Nessus reports non-random IP ID on Fedora Core 2

ppuru · 08-18-2004, 12:37 AM

After a very long time, I decided to point the nessus scanners on my system... I was surprised to see nessus come up with this ..

Quote:

Warning general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.
2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low
Nessus ID : 10201

I scanned a RH9 system and nessus did not detect this problem.
Scanned Win2K and this problem was detected.
Unfortunately I do not have a FC1 on my network.
Scanned Slackware 10 (2.4 kernel) and it did not come up with this problem.

did some "googling" and found some SuSE reports dated 2001.

Is this problem new to 2.6 kernels?

My config is FC2, all patches current ( upto the minute

)

Update 01:
Found a FC1 upgraded to FC2 ... still running the 2.4 kernel and nessus did not report the above problem.

Update 02:
Ignore update 01. IPtables was running on the scanned system. The kernel was 2.6.5. Scanned again after disabling iptables. Surprisingly the "non-random IP ID" problem was not detected.

Update 03:
Scanned another FC2 system running 2.6.6 kernel and this problem was not detected.

Update 04:
Upgraded a FC2 system to latest kernel 2.6.7 and this problem was not detected.
Something to do with my system???

Capt_Caveman · 08-18-2004, 08:05 AM

I observed this behavior as well. I'm not sure if there is a bug in Nessus or truely a problem with Fedora's TCP/IP stack. I was going to re-run the Nessus check with only that test this weekend and try and get a tcpdump of the session in order to see if the IP ID's are truely non-random. If you want to do it, I'd be interested to see the output. Probably can get a bug report out of it.

ppuru · 08-18-2004, 10:59 PM

Some more information:

Nessus version 2.0.12
Nessusd running on Slackware 10 kernel2.4 (patches current).

My system has no listening processes. (cups listening only on local interface).
Am running Folding@home (FAH) client, Mozilla, Firefox,Evolution, Gnome, cifs mounted WinShares, gaim ...

I will run another nessus test after stopping the FAH client (once it finishes it current task).

ppuru · 08-19-2004, 10:09 PM

as I had expected, running a nessus scan without FAH Client running didn't make any difference. Nessus still reports non-random IP IDs ... only on my FC2 ... perhaps I need to get another FC2 ready, bring it up to the current patch level and run a scan on it.