
> Another obscure one in the raw table I use when I do not need or expect cell phones to hit a port and this happens because most cell phones enable TCP timestamps which usually bumps their TCP SYN length to 60. Why cell phones? Modern bot farms seem to be using many old cell phones to launch their attacks and I have no idea why.

I was pretty sure Mac OS enables TCP Timestamps by default. The only platform that doesn't tend to is Windows? AFAIK. TCP Timestamps are useful for Protection Against Wrapped Sequence numbers, which is sometimes relevant, and often used to get round trip time estimates (although there's lots of other ways for that too, so IMHO, kind of a waste of bytes).



> The only platform that doesn't tend to is Windows?

I believe that is correct. It is an obscure thing to even consider and prone to blocking legit systems but useful if one has Ansible scripts to enable "Threatcon Alpha" so to speak when under an attack and even then I only use that on specific ports. It's less common these days for any of my nodes to take on attacks as I mostly share my unpopular opinions here now.

Another Windows vs Linux/Mac default is the packet TTL. Linux/Mac/BSD is 64 and Windows is 128. This is only useful in TCP as it decrements in UDP but useful to see some bots that set really high TTLs. There is an IPTables module to make decisions based on TTL.
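The two signals the thread relies on (initial TTL of 64 vs 128, and a SYN whose TCP header is padded out to 40 bytes, so 60 bytes total, by the timestamps option) can be checked directly off the wire. The parser below is an added example written for this thread, not code from either commenter; the two SYN packets it inspects are constructed inline (Linux-style options with timestamps, Windows-style options without), the checksums are left as zero, and the TTL bucketing is a heuristic that assumes an observed TTL is the sender's default minus the hops it has crossed.

```python
import struct

# TCP option kinds and flag bits used below (RFC 793 / RFC 7323 values)
TCP_OPT_END = 0
TCP_OPT_NOP = 1
TCP_OPT_TIMESTAMPS = 8
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def build_syn(ttl: int, options: bytes) -> bytes:
    """Assemble a constructed IPv4 + TCP SYN packet (checksums left as zero)."""
    options = options + b"\x00" * (-len(options) % 4)  # pad to 32-bit boundary
    data_offset = (20 + len(options)) // 4              # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH",
                      54321, 443, 1000, 0,              # ports, seq, ack
                      data_offset << 4, TCP_FLAG_SYN,   # data offset nibble, flags
                      65535, 0, 0) + options            # window, checksum, urgent ptr
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0x4000,     # v4/IHL=5, TOS, len, id, DF
                     ttl, 6, 0,                         # TTL, proto=TCP, checksum
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))  # documentation addrs
    return ip + tcp


def parse_syn(pkt: bytes) -> dict:
    """Extract the fields the thread keys on: TTL, total length, TCP header length, timestamps."""
    version_ihl, _, total_len, _, _, ttl, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if version_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (version_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    tcp_hdr_len = (tcp[12] >> 4) * 4
    flags = tcp[13]
    opts = tcp[20:tcp_hdr_len]

    kinds = []
    i = 0
    while i < len(opts):                      # walk the TLV option list
        kind = opts[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                             # malformed length: stop rather than loop
        kinds.append(kind)
        i += opts[i + 1]

    return {
        "ttl": ttl,
        "ip_total_len": total_len,
        "tcp_hdr_len": tcp_hdr_len,
        "syn_only": (flags & (TCP_FLAG_SYN | TCP_FLAG_ACK)) == TCP_FLAG_SYN,
        "has_timestamps": TCP_OPT_TIMESTAMPS in kinds,
    }


def guess_stack(info: dict) -> str:
    """Heuristic from the thread: default TTL 64 -> Linux/Mac/BSD, 128 -> Windows.
    Observed TTL has already been decremented per hop, so bucket by the next default above it."""
    ttl = info["ttl"]
    if 0 < ttl <= 64:
        return "linux-family"
    if 64 < ttl <= 128:
        return "windows-family"
    return "unknown"


# Constructed option sets: typical Linux SYN (MSS, SACK-permitted, timestamps, NOP, wscale)
LINUX_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
              + b"\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"
              + b"\x01" + b"\x03\x03\x07")
# and a typical Windows SYN (MSS, NOP, wscale, NOP, NOP, SACK-permitted), no timestamps
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"

LINUX_SYN = build_syn(64, LINUX_OPTS)
WINDOWS_SYN = build_syn(128, WINDOWS_OPTS)

if __name__ == "__main__":
    for name, pkt in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN), ("linux-7-hops", build_syn(57, LINUX_OPTS))):
        info = parse_syn(pkt)
        print(name, info, "->", guess_stack(info))
```

Because the option list is walked as TLVs rather than pattern-matched on raw bytes, reordering or NOP padding does not hide the timestamps option, and a bad length byte ends the walk instead of looping; the same fields are what a raw-table length or TTL match would be keyed on, so this is a convenient way to check a rule against a sample before deploying it.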




