Should I Disable TCP Timestamp for Kubernetes?

According to RFC 1323 (TCP Extensions for High Performance), the TCP Timestamp option is used for two main mechanisms:

  • PAWS (Protect Against Wrapped Sequence)
  • RTT (Round Trip Time)

PAWS is a defense mechanism for identifying and rejecting packets that arrived from another wrap of the sequence-number space (data integrity).

Round Trip Time is the time it takes for a packet to reach the destination and for the acknowledgment to be sent back to the device it originated from.

What can happen when you disable TCP Timestamps:

  • Turning off TCP Timestamps can result in performance issues because RTT measurement would stop working.
  • It will disable PAWS.
  • As the McAfee site says, disabling timestamps can allow denial-of-service attacks.

As previously mentioned, McAfee's site says:

For these reasons, McAfee strongly recommends keeping this feature enabled and considers the vulnerability as low.

-- McAfee

Citation from another site:

Vulnerabilities in TCP Timestamps Retrieval is a Low risk vulnerability that is one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve or prone to being overlooked entirely.

-- Beyond Security

I would encourage you to watch this video: HIP15-TALK: Exploiting TCP Timestamps.

What about GKE?

Learning the boot time (uptime in this case) can reveal which security patches have not been applied to the cluster, and that can lead to exploitation of those unpatched vulnerabilities.

The best way to approach that would be to regularly update the existing cluster. GKE implements two ways of doing that:

Even if an attacker knows the boot time of your machine, it will be useless because the system is up to date and all the security patches are applied. There is a dedicated site for Kubernetes Engine security bulletins: Security bulletins
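The two mechanisms described at the top of this answer, PAWS and RTT measurement, as a small Python model added here as an example (not code from the original answer or from RFC 1323); the timestamp clock is a constructed 1 ms tick counter and every value is illustrative:

```python
from dataclasses import dataclass
from typing import Optional

TS_MOD = 1 << 32  # TSval/TSecr are 32-bit fields, so the clock wraps


def ts_newer(a: int, b: int) -> bool:
    """True if timestamp a is later than b under 32-bit modular arithmetic
    (RFC 1323 compares timestamps by signed 32-bit subtraction)."""
    diff = (a - b) % TS_MOD
    return 0 < diff < TS_MOD // 2


@dataclass
class Segment:
    seq: int    # sequence number of the first byte
    tsval: int  # sender's timestamp clock value
    tsecr: int  # echo of the most recent timestamp received from the peer


@dataclass
class Receiver:
    """Minimal timestamp state of a TCP endpoint (window/ACK checks omitted)."""
    ts_recent: Optional[int] = None  # TS.Recent from RFC 1323

    def paws_accept(self, seg: Segment) -> bool:
        """PAWS: a segment whose TSval is older than TS.Recent comes from an
        earlier wrap of the sequence space (or is a late duplicate): drop it."""
        if self.ts_recent is not None and ts_newer(self.ts_recent, seg.tsval):
            return False
        self.ts_recent = seg.tsval
        return True

    def sample_rtt(self, seg: Segment, now: int) -> int:
        """RTTM: the peer echoes our clock in TSecr, so RTT = now - TSecr
        (mod 2^32). With timestamps disabled this sample does not exist."""
        return (now - seg.tsecr) % TS_MOD


def demo() -> dict:
    """Constructed scenario in 1 ms clock ticks; all values are illustrative."""
    rx = Receiver()
    fresh = Segment(seq=1000, tsval=5000, tsecr=0)
    stale = Segment(seq=1000, tsval=4200, tsecr=0)  # same seq, older clock
    accepted_fresh = rx.paws_accept(fresh)  # True: first segment seen
    accepted_stale = rx.paws_accept(stale)  # False: PAWS rejects it
    wrap_ok = ts_newer(5, TS_MOD - 10)      # True: clock has just wrapped
    # We sent with TSval 7000, the peer echoed it, our clock now reads 7042.
    rtt = rx.sample_rtt(Segment(seq=2000, tsval=9100, tsecr=7000), now=7042)
    return {"fresh": accepted_fresh, "stale": accepted_stale,
            "wrap_ok": wrap_ok, "rtt_ms": rtt}
```

Without the option, the stale segment in demo() would be judged on its sequence number alone and the RTT sample would have to come from timers instead.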