After a very long time, I decided to point the nessus scanners on my system... I was surprised to see nessus come up with this ..
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low
Nessus ID : 10201
I scanned a RH9 system and nessus did not detect this problem.
Scanned Win2K and this problem was detected.
Unfortunately I do not have a FC1 on my network.
Scanned Slackware 10 (2.4 kernel) and it did not come up with this problem.
did some "googling" and found some SuSE reports dated 2001.
Is this problem new to 2.6 kernels?
My config is FC2, all patches current ( upto the minute
Found a FC1 upgraded to FC2 ... still running the 2.4 kernel and nessus did not report the above problem.
Ignore update 01. IPtables was running on the scanned system. The kernel was 2.6.5. Scanned again after disabling iptables. Surprisingly the "non-random IP ID" problem was not detected.
Scanned another FC2 system running 2.6.6 kernel and this problem was not detected.
Upgraded a FC2 system to latest kernel 2.6.7 and this problem was not detected.
Something to do with my system???