By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

TCP Timestamps Information Disclosure on EKS Nodes

0

One of our compliance we found the recommendation To disable TCP timestamps on linux add the line using 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime this is inlined with -

  • The remote host implements TCP timestamps, as defined by RFC1323/RFC7323.

Please guide how to achieve this ?

Topics
ContainersMicroservicesAWS Well-Architected FrameworkCompute
Tags
Amazon Elastic Kubernetes ServiceMicroservicesSecurityLinux
Language
English
Ganesh
asked 5 months ago725 views
1 Answer
0

Hi,

It depends on how you configure your EKS Nodes. It could be managed node groups, self-managed node groups or even EC2 instances added by the Karpenter to your cluster.

Anyway, you can create your own AMI images with the above changes, check if Bottlerocket has this enforcement enabled and switch to it or do the update via the UserData.

profile picture
EXPERT
Dmytro Sirant
answered 5 months ago
  • Ganesh
    5 months ago

    ok, But is there any consequences if we setup 'net.ipv4.tcp_timestamps = 0' in our EKS nodes ? any performance issue we might face ? we want to fix this, without breaking our Cluster performance
    ==> The remote host implements TCP timestamps, as defined by RFC1323/RFC7323.

  • Dmytro Sirant EXPERT
    4 months ago

    Based on the information available about this feature, it can impact network performance and stability on the high load. Only you can test how it will impact your specific workload. I would assess the risks you have when it's enabled (I guess it's fingerprinting by the timestamp) and if it impacts your security at all.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content