FortiSandbox
FortiSandbox provides a solution to protect against advanced threats and ransomware for companies who don’t want to implement and maintain a sandbox environment on their own.
MFARRAG
Staff
Article Id 337109
Description

This article describes how to configure FortiSandbox to prevent it from responding with TCP timestamps. It covers best practices for securing FortiSandbox against TCP timestamp-based attacks, along with troubleshooting tips to ensure proper configuration and functionality.

Scope

FortiSandbox.

Solution
  1. To verify the TCP timestamp status on FortiSandbox, run the following command from the CLI:

 

    set-tcp-timestamp-response -L

 

Note:

TCP timestamp is enabled by default on FortiSandbox.

 

Test using the hping3 tool from the penetration testing system and check the packet capture output at the same time: the TCP Timestamps option is shown with its TSval and TSecr values.

 

hping3 is a tool for crafting custom TCP/IP packets for protocol analysis, simulating traffic patterns, and ethical denial-of-service testing. It can be used to generate the test traffic:
https://linux.die.net/man/8/hping3

 


 

  2. To disable it, run the following CLI command:

 

    set-tcp-timestamp-response -D

 


 

  3. To verify, send a test using the hping3 tool from the penetration testing system again after disabling the TCP timestamp response, and check the packet capture output from Wireshark. The Timestamp option is no longer shown once it is disabled.

 

Note:

The same process is supported on v5.0.x.
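
The capture check in the verification step can also be scripted. The following is an added example, not Fortinet code: it walks the options of a TCP header and reports whether the Timestamps option (kind 8) is present. The function names and both sample SYN-ACK headers are constructed for illustration; in practice the header bytes would come from the packet capture.

```python
import struct

def tcp_timestamp(tcp_header: bytes):
    """Return (TSval, TSecr) if the TCP Timestamps option (kind 8) is present, else None."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid data offset")
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP is a single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == 8 and length == 10:           # Timestamps: TSval, TSecr
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return None

def build_synack(options: bytes) -> bytes:
    """Build a constructed SYN-ACK header (sample data, not a real capture)."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    offset_flags = ((20 + len(options)) // 4 << 12) | 0x012   # SYN+ACK
    return struct.pack("!HHIIHHHH", 443, 40000, 1000, 2001,
                       offset_flags, 65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
SACK_OK = b"\x04\x02"
TS = b"\x08\x0a" + struct.pack("!II", 123456789, 42)

BEFORE = build_synack(MSS + SACK_OK + TS)           # timestamps enabled (default)
AFTER = build_synack(MSS + b"\x01\x01" + SACK_OK)   # after set-tcp-timestamp-response -D

def audit(header: bytes) -> str:
    ts = tcp_timestamp(header)
    return "timestamps absent" if ts is None else f"TSval={ts[0]} TSecr={ts[1]}"

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```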