Date:      Wed, 11 Apr 2001 23:08:41 -0700
From:      Mike Allen <mikeallen99@home.com>
To:        Mike Silbersack <silby@silby.com>
Cc:        Mark T Roberts <newsletter@marktroberts.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: non-random IP IDs
Message-ID:  <3AD54669.EEF91A5C@home.com>
References:  <Pine.BSF.4.31.0104120035120.2153-100000@achilles.silby.com>

Predictable IP ID numbers can be used by an attacker to hijack your
session, causing the following effects:

  1.  The successful attacker can 'take over' your session and
      do anything he/she wants to do with your files.  No log
      will show anything unusual.  The user only sees a momentary
      'glitch' or retransmission error and may have to log in
      again but will usually ignore such errors.

  2.  Security measures are generally ineffective against this attack.
      Whatever you may do regarding passwords is effectively bypassed
      because the attack begins after you have already been
      authenticated.  Encrypted sessions can be a successful
      counter-measure along with encrypted files.

As a Unix System Admin, I discovered this attack on a user's files by
comparing login times and durations and the user's unusual work
schedule.

Mike Allen
Independent Consultant
 
Mike Silbersack wrote:
> 
> On Thu, 12 Apr 2001, Mark T Roberts wrote:
> 
> > The other night I did a nessus security scan on my FreeBSD box and I got the
> > following warning.  I am hoping someone on this mailing list can give me a
> > better idea what this warning means.
> >
> > Thanks
> > Mark
> >
> > NESSUS Warning...
> > The remote host uses non-random IP IDs, that is, it is
> > possible to predict the next value of the ip_id field of
> > the ip packets sent by this host.
> 
> Each IP packet sent has with it a 16-bit ID.  The numbers must remain
> unique over a short period of time so fragmentation can work properly.  As
> such, everything except recent OpenBSDs simply increments the id by 1 for
> each packet sent out.
> 
> As a result, you can tell the number of packets sent on an idle host by
> seeing the difference in id numbers for the packets it sends back to you.
> It's not really that important of an issue, don't worry about it.
> 
> Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
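
The check behind the Nessus warning quoted above can be reproduced offline when auditing your own hosts. The following is an added example, not code from this thread or from Nessus: it classifies a series of ip_id values taken from a host's replies and, for an incrementing host, derives the packet counts Silbersack describes. The function names, the `max_step` threshold and the sample ID lists are assumptions constructed for illustration.

```python
MOD = 1 << 16  # ip_id is a 16-bit field, so differences wrap at 65536


def deltas(ids):
    """Forward differences between consecutive observed IDs, modulo 2**16."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]


def classify(ids, max_step=256):
    """Return 'constant', 'incremental' or 'random' for observed IP IDs.

    max_step is an assumed threshold: a global counter that advances by 1
    per packet moves only a little between closely spaced probes, while
    randomized IDs jump anywhere in the 16-bit space.
    """
    if len(ids) < 4:
        raise ValueError("need at least 4 samples to judge predictability")
    d = deltas(ids)
    if all(x == 0 for x in d):
        return "constant"
    if all(0 < x <= max_step for x in d):
        return "incremental"
    return "random"


def other_packets(ids):
    """For an incremental host: packets it sent elsewhere between our probes.

    Each reply to us consumes one ID, so anything beyond 1 per step is
    traffic the host sent to someone else.
    """
    return [x - 1 for x in deltas(ids)]


# Constructed samples (not captured traffic).
IDLE_HOST = [65533, 65534, 65535, 0, 1]      # counter wraps past 65535
BUSY_HOST = [1000, 1004, 1011, 1013, 1020]   # counter shared with other traffic
RANDOMIZED = [40213, 1177, 58820, 23001, 9]  # randomized ip_id

if __name__ == "__main__":
    for name, ids in [("idle", IDLE_HOST), ("busy", BUSY_HOST),
                      ("randomized", RANDOMIZED)]:
        verdict = classify(ids)
        extra = other_packets(ids) if verdict == "incremental" else "n/a"
        print(f"{name:11s} {verdict:12s} other packets per interval: {extra}")
```
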