Subject: Re: kernel ip_randomid() and libc randomid(3) still "broken"
To: None <abuse@spamalicious.com>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 11/27/2003 15:50:01
> On Thursday 27 November 2003 04:32 am, Jun-ichiro itojun Hagino wrote:
> > > >        have you experienced the scenario in reality, ever?
> > >
> > > You mean as opposed to *actual* threats to linear IP ids, which
> > > AFAIK nobody has yet cited in this discussion?
> >
> > 	ok, try this page.  google is so useful.
> > 	http://www.linuxfocus.org/English/March2003/article282.meta.shtml
> 
> That article doesn't even mention IP ID spoofing.  The closest it gets is DNS 
> ID spoofing, which is a completely different issue.
> 
> Do you, or do you not, have a reference on this?

http://www.google.com/search?q=fragment+id+prediction+attack&hl=en&lr=&ie=UTF-8&oe=utf-8&c2coff=1&start=50&sa=N

	there are papers on IDS which talk about fragment ID anomalies and stuff.
	there are so many of these.  i'll let you know if i find code for
	script kiddies or something similar.

	even without a reference, can't you even guess that with a predictable
	fragment ID it is easier to mount a DoS attack against the victim's traffic
	(just send in a bogus fragment with a matching fragment ID, and reassembly
	will fail).

itojun
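The argument above is that a stack whose IP ID is guessable from earlier packets is cheap to disrupt; the defender's first check is what their own stack actually emits. The helper below is an added example, not code from this thread or from the NetBSD kernel: it takes IP ID values observed from one host (the samples are constructed) and classifies the generator as sequential, small-step incremental, fixed-step, or apparently random. The step threshold is an assumption for illustration, not a kernel parameter.

```python
"""Audit helper: does an observed IP ID sequence look predictable?"""
from collections import Counter
import math

ID_SPACE = 1 << 16  # the IPv4 identification field is 16 bits wide


def deltas(ids):
    """Successive differences modulo 2^16, since a counter wraps at 65535."""
    return [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids, max_step=255):
    """Classify how the sender appears to generate IP IDs.

    sequential:   every delta is exactly 1 (a plain global counter).
    incremental:  every delta is in 1..max_step, as a shared counter looks
                  when other traffic is interleaved (max_step is assumed).
    fixed-step:   every delta is the same non-zero value (e.g. a counter
                  whose bytes are swapped before being sent).
    random:       anything else; the next ID is not obvious from the last.
    insufficient: too few samples to say anything.
    """
    if len(ids) < 8:
        return "insufficient"
    ds = deltas(ids)
    if all(d == 1 for d in ds):
        return "sequential"
    if all(1 <= d <= max_step for d in ds):
        return "incremental"
    if len(set(ds)) == 1 and ds[0] != 0:
        return "fixed-step"
    return "random"


def delta_entropy_bits(ids):
    """Shannon entropy of the delta distribution in bits: 0 means the next
    ID is fully determined by the previous one; close to log2(len) for the
    small samples here means no repeated step was seen."""
    ds = deltas(ids)
    n = len(ds)
    return -sum(c / n * math.log2(c / n) for c in Counter(ds).values())


# Constructed sample sequences, as they might be read from a packet capture.
SEQUENTIAL = list(range(100, 110))
WRAPPING = [65530, 65533, 0, 2, 5, 6, 9, 10, 12]          # counter wraps past 65535
BYTE_SWAPPED = [0, 256, 512, 768, 1024, 1280, 1536, 1792, 2048]
RANDOMISH = [51234, 3, 40001, 17890, 65000, 12, 32768, 9999, 777, 60000]

if __name__ == "__main__":
    for name, seq in [("sequential", SEQUENTIAL), ("wrapping", WRAPPING),
                      ("byte-swapped", BYTE_SWAPPED), ("random", RANDOMISH)]:
        print(f"{name:13s} {classify_ipid_sequence(seq):12s} "
              f"entropy={delta_entropy_bits(seq):.2f} bits")
```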