TCP_Timestamp

Hi

We have hosted a website using ReHad 5.2 and Apache Foundation. This was working fine but all of sudden the performance dropped and it takes 90secs to load the page.

We did various investigations in Network devices like Cisco CSM, Juniper Firewall, Cisco FWSM etc.. and did packet capture and found the Apache server is not responding for SYN request from client. After we did google and found an option saying disable the TCP_Timestamp.

As soon as we did the tcp_timestamp off in Apache server, the website performance returned to normal...!!!

Is anyone faced this kind of issue? Any idea why all of sudden Server created this problem? Do we need to install any patch? Is it a bug in Linux?

Please advice...

Thanks in Advance for you help

TCP Timestamps normally add around 12 bytes to the TCP header if I remember correctly, thus increasing the overhead, but it also a good idea to disable them in the system (IPv4) as they are relative to real time and a hacker could potentially figure the time since the system's last rebooted.

I don't know though how it would impact the server's performance to the point you are describing, unless the system was under attack; Did you manage to see if there were hundreds of connections to the server - something that would indicate hackers were trying to use this exploit-security hole?

Hi Chris

These are webservers, normally they would have about 1000-2000 connections. I don't see increase in number of connections....

Is there any other way to check whether these webservers were under attack?

Thanks
Mahendra