1. IP-ID

Fun with IP Identification Field Values (Identifying Older MS Based OSs)

Date: Sat, 5 May 2001 23:21:55 -0700 https://seclists.org/bugtraq/2001/May/44


1.1. Linux

https://superuser.com/questions/569444/what-kind-of-methods-are-used-to-calculate-ip-id-fields

The sequence number (see RFC 6528) should be unguessable for somebody that doesn't have access to the data stream (some attacks, notably the famous one by Mitnick, are based on guessing it and impersonating the counterpart).

That is why Linux uses a true random number here.

Other operating systems are much sloppier; nmap checks how carefully they do it (and probably includes an extensive database on how systems do it).

That there isn't a reliable source of random numbers is especially troubling in machines like WiFi routers.

(Yes, this sort of vulnerability has been known and been warned against since the very first versions of TCP; yes, in their infinite laziness many operating system/network stack writers just used a fixed one, or incremented it regularly, or something equally "intelligent", mostly for the sake of "performance".)


https://pdfs.semanticscholar.org/2b64/6e8cd3a94239d3f473062900bde801808272.pdf

A closer look at IP-ID behavior in the Wild

Flavia Salutari, Danilo Cicalese, and Dario J. Rossi, Telecom ParisTech, Paris, France – first.last@telecom-paristech.fr

Abstract.

Originally used to assist network-layer fragmentation and reassembly, the IP identification field (IP-ID) has been used and abused for a range of tasks, from counting hosts behind NAT, to detect router aliases and, lately, to assist detection of censorship in the Internet at large.

These inferences have been possible since, in the past, the IP-ID was mostly implemented as a simple packet counter: however, this behavior has been discouraged for security reasons and other policies, such as random values, have been suggested.

In this study, we propose a framework to classify the different IP-ID behaviors using active probing from a single host.

Despite being only minimally intrusive, our technique is significantly accurate (99% true positive classification), robust against packet losses (up to 20%) and lightweight (few packets suffice to discriminate all IP-ID behaviors).

We then apply our technique to an Internet-wide census, where we actively probe one alive target per each routable /24 subnet:

we find that the majority of hosts adopt a constant IP-ID (39%) or local counter (34%), that the fraction of global counters (18%) significantly diminished, that a non marginal number of hosts have an odd behavior (7%) and that random IP-IDs are still an exception (2%).
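As an added illustration of the behaviour classes the abstract names (constant, counter, random), here is a small classifier over IP-ID values observed in replies from one target. It is not the paper's framework and not nmap's code: it is a simplified heuristic that only sees the 16-bit IP-ID of each reply in probe order, tolerates a few lost replies via the `max_step` assumption, and also recognises counters stored little-endian (which appear as steps of 256 on the wire, as in old Windows stacks). The sample sequences are constructed, not captured traffic.

```python
"""Heuristic IP-ID behaviour classifier (added example, simplified).

Classes returned by classify_ipid():
  constant    every reply carries the same IP-ID
  counter     IDs grow by small steps modulo 2^16; steps > 1 occur when the
              counter is shared with other traffic or a reply was lost
  counter_le  same, but the counter is little-endian, so on the wire the
              steps look like multiples of 256
  random      none of the above (steps are spread over the whole range)
Cannot tell a per-destination counter from a quiet global counter: from a
single vantage point both look like +1 per reply (assumption of this toy).
"""
from typing import Dict, List

MOD = 1 << 16  # the IP-ID field is 16 bits wide and wraps


def _steps(ids: List[int]) -> List[int]:
    """Forward differences modulo 2^16, so a wrap 65535 -> 0 is a step of 1."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]


def _swap16(v: int) -> int:
    """Byte-swap a 16-bit value (undo a little-endian counter on the wire)."""
    return ((v & 0xFF) << 8) | (v >> 8)


def classify_ipid(ids: List[int], max_step: int = 64) -> str:
    """Classify an ordered list of observed IP-IDs (see module docstring)."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if any(not 0 <= v < MOD for v in ids):
        raise ValueError("IP-ID is a 16-bit field")
    if len(set(ids)) == 1:
        return "constant"
    if all(1 <= s <= max_step for s in _steps(ids)):
        return "counter"
    if all(1 <= s <= max_step for s in _steps([_swap16(v) for v in ids])):
        return "counter_le"
    return "random"


# Constructed sample sequences (not real captures) covering each class.
SAMPLES: Dict[str, List[int]] = {
    "constant": [0] * 8,
    "per-destination counter": [1000, 1001, 1002, 1003, 1004, 1005],
    "shared counter, other traffic": [40000, 40003, 40007, 40008, 40015],
    "counter crossing 2^16": [65533, 65534, 65535, 0, 1, 2],
    "little-endian counter": [0x0100, 0x0200, 0x0300, 0x0400],
    "random": [12345, 60001, 3, 44444, 9021, 31337],
}


def classify_all(samples: Dict[str, List[int]] = SAMPLES) -> Dict[str, str]:
    return {name: classify_ipid(ids) for name, ids in samples.items()}
```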