
Non-random ip id's

Peter Gillis
Super Advisor

Non-random ip id's

After running a network vulnerability scan on our system we have a message returned that indicates it is possible to predict the next value of the ip_id field of the ip packets sent by this host.

Anyone suggest how we can cause random values for ip-ids in ip packets to be the norm?

We are running ux11.0 op system.

thanks
Maria

Tony Horton
Frequent Advisor

Re: Non-random ip id's

I assume we are talking about the initial sequence numbers here. I thought that HP-UX was actually very good in that respect, I'm pretty sure I've done a scan on our 11.0 box and that it came up as completely random (I can't remember if that was using nmap or nessus)...... Maybe you should check your ARPA patch levels, it could be that it was bad, but HP have released a patch to fix it.

Regards,

Tony.
No man is an isthmus
Keith Buck
Respected Contributor
Solution

Re: Non-random ip id's

Here is the security bulletin archive:

http://www1.itrc.hp.com/service/cki/secBullArchive.do

Check out bulletin 205. You'll want at least patch PHNE_26771, which then gives you a choice of "HP randomization" or RFC1948 randomization.

-Keith
Mark Greene_1
Honored Contributor

Re: Non-random ip id's

This is a known issue. Two years ago someone did a study of IP sequence numbers, and then redid the same study a year later to gauge how vendors addressed the problem.

Results for HP from the second study can be seen here:

http://lcamtuf.coredump.cx/newtcp/#hpux

Apply the patch and follow the instructions to activate the change and you should be all set.

mark
the future will be a lot like now, only later
rick jones
Honored Contributor

Re: Non-random ip id's

At the risk of showing my ignorance, what is the perceived security threat with a non random IP datagram ID? (I'm not talking about TCP ISN, but IP datagram ID here)
there is no rest for the wicked yet the virtuous have no pillows
Mark Greene_1
Honored Contributor

Re: Non-random ip id's

rick,

see here for one man's take on the risks:

http://lcamtuf.coredump.cx/newtcp/#risks

mark
the future will be a lot like now, only later
rick jones
Honored Contributor

Re: Non-random ip id's

mark -

thanks for the pointer - perhaps I didn't read far enough, but the first bit there seemed to be concerned only with TCP sequence numbers and spoofed IP addresses and didn't say anything about IP datagram IDs, which to the best of my knowledge are used only in IP fragment reassembly.

I suppose that one might argue that an attacker might then be able to "insert" replacement IP datagram fragments in the middle of a fragmented IP datagram, but that seems very remote as the chances of being able to put something useful there that still passes the TCP (which avoids fragmentation) or UDP checksum seems remote at best.
there is no rest for the wicked yet the virtuous have no pillows
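
An added example, not part of any post in this thread: a way to check from your own packet capture whether a host's IP ID values follow a simple pattern, which is what the scan in the original question reported. The `tcpdump -v` style lines are constructed, and the step threshold of 10 and the minimum of four samples are assumptions.

```python
import re

# Constructed tcpdump -v style lines (not captured from a real host).
LINE = "IP (tos 0x0, ttl 64, id {}, offset 0, flags [none], proto ICMP (1), length 84)"
SAMPLE_SEQUENTIAL = "\n".join(LINE.format(i) for i in (65533, 65534, 65535, 0, 2))
SAMPLE_SCATTERED = "\n".join(LINE.format(i) for i in (18211, 40977, 3120, 59002, 27455))


def ip_ids(capture_text):
    """Extract the IP ID field from each verbose tcpdump header line."""
    return [int(n) for n in re.findall(r"\bid (\d+),", capture_text)]


def _steps(ids):
    # The field is 16 bits wide, so differences are taken modulo 65536.
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def _swap(value):
    # Swap the two bytes, for hosts that count in little-endian order.
    return ((value & 0xFF) << 8) | (value >> 8)


def classify(ids, max_step=10, min_samples=4):
    """Label a sequence of IP IDs from one host. Thresholds are assumptions."""
    if len(ids) < min_samples:
        return "insufficient samples"
    if all(s == 0 for s in _steps(ids)):
        return "constant"
    if all(0 < s <= max_step for s in _steps(ids)):
        return "incremental"
    if all(0 < s <= max_step for s in _steps([_swap(i) for i in ids])):
        return "byte-swapped incremental"
    return "no simple pattern"


if __name__ == "__main__":
    for name, text in (("sequential", SAMPLE_SEQUENTIAL), ("scattered", SAMPLE_SCATTERED)):
        print(name, classify(ip_ids(text)))
```

A result of "no simple pattern" on a short sample only means none of these patterns matched; it does not show that the values are random.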