Focus on Microsoft
Sequential/incremental IPID in Windows IP stack May 14 2004 10:35AM
Jannie Hanekom (jannie hanekom opendev net)
Hi

In a recent security audit of a public server it was pointed out to me
that the Windows IP stack implements sequential IPID numbers, something
I've been vaguely aware of before but never investigated in-depth. This
makes possible a number of interesting things, such as OS
fingerprinting, estimates of IP traffic volumes and (possibly) making
your server available as a zombie for Idlescans
(http://www.insecure.org/nmap/idlescan.html).

While I can find quite a lot of info on what Idlescans are and how they
work, as well as hints that there may be vulnerabilities other than the
above hidden in sequential IPID numbers, I can find little to no
information on whether it is possible to "fix" this on Windows machines
other than petitioning MS to change the stack.

So I have two questions coming out of this:
* Is there anything I can do in addition to the usual stateful
  firewalling and ingress/egress filtering?
* Is anyone aware of IPID vulnerabilities other than the ones mentioned
  above?

Any feedback appreciated.

Jan
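
Added example (not part of the original post): a Python sketch for auditing a host you administer, classifying the IP ID values seen in its replies and showing what a sequential counter reveals about the host's other traffic. The sample values are constructed; the function names, the max_step threshold and the assumption of one global counter advanced once per packet sent are this example's own.

```python
# Added example: audit the IP ID behaviour of a host you administer.
# Assumption: one global 16-bit counter, advanced once per packet sent.

def deltas(ids):
    """Differences between consecutive IP IDs, modulo 2**16 to survive wraparound."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]

def swap16(value):
    """Swap the two bytes of a 16-bit value (counter kept in host byte order)."""
    return ((value & 0xFF) << 8) | (value >> 8)

def classify_ipid(ids, max_step=100):
    """Classify IP IDs taken, in order, from replies captured from one host."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if len(set(ids)) == 1:
        return "zero" if ids[0] == 0 else "constant"
    if all(0 < d <= max_step for d in deltas(ids)):
        return "incremental"
    if all(0 < d <= max_step for d in deltas([swap16(i) for i in ids])):
        return "incremental (byte-swapped)"
    return "non-sequential"

def packets_sent_elsewhere(ids):
    """Per interval, packets the host sent besides its reply to the observer."""
    kind = classify_ipid(ids)
    if kind == "incremental (byte-swapped)":
        ids = [swap16(i) for i in ids]
    elif kind != "incremental":
        raise ValueError("counter is not sequential; nothing to infer")
    return [d - 1 for d in deltas(ids)]

# Constructed sample values, not captured from any real host.
WRAPPING = [65533, 65535, 0, 3]
BYTE_SWAPPED = [0x1A00, 0x1B00, 0x1D00, 0x1E00]
RANDOMISED = [0x3F2A, 0x91C4, 0x0B77, 0xE210]

if __name__ == "__main__":
    for name, sample in [("wrapping", WRAPPING), ("byte-swapped", BYTE_SWAPPED),
                         ("randomised", RANDOMISED)]:
        print(name, classify_ipid(sample))
    print(packets_sent_elsewhere(WRAPPING))
```

A result of "incremental" in either form means every reply leaks the host's packet count to whoever receives it; "non-sequential" means this check found no such counter in the samples.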
