Penetration test highlighting - TCP Timestamps Information Disclosure
heylookalive
HOBBYOP

20 days ago

Hi,

As part of our compliance we have carried out a penetration test including a service deployed on railway (love railway btw!).

The scan found the following low-risk items relating to TCP Timestamp info disclosure, is it possible to configure railway to mitigate this?


EXTERNAL IP VULNERABILITY ANALYSIS LOW

Attackers continuously scan the internet for exposed services and known vulnerabilities. An

unauthenticated scan of the IP addresses associated with xxx Ltd returned the findings below.

Our team did not attempt exploitation to confirm the attack chain, but each result should be reviewed

and remediated based on its severity and exposure.

Recommendation

Apply TCP timestamp disabling at the OS level for the origin server (XXXX). Block ICMP

timestamp messages at the perimeter firewall. For Cloudflare-fronted IPs, these findings may be at the

CDN edge layer and can be reviewed with Cloudflare support.

IP ADDRESS FINDING SEVERITY CVSS

XXX TCP Timestamps Information Disclosure Low 2.6

XXX TCP Timestamps Information Disclosure Low 2.6

XXX TCP Timestamps Information Disclosure Low 2.6

XXX ICMP Timestamp Reply Information Disclosure Low 2.1

TCP Timestamps Information Disclosure [Low] CVSS: 2.6

INSIGHT

The remote hosts implement TCP timestamps as defined by RFC 1323/RFC 7323. A side effect of this feature is

that the system uptime can sometimes be calculated from the monotonically increasing timestamp values

returned in TCP responses.

IMPACT

Uptime information provides an attacker with intelligence on patching cadence and server availability. This is a

low-severity information disclosure finding with no direct exploitability.

DISCOVERY PROCESS

Specially crafted IP packets were sent with controlled delays between them. Responses were inspected for TCP

timestamp option values. Uptime was computed from the gradient of timestamp values over time.

Solved

4 Replies

heylookalive
HOBBYOP

20 days ago

SOLUTION

• Linux: Add 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf, then run 'sysctl -p'

• Windows: Run 'netsh int tcp set global timestamps=disabled' (note: Windows Server 2008+ cannot fully

disable this when a TCP peer initiates with timestamps)

AFFECTED HOSTS (3)

XXXXX

ICMP Timestamp Reply Information Disclosure [Low] CVSS: 2.1

INSIGHT

The remote host responded to an ICMP Timestamp (Type 13) request with a Timestamp Reply (Type 14). The

reply includes originating, receive, and transmit timestamps.

IMPACT

EXTERNAL IP VULNERABILITY ANALYSISCREATED FOR: xxx Ltd | DATE: Jun 15,

2026

The timestamp information could theoretically be used to exploit weak time-based random number generators in

other services on the same host.

SOLUTION

• Disable ICMP timestamp support on the host OS

• Block ICMP type 13/14 at the perimeter firewall in both directions for untrusted networks


20 days ago

The benefits of TCP timestamps likely outweigh any perceived risks, especially in Railway's case, so I don't think I would expect this to be changed.

Your application itself is much more likely to be compromised/exploited than the hosts that actually run your containers.


20 days ago

I say perceived, because they're not real risks IMO. If a system is vulnerable, it is vulnerable. Obscuring that at the expense of reliability still leaves you vulnerable, you're just worse off for it.


20 days ago

Well said


Status changed to Solved brody 20 days ago


Welcome!

Sign in to your Railway account to join the conversation.

Loading...