We received a notice from our PCI-DSS auditors respecting this:

CVE-2002-0510
The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux.

The NVD entry for which contains this note:

CHANGE> [Cox changed vote from REVIEWING to NOOP]
Cox> So I asked some kernel guys about this - it's not considered an issue. There are several other ways to identify Linux on the wire and people who care about this kind of thing rewrite their packets in various ways via firewall technology to trick the identifier programs.

So, what packet mangling may be done in iptables to solve this without breaking UDP transmission? I take it that we are talking about something in the PREROUTING chain, but what kind of mangling is safe? Is there an example somewhere?

-- 
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
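Before mangling anything, an auditor will want to confirm whether a host actually exhibits the behaviour CVE-2002-0510 describes. The following check is an added example, not part of the original message or of any kernel or iptables code: it parses raw IPv4 packets (sample headers constructed inline, with made-up addresses) and flags non-fragmented UDP datagrams whose IP Identification field is 0.

```python
import struct

UDP = 17
TCP = 6
MF = 0x1  # 3-bit IPv4 flags value for "More Fragments"
DF = 0x2  # 3-bit IPv4 flags value for "Don't Fragment"

def build_ipv4_header(ip_id, flags, frag_offset, proto, src, dst):
    """Constructed 20-byte IPv4 header for testing (checksum left at 0; not needed here)."""
    ver_ihl = (4 << 4) | 5            # IPv4, IHL = 5 words (20 bytes)
    total_len = 20 + 8                # header plus an empty 8-byte UDP header
    flags_frag = (flags << 13) | frag_offset
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ip_id,
                       flags_frag, 64, proto, 0, src, dst)

def parse_ipv4(pkt):
    """Return (ip_id, is_fragment, proto) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    _, _, _, ip_id, flags_frag, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    more_fragments = bool(flags_frag & 0x2000)   # MF bit
    frag_offset = flags_frag & 0x1FFF
    # A packet is part of a fragment train if MF is set or it carries a non-zero offset.
    return ip_id, more_fragments or frag_offset != 0, proto

def find_zero_id_udp(packets):
    """Indices of non-fragmented UDP packets with IP ID 0: the CVE-2002-0510 fingerprint."""
    hits = []
    for idx, pkt in enumerate(packets):
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        ip_id, is_fragment, proto = parsed
        if proto == UDP and not is_fragment and ip_id == 0:
            hits.append(idx)
    return hits

# Constructed sample capture (addresses are placeholders, not real hosts).
SRC, DST = b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x01\x14"
SAMPLE_PACKETS = [
    build_ipv4_header(0, DF, 0, UDP, SRC, DST),       # unfragmented UDP, ID 0: flagged
    build_ipv4_header(0x1234, DF, 0, UDP, SRC, DST),  # unfragmented UDP, non-zero ID: fine
    build_ipv4_header(0, MF, 0, UDP, SRC, DST),       # first fragment: ID 0 but fragmented
    build_ipv4_header(0, DF, 0, TCP, SRC, DST),       # TCP: outside the CVE's scope
]

if __name__ == "__main__":
    print("packets matching the CVE-2002-0510 pattern:", find_zero_id_udp(SAMPLE_PACKETS))
```

On a real system, feed it the IPv4 payloads of a capture taken from outside the host; if no unfragmented UDP packet carries ID 0, the behaviour is not present and no mangle rule is needed for this finding.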