20 days ago
Hi,
As part of our compliance we have carried out a penetration test including a service deployed on railway (love railway btw!).
The scan found the following low-risk items relating to TCP Timestamp info disclosure, is it possible to configure railway to mitigate this?
EXTERNAL IP VULNERABILITY ANALYSIS LOW
Attackers continuously scan the internet for exposed services and known vulnerabilities. An
unauthenticated scan of the IP addresses associated with xxx Ltd returned the findings below.
Our team did not attempt exploitation to confirm the attack chain, but each result should be reviewed
and remediated based on its severity and exposure.
Recommendation
Apply TCP timestamp disabling at the OS level for the origin server (XXXX). Block ICMP
timestamp messages at the perimeter firewall. For Cloudflare-fronted IPs, these findings may be at the
CDN edge layer and can be reviewed with Cloudflare support.
IP ADDRESS FINDING SEVERITY CVSS
XXX TCP Timestamps Information Disclosure Low 2.6
XXX TCP Timestamps Information Disclosure Low 2.6
XXX TCP Timestamps Information Disclosure Low 2.6
XXX ICMP Timestamp Reply Information Disclosure Low 2.1
TCP Timestamps Information Disclosure [Low] CVSS: 2.6
INSIGHT
The remote hosts implement TCP timestamps as defined by RFC 1323/RFC 7323. A side effect of this feature is
that the system uptime can sometimes be calculated from the monotonically increasing timestamp values
returned in TCP responses.
IMPACT
Uptime information provides an attacker with intelligence on patching cadence and server availability. This is a
low-severity information disclosure finding with no direct exploitability.
DISCOVERY PROCESS
Specially crafted IP packets were sent with controlled delays between them. Responses were inspected for TCP
timestamp option values. Uptime was computed from the gradient of timestamp values over time.
4 Replies
SOLUTION
• Linux: Add 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf, then run 'sysctl -p'
• Windows: Run 'netsh int tcp set global timestamps=disabled' (note: Windows Server 2008+ cannot fully
disable this when a TCP peer initiates with timestamps)
AFFECTED HOSTS (3)
XXXXX
ICMP Timestamp Reply Information Disclosure [Low] CVSS: 2.1
INSIGHT
The remote host responded to an ICMP Timestamp (Type 13) request with a Timestamp Reply (Type 14). The
reply includes originating, receive, and transmit timestamps.
IMPACT
EXTERNAL IP VULNERABILITY ANALYSISCREATED FOR: xxx Ltd | DATE: Jun 15,
2026
The timestamp information could theoretically be used to exploit weak time-based random number generators in
other services on the same host.
SOLUTION
• Disable ICMP timestamp support on the host OS
• Block ICMP type 13/14 at the perimeter firewall in both directions for untrusted networks
20 days ago
The benefits of TCP timestamps likely outweigh any perceived risks, especially in Railway's case, so I don't think I would expect this to be changed.
Your application itself is much more likely to be compromised/exploited than the hosts that actually run your containers.
20 days ago
I say perceived, because they're not real risks IMO. If a system is vulnerable, it is vulnerable. Obscuring that at the expense of reliability still leaves you vulnerable, you're just worse off for it.
20 days ago
Well said
Status changed to Solved brody • 20 days ago