[CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability

Mon Jun 27 16:29:43 UTC 2016
Gordon Messmer <gordon.messmer at gmail.com>

On 06/26/2016 01:50 PM, James B. Byrne wrote:
> However, all I am seeking is knowledge on how to handle this using
> iptables.  I am sure that this defect/anomaly has already been solved
> wherever it is an issue.  Does anyone have an example on how to do
> this?


I think the bit you're missing is that you don't have to address every 
detail that your auditors send you.  You can label an item a false 
positive.  You can respond that you are aware, and that you don't 
consider an item to be a security defect.  Fingerprinting is an 
excellent example thereof.  As was already noted, the IP ID field is 
just one of many aspects of IP networking that can be used to identify 
Linux systems.  If you don't address them all, addressing one is not a 
useful exercise.

Still, if you enjoy jumping through hoops, there used to be a few 
options to do this:

https://nmap.org/misc/defeat-nmap-osdetect.html

The comment you quoted did not say that the field could be mangled by 
iptables, and as far as I can tell, no module is available to mangle 
that field.

http://www.iptables.info/en/structure-of-iptables.html#MANGLETABLE

And if none of those are acceptable, then consider upgrading to a newer 
system.  Fyodor says that recent versions of Linux no longer behave this 
way.

http://seclists.org/bugtraq/2002/Mar/372
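
Added example, not part of the original thread and not code from nmap or any project mentioned in it: a small Python script that reproduces the observation behind the auditor's "constant IP ID" finding from a sequence of captured IPv4 headers, so you can check a host yourself before labelling the item a false positive. The classes (zero, constant, random, random positive increments, broken little-endian incremental, incremental) and the thresholds are a simplified rendering of the IP ID sequence test nmap documents for its OS detection and are treated here as assumptions; the minimum sample count, the header builder and every sample ID sequence are constructed for the example, not captured from a real host.

```python
"""Classify how a host sets the IPv4 Identification (IP ID) field.

Added example: a simplified rendering of the IP ID sequence test nmap documents
for OS detection. Thresholds are assumptions taken from that description, and
all sample headers are constructed here rather than captured from a real host.
"""
import struct
from typing import Dict, Sequence


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum: the value to insert if the field is 0, else 0 if valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> Dict[str, object]:
    """Parse the fixed 20-byte IPv4 header and verify its checksum."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimum IPv4 header")
    (ver_ihl, _tos, _tlen, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"id": ident, "df": bool(flags_frag & 0x4000), "ttl": ttl,
            "proto": proto, "src": ".".join(str(b) for b in src),
            "dst": ".".join(str(b) for b in dst)}


def classify_ip_id_sequence(ids: Sequence[int]) -> str:
    """Name the IP ID pattern; rule order mirrors nmap's documented TI test."""
    if len(ids) < 3:                      # minimum sample count is an assumption
        return "insufficient"
    if all(i == 0 for i in ids):
        return "zero"
    if len(set(ids)) == 1:                # the auditor's finding: one ID for all
        return "constant 0x%04x" % ids[0]
    # Differences modulo 2^16, so a wrap of the 16-bit counter is not a jump.
    diffs = [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]
    if any(d >= 20000 for d in diffs):
        return "random"
    if any(d > 1000 and d % 256 != 0 for d in diffs):
        return "random positive increments"
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "broken little-endian incremental"   # counter sent without htons()
    if all(d < 10 for d in diffs):
        return "incremental"
    return "unclassified"


def classify_capture(packets: Sequence[bytes]) -> str:
    """Classify raw IPv4 packets that are replies from a single host."""
    return classify_ip_id_sequence([parse_ipv4_header(p)["id"] for p in packets])


def build_ipv4_header(ident: int, src: str = "192.0.2.10", dst: str = "192.0.2.20",
                      proto: int = 17, payload_len: int = 8, df: bool = False) -> bytes:
    """Build a 20-byte IPv4 header with a valid checksum (constructed test data)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000 if df else 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed ID sequences, one per pattern; none were captured from a real host.
SAMPLE_SEQUENCES = {
    "constant": [0x1234] * 6,
    "zero": [0] * 6,
    "incremental": [100, 101, 102, 103, 104, 105],
    "broken_le": [0x0100, 0x0200, 0x0300, 0x0400, 0x0500, 0x0600],
    "random_positive_increments": [0x0100, 0x0A01, 0x1303, 0x1C07],
    "random": [0x8F31, 0x12AB, 0xF00D, 0x0042, 0x7C3E, 0xDEAD],
}


def demo() -> Dict[str, str]:
    """Run every constructed sequence through the classifier as UDP replies."""
    return {name: classify_capture([build_ipv4_header(i, df=True) for i in ids])
            for name, ids in SAMPLE_SEQUENCES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-28s %s" % (name, verdict))
```

To check a real host, capture a handful of its UDP replies (tcpdump -w, then pull each packet's IPv4 header out with whatever pcap reader you use) and pass those header bytes to classify_capture(); a "constant" verdict is the auditor's observation reproduced, an "incremental" or "random" one means the host does not exhibit it. The checksum check is there so a mis-sliced capture fails loudly instead of feeding garbage IDs into the classifier.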