From owner-freebsd-security Thu Apr 12 1:17:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 9970737B53A for ; Thu, 12 Apr 2001 01:17:02 -0700 (PDT) (envelope-from avalon@caligula.anu.edu.au)
Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id SAA09404; Thu, 12 Apr 2001 18:16:48 +1000 (EST)
From: Darren Reed
Message-Id: <200104120816.SAA09404@caligula.anu.edu.au>
Subject: Re: non-random IP IDs
To: silby@silby.com (Mike Silbersack)
Date: Thu, 12 Apr 2001 18:16:48 +1000 (Australia/ACT)
Cc: newsletter@marktroberts.com (Mark T Roberts), freebsd-security@FreeBSD.ORG
In-Reply-To: from "Mike Silbersack" at Apr 12, 2001 12:40:32 AM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Mike Silbersack, sie said:
>
>
> On Thu, 12 Apr 2001, Mark T Roberts wrote:
>
> > The other night I did a nessus security scan on my FreeBSD box and I got the
> > following warning. I am hoping someone on this mailing list can give me a
> > better idea what this warning means.
> >
> > Thanks
> > Mark
> >
> > NESSUS Warning...
> > The remote host uses non-random IP IDs, that is, it is
> > possible to predict the next value of the ip_id field of
> > the ip packets sent by this host.
>
> Each IP packet sent has with it a 16-bit ID. The numbers must remain
> unique over a short period of time so fragmentation can work properly. As
> such, everything except recent OpenBSDs simply increments the id by 1 for
> each packet sent out.
>
> As a result, you can tell the number of packets sent on an idle host by
> seeing the difference in id numbers for the packets it sends back to you.
> It's not really that important of an issue, don't worry about it.

Except when said idle host is behind a firewall, you can gauge, with a better amount of surety, if the firewall is dropping packets vs packets just being lost on the 'net.

Darren
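
A sketch of the kind of check the Nessus warning quoted above describes, for auditing your own host from ip_id values you have recorded from its replies. This is an added example, not part of the original thread and not Nessus's own code; the function names, the `max_step` threshold and the sample sequences are assumptions made for illustration.

```python
# Added example: classify a host's IP ID behaviour from observed ip_id values.
# The sample sequences at the bottom are constructed, not captured traffic.

MOD = 1 << 16  # ip_id is a 16-bit field, so differences wrap at 65536


def deltas(ids):
    """Differences between consecutive IDs, taken modulo 2**16."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]


def classify(ids, max_step=256):
    """Return 'constant', 'incremental' or 'random' for a list of ip_id values.

    'incremental' means every step is a small positive increase, which is what
    a single per-packet counter produces. max_step is an assumed threshold.
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    d = deltas(ids)
    if all(x == 0 for x in d):
        return "constant"
    if all(0 < x <= max_step for x in d):
        return "incremental"
    return "random"


def other_packets(ids):
    """For a counter that increments by 1 per packet: each delta, minus the
    one reply that was observed, is the number of packets sent elsewhere."""
    return [x - 1 for x in deltas(ids)]


# Constructed samples
IDLE = [65533, 65534, 65535, 0, 1]          # idle host, counter wraps past 65535
BUSY = [1000, 1004, 1005, 1011, 1012]       # host also sending other traffic
RANDOMIZED = [41873, 902, 60011, 23456, 7]  # randomized IDs

if __name__ == "__main__":
    for name, s in (("idle", IDLE), ("busy", BUSY), ("randomized", RANDOMIZED)):
        print(name, classify(s), deltas(s))
    print("other packets between replies (busy):", other_packets(BUSY))
```

A host classified as `incremental` is the case the warning is about; one classified as `random` gives no usable count from `other_packets`.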