Re: IP-ID field of ICMP echo request

To: Kohei OHTA <kohei@xxxxxxxxxx>
Subject: Re: IP-ID field of ICMP echo request
From: Ulisses <ra993482@xxxxxxxxxxxxx>
Date: 07 Jul 2003 15:40:36 -0300
Cc: netdev@xxxxxxxxxxx
In-reply-to: <3F095B7B.5090203@cysols.com>
References: <3F095B7B.5090203@cysols.com>
Sender: netdev-bounce@xxxxxxxxxxx

On Mon, 2003-07-07 at 08:37, Kohei OHTA wrote:

> I found a strange packet, which is generated by ping of Linux.
> It is observed ID field of IP header in ping packet (Echo request) is always 0.
> 
> I confirmed this on kernel 2.4.18 and 2.4.21.
> My colleague also confirmed this is fixed in kernel 2.5.74.
> 
> I hope this is fixed in next next 2.4.x release.

Hi, Kohei,

        I guess this behaviour is to prevent Idle scanning, that is based on
predictable IPID numbers [1]. Therefore, the Linux TCP/IP stack uses 0
as IPID when the DF (Don't Fragment) bit is set. I'm not sure, but I
think that Linux also uses peer-specific IPID numbers to make the
prediction harder.

-- Ulisses

[1] http://www.insecure.org/nmap/idlescan.html
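
Added example, not part of the original thread: a small Python check that reads the ID and DF fields from captured IPv4 headers and labels the pattern as the "DF set, ID 0" behaviour discussed above, a predictable counter, or neither. The function names, the max_step threshold and the 192.0.2.x sample headers are assumptions constructed for illustration.

```python
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_header(ident, df, src="192.0.2.10", dst="192.0.2.20"):
    """Constructed sample input: ICMP-carrying IPv4 header, checksum left 0."""
    flags_frag = 0x4000 if df else 0  # bit 14 of this field is DF
    return struct.pack(IPV4_FMT, 0x45, 0, 28, ident, flags_frag, 64, 1, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_header(raw):
    """Extract the ID and fragmentation fields from a raw IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, ident, flags_frag, _, proto, _, src, _ = struct.unpack(
        IPV4_FMT, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {"src": socket.inet_ntoa(src), "proto": proto, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF}

def classify_ipid(headers, max_step=16):
    """Label the ID pattern of packets from one sender, in capture order."""
    if len(headers) < 2:
        return "insufficient"
    if all(h["df"] and h["id"] == 0 for h in headers):
        return "zero-with-df"          # what the thread reports for 2.4 ping
    ids = [h["id"] for h in headers]
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]  # 16-bit wrap
    if all(1 <= s <= max_step for s in steps):
        return "sequential"            # predictable counter (assumed threshold)
    return "other"

def classify_capture(raw_packets):
    """Parse each raw header, then classify the sequence."""
    return classify_ipid([parse_header(p) for p in raw_packets])

# Constructed captures (not real traffic).
PING_DF_ZERO = [build_header(0, True) for _ in range(3)]
COUNTER_WRAP = [build_header(i, False) for i in (65534, 65535, 1)]
SCATTERED = [build_header(i, True) for i in (0x1A2B, 0x9C01, 0x0444)]

if __name__ == "__main__":
    for name, cap in (("ping_df_zero", PING_DF_ZERO),
                      ("counter_wrap", COUNTER_WRAP),
                      ("scattered", SCATTERED)):
        print(name, classify_capture(cap))
```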