Subject: Re: security for netbsd as web server
To: Felix Deichmann <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 03/25/2005 20:47:27
In message <firstname.lastname@example.org>, Felix Deichmann writes:
>Steven M. Bellovin wrote:
>>>If you are really paranoid:
>>># sysctl -w net.inet.ip.random_id=1
>> Against what threat?
>When there is only a simple IP ID increment, you can see a server's load
>by looking at the IP ID difference. ICMP echo (ping) replies are enough.
Right -- and that tells you almost nothing of use.
The real threat from IP ID games, other than those described in my
paper, is that you can use the field for "firewalking" -- trying to map
what's behind certain kinds of firewalls. But this isn't a firewall
situation -- I'm recommending a hardened host, which is a very
>Ah, now that I read the article about IP IDs in German c't magazine, I
>see that they also refer to your paper "A Technique for Counting NATted
Well, yes, I did feel I had some experience with that field....
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
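The load-inference trick Felix describes above, as an added example that is not part of the original thread: it pulls the 16-bit Identification field out of the IPv4 header of each echo reply, takes the differences between consecutive probes, and classifies the host as using a global incrementing counter (what NetBSD does with net.inet.ip.random_id=0) or randomized IDs (random_id=1). The sample headers below are constructed inline; the delta threshold and the load estimate are this example's own heuristics, not anything the thread specifies.

```python
"""Infer IP ID behaviour from the Identification field of echo replies.

Added example, not code from the original mailing-list thread.
With one global incrementing counter, the delta between two replies
equals 1 + the number of other packets the host sent in between, so
the deltas track its load. With per-packet random IDs the deltas look
uniform across the 16-bit space and reveal nothing.
"""
import struct
from typing import List


def ip_id(ipv4_header: bytes) -> int:
    """Return the Identification field (RFC 791: header bytes 4-5)."""
    if len(ipv4_header) < 20:
        raise ValueError("truncated IPv4 header")
    if ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", ipv4_header[4:6])[0]


def id_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive IDs, modulo 2**16 (counter wraps)."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify(ids: List[int], max_step: int = 1000) -> str:
    """'incremental' if every delta is a small positive step, else 'random'.

    max_step is an assumed heuristic: a busy host could legitimately
    exceed it between two probes, so tune it to the probe interval.
    """
    deltas = id_deltas(ids)
    if deltas and all(0 < d <= max_step for d in deltas):
        return "incremental"
    return "random"


def estimate_load(ids: List[int], interval_s: float) -> float:
    """Packets/sec the host sent to others between our probes.

    Only meaningful for an incremental counter; each of our probes
    consumes exactly one ID (the reply), hence the (d - 1).
    """
    deltas = id_deltas(ids)
    if not deltas:
        return 0.0
    return sum(d - 1 for d in deltas) / (interval_s * len(deltas))


def make_ipv4_header(ident: int) -> bytes:
    """Constructed 20-byte IPv4 header for an ICMP packet (checksum left 0)."""
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto=1 (ICMP),
    # checksum, src 10.0.0.1, dst 10.0.0.2
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, 0, 64, 1, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


# Constructed replies: one host with a global counter, one randomized.
INCREMENTAL_REPLIES = [make_ipv4_header(i) for i in (1000, 1003, 1005, 1012, 1013)]
RANDOM_REPLIES = [make_ipv4_header(i) for i in (41233, 7, 59120, 22011)]
WRAPPED_REPLIES = [make_ipv4_header(i) for i in (65534, 2)]


def analyse(replies: List[bytes], interval_s: float = 1.0) -> dict:
    ids = [ip_id(h) for h in replies]
    kind = classify(ids)
    return {
        "ids": ids,
        "deltas": id_deltas(ids),
        "kind": kind,
        "load_pps": estimate_load(ids, interval_s) if kind == "incremental" else None,
    }


if __name__ == "__main__":
    for name, replies in (("incremental", INCREMENTAL_REPLIES),
                          ("random", RANDOM_REPLIES),
                          ("wrapped", WRAPPED_REPLIES)):
        print(name, analyse(replies))
```

Against a real host you would capture the replies with tcpdump or a raw socket and feed the IPv4 headers to analyse(); the point of the example is that a sequence like 1000, 1003, 1005 is readable as "two other packets, then one other packet" only when the counter is global, which is exactly what random_id=1 removes.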