How to configure and test "IP Timestamp Option" protection
3615
Created On 04/07/22 17:00 PM - Last Modified 10/10/24 05:17 AM
Objective
Configure and Test IP Timestamp Option drops using Zone Protection
Note: This article is not related to TCP Timestamp options.
Environment
- All PAN-OS Firewalls
Procedure
1. Set up a linux host for testing.
2. Use ping or Install the sendip command. In debian based systems, it can be installed using apt:
$ sudo apt install sendip
3. Configure a Zone Protection profile [ Network > Network Profiles > Zone Protection > (Open Profile) > Packet Based Attack Protection > IP Drop > Check "IP Option Drop: Timestamp" ]
4. Associate the Zone Protection profile to the ingress Zone facing your linux host.
5. Commit
6. Run the ping or sendip command from the linux host:
$ ping -c 1 -T tsonly DESTINATION_IP
OR
$ sudo sendip -p ipv4 -is SOURCE_IP -id DESTINATION_IP -iots 05:01:00:200 -p udp -us 53 -ud 53 -d "IP Option Timestamp test" -v DESTINATION_IP
Example:
$ ping -c 1 -T tsonly 8.8.8.8
OR
$ sudo sendip -p ipv4 -is 192.168.80.2 -id 8.8.8.8 -iots 05:01:00:200 -p udp -us 53 -ud 53 -d "IP Option Timestamp test" -v 8.8.8.8
[sudo] password for user1:
Added 26 options
Initializing module ipv4
Initializing module udp
Finalizing module udp
Finalizing module ipv4
Final packet data:
47 00 00 3C G..<
8A 2B 00 00 .+..
FF 11 C4 EA ....
C0 A8 50 02 ..P.
08 08 08 08 ....
44 08 05 10 D...
00 00 00 C8 ....
00 35 00 35 .5.5
00 20 3E 3B . >;
49 50 20 4F IP O
70 74 69 6F ptio
6E 20 54 69 n Ti
6D 65 73 74 mest
61 6D 70 20 amp
74 65 73 74 test
Sent 60 bytes to 8.8.8.8
Freeing module ipv4
Freeing module udp
7. Verify the Threat Logs using display filter ( threatid eq 8703 )
8. View of the Detailed Log View
Additional Information
Following RFC 7126, most ISP's will generally filter IP packets with IP Option Timestamp in transit.
Snippet of Best Current Practice [Page 13]
RFC 7126 Filtering of IP-Optioned Packets
February 2014
4.7. Internet Timestamp (Type = 68)
4.7.1. Uses
This option provides a means for recording the time at which each
system (or a specified set of systems) processed this datagram, and
it may optionally record the addresses of the systems providing the
timestamps.
4.7.2. Option Specification
Specified by RFC 791 [RFC0791].
4.7.3. Threats
The timestamp option has a number of security implications [RFC6274].
Among them are:
o It allows an attacker to obtain the current time of the systems
that process the packet, which the attacker may find useful in a
number of scenarios.
o It may be used to map the network topology in a similar way to the
IP Record Route option.
o It may be used to fingerprint the operating system in use by a
system processing the datagram.
o It may be used to fingerprint physical devices by analyzing the
clock skew.
[Kohno2005] describes a technique for fingerprinting devices by
measuring the clock skew. It exploits, among other things, the
timestamps that can be obtained by means of the ICMP timestamp
request messages [RFC0791]. However, the same fingerprinting method
could be implemented with the aid of the Internet Timestamp option.
4.7.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the Internet
Timestamp option (such as ping with the Timestamp option) would break
when using the Timestamp option. (Ping without IPv4 options is not
impacted.) Nevertheless, it should be noted that it is virtually
impossible to use such techniques due to widespread dropping of
packets that contain Internet Timestamp options.
4.7.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets
containing an Internet Timestamp option.
Reference:
https://datatracker.ietf.org/doc/html/rfc7126#section-4.7