Subject: Re: kernel ip_randomid() and libc randomid(3) still "broken"
To: Jun-ichiro itojun Hagino <itojun@itojun.org>
From: Charles M. Hannum <abuse@spamalicious.com>
List: tech-net
Date: 11/27/2003 07:07:41
On Thursday 27 November 2003 06:50 am, Jun-ichiro itojun Hagino wrote:
> > On Thursday 27 November 2003 04:32 am, Jun-ichiro itojun Hagino wrote:
> > > > >        have you experienced the scenario in reality, ever?
> > > >
> > > > You mean as opposed to *actual* threats to linear IP ids, which
> > > > AFAIK nobody has yet cited in this discussion?
> > >
> > > 	ok, try this page.  google is so useful.
> > > 	http://www.linuxfocus.org/English/March2003/article282.meta.shtml
> >
> > That article doesn't even mention IP ID spoofing.  The closest it gets is
> > DNS ID spoofing, which is a completely different issue.
> >
> > Do you, or do you not, have a reference on this?
>
> http://www.google.com/search?q=fragment+id+prediction+attack&hl=en&lr=&ie=UTF-8&oe=utf-8&c2coff=1&start=50&sa=N
>
> 	there are papers on IDS which talk about fragment ID anomaly and stuff.
> 	there are so many of these.  i'll let you know if i find code for
> 	script kiddies or something alike.

I looked through a bunch of the hits, and NONE of the ones I looked at showed 
any such attack.  Most of them were actually about TCP ISS prediction.  "Try 
again."

> 	even without a reference, can't you even guess that with predictable
> 	fragment ID it is easier to mount DoS attack against the victim traffic
> 	(just send in bogus fragment with matching fragment ID, and reassembly
> 	will fail).

Actually, the worst you could do against a properly working implementation is 
to cause reassembly to succeed *with the wrong data*, which is no worse than 
spoofing an entire packet, though it may be easier in the case where you can 
probe the current ID but not see the actual traffic.  The Solaris approach 
solves this problem without adding the kind of per-packet overhead that the 
PRNG does, and without shortening the cycle, by preventing you from remotely 
probing the ID.
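The point both sides circle around is whether a remote party can guess a host's next IP ID from the ones it just emitted. The check below is an added example for this thread, not code from NetBSD, from itojun or from Hannum: it looks at a run of observed Identification values and reports whether they step by a small constant (guessable) or not. The sample sequences and the 256-step cutoff are constructed assumptions.

```python
"""Classify observed IPv4 Identification values as guessable or not.

Added example for this thread (not NetBSD, itojun or Hannum code).
`ids` is assumed to be the 16-bit IP ID values seen in consecutive
datagrams from one host; the samples below are constructed, not captured.
"""
from collections import Counter
import math

ID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide


def id_deltas(ids):
    """Successive differences modulo 2^16, so 65535 -> 0 counts as +1."""
    return [(b - a) % ID_MOD for a, b in zip(ids, ids[1:])]


def delta_entropy(deltas):
    """Shannon entropy (bits) of the step distribution; 0.0 for a counter."""
    counts = Counter(deltas)
    n = len(deltas)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_ip_ids(ids, max_step=256):
    """Return 'sequential' when every step is the same small increment
    (a remote prober could predict the next ID), otherwise 'randomized'.
    max_step=256 is an assumed cutoff that also catches byte-swapped counters."""
    if len(ids) < 3:
        raise ValueError("need at least 3 samples to judge a sequence")
    deltas = id_deltas(ids)
    if len(set(deltas)) == 1 and 0 < deltas[0] <= max_step:
        return "sequential"
    return "randomized"


# Constructed samples: a global counter crossing the 16-bit wrap, and
# values of the kind a PRNG-based ip_randomid() would hand out.
SEQUENTIAL_SAMPLE = [65533, 65534, 65535, 0, 1, 2]
RANDOM_SAMPLE = [0x3A1F, 0xC402, 0x0D88, 0x7E31, 0x9B5C, 0x2217]

if __name__ == "__main__":
    for name, sample in (("counter", SEQUENTIAL_SAMPLE), ("prng", RANDOM_SAMPLE)):
        print(name, classify_ip_ids(sample),
              "entropy=%.2f bits" % delta_entropy(id_deltas(sample)))
```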