Sequential/incremental IPID in Windows IP stack
From: Jannie Hanekom (jannie.hanekom_at_opendev.net)
Date: 05/14/04
Date: Fri, 14 May 2004 11:35:09 +0100
To: <focus-ms@securityfocus.com>
Hi

In a recent security audit of a public server it was pointed out to me that
the Windows IP stack implements sequential IPID numbers, something I've been
vaguely aware of before but never investigated in-depth. This makes possible a
number of interesting things, such as OS fingerprinting, estimates of IP
traffic volumes and (possibly) making your server available as a zombie for
Idlescans (http://www.insecure.org/nmap/idlescan.html).

While I can find quite a lot of info on what Idlescans are and how they
work, as well as hints that there may be vulnerabilities other than the
above hidden in sequential IPID numbers, I can find little to no information
on whether it is possible to "fix" this on Windows machines other than
petitioning MS to change the stack.

So I have two questions coming out of this:

* Is there anything I can do in addition to the usual stateful firewalling
  and ingress/egress filtering?
* Is anyone aware of IPID vulnerabilities other than the ones mentioned
  above?

Any feedback appreciated.

Jan
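
Added example, not part of the original message: a Python check an auditor can run over IP ID values captured from replies of their own server, to see whether the counter is sequential and how much of the host's other traffic it discloses. It goes slightly beyond the message by also recognising a counter written to the wire with its bytes swapped (the pattern Nmap's OS detection calls "broken little-endian incremental"); the function names, the sample values and the max_step bound are assumptions made for the example.

```python
# Added example; sample IP ID values and max_step are constructed/assumed.

def _deltas(ids):
    """Steps between consecutive 16-bit IP IDs, modulo 65536 so wrap-around works."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]

def _swap(v):
    """Swap the two bytes of a 16-bit value."""
    return ((v & 0xFF) << 8) | (v >> 8)

def classify_ipid(ids, max_step=1000):
    """Classify IP ID fields taken from successive replies of one host.

    Returns (label, steps). max_step is an assumed bound on how many packets
    the host could plausibly send between two samples.
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    wire = _deltas(ids)
    if all(x == 0 for x in wire):
        return "constant", wire
    swapped = _deltas([_swap(v) for v in ids])
    candidates = [
        (sum(steps), label, steps)
        for label, steps in (("incremental", wire),
                             ("incremental-byteswapped", swapped))
        if all(0 < x <= max_step for x in steps)
    ]
    if candidates:
        # Both readings can look small; the real counter has the smaller steps.
        _, label, steps = min(candidates)
        return label, steps
    return "non-sequential", wire

def packets_between_samples(ids, max_step=1000):
    """Packets the host sent to anyone else between our samples, or None."""
    label, steps = classify_ipid(ids, max_step)
    if not label.startswith("incremental"):
        return None
    return [s - 1 for s in steps]  # one ID per step went to the reply we saw

# Constructed samples, not captured traffic.
IDLE_WRAP = [0xFFFD, 0xFFFE, 0xFFFF, 0x0000, 0x0001]   # quiet host, counter wraps
BUSY = [100, 103, 110, 111]                            # host talking to others
BYTESWAPPED = [0xFE01, 0xFF01, 0x0002, 0x0102]         # counter 0x01FE.. unswapped
RANDOMISED = [0x3A7C, 0x91E2, 0x0B45, 0xD310]

if __name__ == "__main__":
    for name in ("IDLE_WRAP", "BUSY", "BYTESWAPPED", "RANDOMISED"):
        print(name, classify_ipid(globals()[name])[0],
              packets_between_samples(globals()[name]))
```

A result of "incremental" or "incremental-byteswapped" with non-zero gaps means the host exposes its traffic volume through the IP ID field; "non-sequential" or "constant" means it does not.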