Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 08-18-2004, 01:37 AM   #1
Senior Member
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Angry Nessus reports non-random IP ID on Fedora Core 2

After a very long time, I decided to point the nessus scanners on my system... I was surprised to see nessus come up with this ..

Warning general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low
Nessus ID : 10201
I scanned a RH9 system and nessus did not detect this problem.
Scanned Win2K and this problem was detected.
Unfortunately I do not have a FC1 on my network.
Scanned Slackware 10 (2.4 kernel) and it did not come up with this problem.

did some "googling" and found some SuSE reports dated 2001.

Is this problem new to 2.6 kernels?

My config is FC2, all patches current ( upto the minute )

Update 01:
Found a FC1 upgraded to FC2 ... still running the 2.4 kernel and nessus did not report the above problem.

Update 02:
Ignore update 01. IPtables was running on the scanned system. The kernel was 2.6.5. Scanned again after disabling iptables. Surprisingly the "non-random IP ID" problem was not detected.

Update 03:
Scanned another FC2 system running 2.6.6 kernel and this problem was not detected.

Update 04:
Upgraded a FC2 system to latest kernel 2.6.7 and this problem was not detected.
Something to do with my system???

Last edited by ppuru; 08-18-2004 at 03:38 AM.
Old 08-18-2004, 09:05 AM   #2
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I observed this behavior as well. I'm not sure if there is a bug in Nessus or truely a problem with Fedora's TCP/IP stack. I was going to re-run the Nessus check with only that test this weekend and try and get a tcpdump of the session in order to see if the IP ID's are truely non-random. If you want to do it, I'd be interested to see the output. Probably can get a bug report out of it.
Old 08-18-2004, 11:59 PM   #3
Senior Member
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 50
Some more information:

Nessus version 2.0.12
Nessusd running on Slackware 10 kernel2.4 (patches current).

My system has no listening processes. (cups listening only on local interface).
Am running Folding@home (FAH) client, Mozilla, Firefox,Evolution, Gnome, cifs mounted WinShares, gaim ...

I will run another nessus test after stopping the FAH client (once it finishes it current task).

Last edited by ppuru; 08-19-2004 at 12:27 AM.
Old 08-19-2004, 11:09 PM   #4
Senior Member
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 50
as I had expected, running a nessus scan without FAH Client running didn't make any difference. Nessus still reports non-random IP IDs ... only on my FC2 ... perhaps I need to get another FC2 ready, bring it up to the current patch level and run a scan on it.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Advice: Random segmentation faults - Fedora core 3 U4ea Linux - Software 2 10-07-2005 07:52 AM
Fedora Core 4; Random Video Issues? Clumsy Fedora 2 08-13-2005 01:48 PM
More random questions about Fedora Core from an ex-Windows user Ebisu_Dave Linux - Newbie 9 07-14-2005 08:35 AM
Fedora Core 3 and Nessus Failed Deps terminaljunkie Fedora 4 05-08-2005 06:24 AM
Fedora Core 2 random Screensaver Rotation harley51 Fedora 1 05-31-2004 08:26 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:05 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration