From: Mike Allen
Date: Wed, 11 Apr 2001 23:08:41 -0700
To: Mike Silbersack
Cc: Mark T Roberts, freebsd-security@FreeBSD.ORG
Subject: Re: non-random IP IDs

Predictable IP ID numbers can be used by an attacker to hijack your session
causing the following effects:

1. The successful attacker can 'take over' your session and do anything
   he/she wants to do with your files. No log will show anything unusual.
   The user only sees a momentary 'glitch' or retransmission error and may
   have to log in again but will usually ignore such errors.

2. Security measures are generally ineffective against this attack.
   Whatever you may do regarding passwords is effectively bypassed because
   the attack begins after you have already been authenticated.

Encrypted sessions can be a successful counter-measure along with encrypted
files.

As a Unix System Admin, I discovered this attack on a user's files by
comparing login times and durations and the user's unusual work schedule.

Mike Allen
Independent Consultant

Mike Silbersack wrote:
>
> On Thu, 12 Apr 2001, Mark T Roberts wrote:
>
> > The other night I did a nessus security scan on my FreeBSD box and I got the
> > following warning. I am hoping someone on this mailing list can give me a
> > better idea what this warning means.
> >
> > Thanks
> > Mark
> >
> > NESSUS Warning...
> > The remote host uses non-random IP IDs, that is, it is
> > possible to predict the next value of the ip_id field of
> > the ip packets sent by this host.
>
> Each IP packet sent has with it a 16-bit ID. The numbers must remain
> unique over a short period of time so fragmentation can work properly. As
> such, everything except recent OpenBSDs simply increments the id by 1 for
> each packet sent out.
>
> As a result, you can tell the number of packets sent on an idle host by
> seeing the difference in id numbers for the packets it sends back to you.
> It's not really that important of an issue, don't worry about it.
>
> Mike "Silby" Silbersack
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
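
The per-packet counter Mike Silbersack describes, and the check behind the Nessus warning, can be reproduced on IP ID values sampled from the replies of a host you administer. The following Python is an added example, not part of the original thread; the function names, the max_step threshold and the sample values are assumptions constructed for illustration, and it goes slightly beyond the thread by also recognising a counter sent in swapped byte order.

```python
# Added example: classify IP ID values sampled from one host's replies.
MOD = 1 << 16  # ip_id is a 16-bit field, so differences wrap at 65536

def deltas(ids):
    """Forward differences between consecutive IDs, modulo 2**16."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]

def swap16(v):
    """Swap the two bytes of a 16-bit value (counter sent without htons)."""
    return ((v & 0xFF) << 8) | (v >> 8)

def classify(ids, max_step=10):
    """Return 'all-zero', 'constant', 'incremental',
    'incremental-byteswapped' or 'random' for a list of sampled IDs.
    max_step is an assumed threshold: small forward steps indicate one
    global counter, with the host's other traffic explaining steps > 1."""
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if all(v == 0 for v in ids):
        return "all-zero"
    if len(set(ids)) == 1:
        return "constant"
    if all(0 < d <= max_step for d in deltas(ids)):
        return "incremental"
    if all(0 < d <= max_step for d in deltas([swap16(v) for v in ids])):
        return "incremental-byteswapped"
    return "random"

def packets_between(ids):
    """For an incremental host: packets it sent elsewhere between each
    pair of samples (the delta minus the one reply we received)."""
    return [d - 1 for d in deltas(ids)]

# Constructed samples, not captured from any real host.
IDLE_COUNTER = [65533, 65534, 65535, 0, 1]    # +1 per packet, wraps at 2**16
BUSY_COUNTER = [100, 104, 105, 111]           # counter shared with other traffic
RANDOMIZED = [41822, 3097, 60511, 17, 29940]  # no usable pattern

if __name__ == "__main__":
    for name, sample in [("idle", IDLE_COUNTER), ("busy", BUSY_COUNTER),
                         ("randomized", RANDOMIZED)]:
        print(name, classify(sample))
    print("other packets between samples:", packets_between(BUSY_COUNTER))
```

A host that classifies as incremental is the one the warning is about: the gaps reported by packets_between are exactly the traffic-volume leak described in the quoted reply.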