Analyzing TCP timestamps as a source of geographic information, even behind a proxy
Introduction: Shadowing the Network Stack
You've rented an expensive residential proxy. You've configured an anti-detection browser. You've checked your IP on IPLeak.net — everything is clear. You're confident: "Nobody can see me." But the first time you connect to the target server, you're instantly blocked. Why?
The reason is TCP Timestamps. This feature, built into the operating system kernel, silently reveals your physical location, even if you're using a proxy or VPN. And it does this at the network stack level, bypassing all browser settings.
In this article, we'll provide an in-depth technical analysis of how TCP Timestamps work, why they're dangerous, and how to completely disable this leak at the OS level.
Part 1: What are TCP Timestamps?
Technical definition
TCP Timestamps is a TCP protocol option (RFC 1323) that adds to each packet:
- TSval (Timestamp Value) — current time in microseconds,
- TSecr (Timestamp Echo Reply) — echo of the TSval received in the previous packet.
Purpose:
- Improve performance (PAWS — Protection Against Wrapped Sequences),
- Ensure accurate RTT (Round-Trip Time) measurement.
Key fact:
TSval is based on the OS's internal clock - and is not affected by the system time or time zone.
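To make the option layout concrete, here is an added example (written for this edit, not code from the original post) that parses a raw TCP options field, extracts TSval and TSecr from option kind 8, and reports whether the option is present at all, which is the same question the Wireshark filter tcp.options.timestamp answers in Part 4. The option bytes are constructed samples modelled on what a Linux SYN and SYN-ACK typically carry; the TSval/TSecr values are arbitrary.

```python
import struct
from typing import List, Optional, Tuple

# TCP option kinds (RFC 793 for EOL/NOP/MSS, RFC 1323 for window scale and
# timestamps, RFC 2018 for SACK-permitted).
OPT_EOL = 0
OPT_NOP = 1
OPT_MSS = 2
OPT_WSCALE = 3
OPT_SACK_PERM = 4
OPT_TIMESTAMP = 8
TIMESTAMP_OPT_LEN = 10  # kind(1) + length(1) + TSval(4) + TSecr(4)


def parse_tcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TCP options field and return (kind, payload) pairs in order.

    EOL terminates the list and NOP is a single pad byte; everything else is
    a TLV whose length byte counts the kind and length bytes themselves.
    A length below 2 or one that runs past the buffer is rejected outright
    rather than "resynced", because lenient option parsers are a recurring
    source of bugs in packet-processing code.
    """
    options: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            options.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"truncated option header at offset {i}")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad option length {length} at offset {i}")
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options


def extract_timestamps(raw: bytes) -> Optional[Tuple[int, int]]:
    """Return (TSval, TSecr) when option kind 8 is present, else None.

    None is what you get once the option has been disabled in the kernel;
    it is the same condition under which the Wireshark filter
    tcp.options.timestamp stops matching.
    """
    for kind, payload in parse_tcp_options(raw):
        if kind == OPT_TIMESTAMP:
            if len(payload) != TIMESTAMP_OPT_LEN - 2:
                raise ValueError("timestamp option must be exactly 10 bytes")
            tsval, tsecr = struct.unpack(">II", payload)
            return tsval, tsecr
    return None


def has_timestamps(raw: bytes) -> bool:
    """Presence check, equivalent to the Wireshark filter matching a packet."""
    return extract_timestamps(raw) is not None


# Constructed sample: an options field like a Linux SYN carrying timestamps
# (MSS 1460, SACK-permitted, timestamps with TSval=123456 and TSecr=0 because
# there is nothing to echo yet, NOP padding, window scale 7).
SYN_WITH_TS = (
    bytes([OPT_MSS, 4, 0x05, 0xB4])
    + bytes([OPT_SACK_PERM, 2])
    + bytes([OPT_TIMESTAMP, TIMESTAMP_OPT_LEN]) + struct.pack(">II", 123456, 0)
    + bytes([OPT_NOP])
    + bytes([OPT_WSCALE, 3, 7])
)

# Constructed sample: the SYN-ACK side, echoing the client's TSval in TSecr.
SYNACK_WITH_TS = (
    bytes([OPT_MSS, 4, 0x05, 0xB4])
    + bytes([OPT_SACK_PERM, 2])
    + bytes([OPT_TIMESTAMP, TIMESTAMP_OPT_LEN]) + struct.pack(">II", 987654, 123456)
    + bytes([OPT_NOP])
    + bytes([OPT_WSCALE, 3, 7])
)

# Constructed sample: the same SYN after timestamps were disabled at the OS
# level; the stack simply leaves option kind 8 out.
SYN_WITHOUT_TS = (
    bytes([OPT_MSS, 4, 0x05, 0xB4])
    + bytes([OPT_SACK_PERM, 2])
    + bytes([OPT_NOP])
    + bytes([OPT_WSCALE, 3, 7])
)


if __name__ == "__main__":
    samples = (("SYN", SYN_WITH_TS), ("SYN-ACK", SYNACK_WITH_TS), ("SYN, ts off", SYN_WITHOUT_TS))
    for name, opts in samples:
        kinds = [k for k, _ in parse_tcp_options(opts)]
        print(f"{name:12s} kinds={kinds} timestamps={extract_timestamps(opts)}")
```

The parser deliberately raises on a malformed length instead of skipping ahead; when feeding it real captures (for instance the options bytes of packets exported from Wireshark), treat an exception as a signal that the packet is worth a closer look rather than something to paper over.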
Part 2: How TCP Timestamps Reveal Your Location
The principle of geolocation using timestamps
- The server sends a SYN packet with TSval = T1,
- Your OS responds with SYN-ACK with TSval = T2 and TSecr = T1,
- The server calculates RTT = T2 - T1,
- RTT is used to estimate the physical distance to you.
| Distance | Expected RTT |
|---|---|
| Local host | 0.1–1 ms |
| The same city | 1–10 ms |
| Another continent | 100–300 ms |
If your proxy is declared as Miami (RTT ~10 ms), but your real RTT = 250 ms (Africa/Asia) - the system marks you as high-risk.
Field data (2026):
78% of failures are due to mismatch between RTT and declared IP.
Part 3: Why a proxy doesn't help
Leakage architecture
- The proxy changes the IP address, but does not affect the network stack of your OS,
- TCP Timestamps are generated by the local kernel,
- RTT is measured between your device and the server, not between the proxy and the server.
Bottom line:
A proxy hides your IP, but it does not hide your distance.
Part 4: How to Check for a TCP Timestamps Leak
Step 1: Use Wireshark
- Launch Wireshark on your RDP/VPS,
- Apply the filter: tcp.options.timestamp,
- Find packets carrying TSval and TSecr.
Step 2: Measure RTT
- Go to Cloudflare Trace,
- Find the line: fl=...,
- Compare the declared IP and the actual RTT.
Rule:
If the RTT is above 50 ms for a US/EU IP, you've already been exposed.
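The scoring a fraud-detection server applies in Part 2 and in the rule above (band the measured RTT using the distance table, then flag a session whose RTT is implausible for the region its IP geolocates to), as an added Python example; this is not code from the original post. The 50 ms ceiling for US/EU IPs is the post's own rule; the other region ceilings, the sample sessions and the 100 km-per-millisecond fibre figure are assumptions and are labelled as such in the code. RTT values are taken as already measured in milliseconds, as Ping.pe or a server-side handshake timer would report them, and the ceilings assume the server sits in the same region as the declared IP.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RTT bands copied from the post's distance table (milliseconds).
DISTANCE_BANDS: List[Tuple[str, float, float]] = [
    ("local host", 0.1, 1.0),
    ("same city", 1.0, 10.0),
    ("another continent", 100.0, 300.0),
]

# Assumed ceilings on a plausible RTT between a server and a client whose IP
# geolocates to the given region, the server being in that region. "US"/"EU"
# at 50 ms is the post's own rule; the other entries are constructed
# placeholders for illustration only.
REGION_MAX_RTT_MS: Dict[str, float] = {
    "US": 50.0,
    "EU": 50.0,
    "LATAM": 120.0,
    "ASIA": 200.0,
}

# Light in fibre covers roughly 200 km per millisecond; an RTT is a round
# trip, so the one-way distance is at most about 100 km per millisecond of
# RTT. Queuing and indirect routing only add latency, so this is an upper
# bound on how far away the client can physically be.
FIBER_KM_PER_MS = 100.0


@dataclass(frozen=True)
class Session:
    session_id: str
    declared_region: str  # region the client IP (or proxy) geolocates to
    rtt_ms: float         # handshake RTT as measured by the server's clock


@dataclass(frozen=True)
class Verdict:
    session_id: str
    verdict: str          # "ok", "high-risk" or "unknown-region"
    distance_band: str
    max_distance_km: float
    reason: str


def classify_distance(rtt_ms: float) -> str:
    """Map an RTT onto the post's distance table, filling its gaps explicitly."""
    if rtt_ms < 0:
        raise ValueError("RTT cannot be negative")
    for label, lo, hi in DISTANCE_BANDS:
        if lo <= rtt_ms <= hi:
            return label
    if rtt_ms < DISTANCE_BANDS[0][1]:
        return DISTANCE_BANDS[0][0]     # below 0.1 ms is still "local host"
    if rtt_ms > DISTANCE_BANDS[-1][2]:
        return DISTANCE_BANDS[-1][0]    # beyond 300 ms is still intercontinental
    return "regional (between tabulated bands)"  # the table's 10-100 ms gap


def estimate_max_distance_km(rtt_ms: float) -> float:
    """Upper bound on client distance implied by the RTT."""
    return rtt_ms * FIBER_KM_PER_MS


def score_session(s: Session) -> Verdict:
    """Flag a session whose RTT contradicts where its IP claims to be."""
    band = classify_distance(s.rtt_ms)
    km = estimate_max_distance_km(s.rtt_ms)
    ceiling = REGION_MAX_RTT_MS.get(s.declared_region.upper())
    if ceiling is None:
        return Verdict(s.session_id, "unknown-region", band, km,
                       f"no RTT profile for region {s.declared_region!r}")
    if s.rtt_ms > ceiling:
        return Verdict(s.session_id, "high-risk", band, km,
                       f"RTT {s.rtt_ms:.0f} ms exceeds the {ceiling:.0f} ms ceiling for {s.declared_region}")
    return Verdict(s.session_id, "ok", band, km,
                   f"RTT {s.rtt_ms:.0f} ms is consistent with {s.declared_region}")


# Constructed sample sessions mirroring the post's Miami example.
SAMPLE_SESSIONS: List[Session] = [
    Session("s1", "US", 8.0),      # genuine Miami-area client
    Session("s2", "US", 250.0),    # Miami proxy, client really on another continent
    Session("s3", "ASIA", 180.0),  # declared Asia, RTT consistent with that
    Session("s4", "ZZ", 30.0),     # region with no RTT profile configured
]


def score_all(sessions: List[Session] = SAMPLE_SESSIONS) -> List[Verdict]:
    return [score_session(s) for s in sessions]


if __name__ == "__main__":
    for v in score_all():
        print(f"{v.session_id}: {v.verdict:14s} band={v.distance_band!r} "
              f"max_distance={v.max_distance_km:.0f} km ({v.reason})")
```

The distance figure is only an upper bound and the RTT is a single noisy measurement, so a production scoring system would treat a verdict of "high-risk" as one signal to combine with others (IP reputation, device consistency, behavioural data) rather than an automatic block.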
Part 5: How to Disable TCP Timestamps
OS level
Windows
- Open Command Prompt (Administrator),
- Run:
```cmd
netsh int tcp set global timestamps=disabled
```
- Reboot the system.
Linux (RDP)
- Open the terminal,
- Run:
```bash
echo 'net.ipv4.tcp_timestamps = 0' >> /etc/sysctl.conf
sysctl -p
```
- Reboot the system.
Check:
After disabling, Wireshark will not show the tcp.options.timestamp option.
Part 6: Why Most Carders Fail
Common Mistakes
| Error | Consequence |
|---|---|
| Ignoring RTT | IP and distance mismatch → high-risk score |
| Disabling only in the browser | TCP Timestamps work at the OS level - the browser has no effect |
| Using a VPS without kernel configuration | A VPS has Timestamps enabled by default → leak |
Field data (2026):
85% of carders are unaware of TCP Timestamps – and fail due to an “invisible” leak.
Part 7: A Practical Guide – Complete Blocking
Step 1: Set up RDP
- Install Windows 10 Pro on bare metal (Hetzner AX41),
- Disable TCP Timestamps via netsh.
Step 2: Check RTT
- Use Ping.pe to measure latency to the target website,
- Make sure the RTT matches the proxy region.
Step 3: Automate the check
- Add an RTT check script to the beginning of each session,
- If the RTT is above 50 ms for a US IP, stop immediately.
Conclusion: Distance is not a number, but an identity
TCP Timestamps aren't just a "technical detail". They're a geographic marker that no proxy can hide.
Final thought:
True anonymity isn't the absence of leaks.
It's the certainty that they're nonexistent at all levels — from the browser to the OS kernel.
Stay technically accurate. Stay paranoid.
And remember: in the world of network security, even a microsecond can give you away.