LinuxQuestions.org
Old 08-18-2004, 12:37 AM   #1
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
Nessus reports non-random IP ID on Fedora Core 2


After a very long time, I decided to point the Nessus scanners at my system... I was surprised to see Nessus come up with this:

Quote:
Warning general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.
2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low
Nessus ID : 10201

I scanned a RH9 system and nessus did not detect this problem.
Scanned Win2K and this problem was detected.
Unfortunately I do not have a FC1 on my network.
Scanned Slackware 10 (2.4 kernel) and it did not come up with this problem.

Did some "googling" and found some SuSE reports dated 2001.

Is this problem new to 2.6 kernels?

My config is FC2, all patches current (up to the minute).

Update 01:
Found a FC1 upgraded to FC2 ... still running the 2.4 kernel and nessus did not report the above problem.

Update 02:
Ignore update 01. IPtables was running on the scanned system. The kernel was 2.6.5. Scanned again after disabling iptables. Surprisingly the "non-random IP ID" problem was not detected.

Update 03:
Scanned another FC2 system running 2.6.6 kernel and this problem was not detected.

Update 04:
Upgraded a FC2 system to latest kernel 2.6.7 and this problem was not detected.
Something to do with my system???


Last edited by ppuru; 08-18-2004 at 02:38 AM.
 
Old 08-18-2004, 08:05 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I observed this behavior as well. I'm not sure if there is a bug in Nessus or truly a problem with Fedora's TCP/IP stack. I was going to re-run the Nessus check with only that test this weekend and try and get a tcpdump of the session in order to see if the IP IDs are truly non-random. If you want to do it, I'd be interested to see the output. Probably can get a bug report out of it.
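
The capture check suggested in the post above, as an added example that is not part of the thread or of Nessus: it reads saved `tcpdump -n -v` text, groups the IP ID values by source address, and labels each host's sequence. The classification is a heuristic of this example, not the logic of Nessus ID 10201; the `max_step` bound, the helper names and the 192.0.2.x / 198.51.100.x sample addresses are assumptions.

```python
import re
from collections import defaultdict

HDR = re.compile(r"\bid (\d+),")                              # IP header line
SRC = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > ")    # indented address line

def ip_ids_by_source(text):
    """Group IP ID values by source address from `tcpdump -n -v` text."""
    ids, pending = defaultdict(list), None
    for line in text.splitlines():
        hdr = HDR.search(line)
        if hdr and not line[:1].isspace():
            pending = int(hdr.group(1))      # ID belongs to the next address line
            continue
        src = SRC.match(line)
        if src and pending is not None:
            ids[src.group(1)].append(pending)
            pending = None
    return dict(ids)

def classify(ids, max_step=1000):
    """Heuristic only: max_step is an assumed bound on packets sent between samples."""
    if len(ids) < 3:
        return "too few samples"
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]  # 16-bit wraparound
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= max_step for d in deltas):
        return "incremental"
    return "no simple pattern"

def report(text):
    """Map each source address in the capture text to its classification."""
    return {src: classify(v) for src, v in ip_ids_by_source(text).items()}

def fake_capture(src, ids):
    """Constructed tcpdump-style text for replies from src (sample data only)."""
    return "".join(
        f"12:00:0{i}.000000 IP (tos 0x0, ttl 64, id {v}, offset 0, flags [none], "
        f"proto TCP (6), length 40)\n"
        f"    {src}.80 > 198.51.100.5.4000{i}: Flags [R.], length 0\n"
        for i, v in enumerate(ids))

if __name__ == "__main__":
    sample = (fake_capture("192.0.2.10", [65534, 65535, 0, 1])
              + fake_capture("192.0.2.20", [41822, 907, 60113, 23456]))
    for host, verdict in report(sample).items():
        print(host, verdict)
```
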
 
Old 08-18-2004, 10:59 PM   #3
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 46
Some more information:

Nessus version 2.0.12
Nessusd running on Slackware 10 kernel 2.4 (patches current).

My system has no listening processes. (cups listening only on local interface).
Am running Folding@home (FAH) client, Mozilla, Firefox, Evolution, Gnome, cifs mounted WinShares, gaim ...

I will run another nessus test after stopping the FAH client (once it finishes its current task).



Last edited by ppuru; 08-18-2004 at 11:27 PM.
 
Old 08-19-2004, 10:09 PM   #4
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 46
As I had expected, running a nessus scan without FAH Client running didn't make any difference. Nessus still reports non-random IP IDs ... only on my FC2 ... perhaps I need to get another FC2 ready, bring it up to the current patch level and run a scan on it.
 
  

