago

theLOICofFRANCE commented 6 years ago

Hi,

Pentesters use the TCP timestamp response for fingerprinting based on the behavior and to find the remote host's uptime.

I suggest you change the default value (which should slightly increase performance).

tcp_timestamps_secure.txt

This is a simple alternative to Brad's "random_timestamp.diff" patch.

Thanks.

thestinger commented 6 years ago

Modern Linux kernels use a per-connection random base for the timestamps:

https://github.com/torvalds/linux/commit/95a22caee396cef0bb2ca8fafdd82966a49367bb

The main issue (TCP timestamps) is resolved in a generic way.
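An added check, not part of this thread or of linux-hardened, that tells the two mitigations discussed above apart on a given host: disabling timestamps via the sysctl versus keeping them on with the upstream per-connection random offset. It assumes that commit 95a22caee396 shipped in v4.10 and that a `net.ipv4.tcp_timestamps` value of 2 means "enabled without random offsets", as the current ip-sysctl documentation states; distribution backports are not detected.

```shell
#!/bin/sh
# Added example (not from the issue or the project). Classifies a host's TCP
# timestamp posture from its kernel release string and sysctl value.

# kernel_at_least MAJOR MINOR RELEASE -> exit 0 if RELEASE >= MAJOR.MINOR
# Heuristic on the version string only; backported fixes are invisible to it.
kernel_at_least() {
  want_major=$1; want_minor=$2
  ver=${3%%-*}                 # drop "-generic", "-hardened", ".el7" style suffixes
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  [ "$major" -gt "$want_major" ] && return 0
  [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]
}

# ts_posture RELEASE SYSCTL_VALUE -> prints one word:
#   disabled    timestamps off: nothing to fingerprint, but PAWS and RTT
#               estimation are lost (the trade-off of the attached patch)
#   randomized  timestamps on, per-connection random offset (assumed v4.10+)
#   exposed     timestamps on, value is raw uptime (old kernel, or value 2)
#   invalid     unexpected sysctl value
ts_posture() {
  release=$1; value=$2
  case "$value" in
    0) echo disabled ;;
    1) if kernel_at_least 4 10 "$release"; then echo randomized; else echo exposed; fi ;;
    2) echo exposed ;;
    *) echo invalid ;;
  esac
}

# Read-only check of the current host; prints the verdict.
audit_host() {
  val=$(cat /proc/sys/net/ipv4/tcp_timestamps 2>/dev/null || echo unknown)
  ts_posture "$(uname -r)" "$val"
}
```

Run `audit_host` on a box; "exposed" is the case the issue is about, "randomized" is the upstream generic fix already in place.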

theLOICofFRANCE commented 6 years ago

Great, I hadn't seen it.