Date:      Thu, 24 Sep 2009 09:21:21 -0400
From:      Steve Bertrand <steve@ibctech.ca>
To:        "B. Cook" <bcook@poughkeepsieschools.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: net.inet.ip.random_id possible ASA problems?
Message-ID:  <4ABB7251.4060004@ibctech.ca>
In-Reply-To: <4ABB679D.7030604@poughkeepsieschools.org>
References:  <4ABB679D.7030604@poughkeepsieschools.org>


B. Cook wrote:

[ big snip ]

> So after 6 hours of cisco techs.. all they could come up with is a "...
> possible duplex mis-match.. "
> 
> *sigh*
> 
> So dropping my pf rules (which contain scrub settings) made no
> difference, I found the above URL which seemed to point to
> net.inet.ip.random_id.
> 
> I can not find any 'freebsd.org' documentation pertaining to it
> regarding what it actually does.  I do however find it scattered amongst
> tons of 'FreeBSD hardening' docs..
> 
> Can anyone shed some light on what this does?

IIRC, random_id allows initial TCP sequence numbers to be randomized.

Some OSes sequence TCP packets in an incremental fashion, thereby making
it quite easy for an attacker using a TCP Idle Scan to hijack a session,
and extremely easy while the box is under very light network load.

https://www.kb.cert.org/vuls/id/498440

I've never seen this setting cause any detriment, but we only use Cisco
routers, not ASAs. AFAIK, random_id is off by default.

It would be rather handy if they would provide you with some of the
ASA's config snips, and perhaps interface counts and logs.

You may also want to capture a pcap on the 'problematic' box to see if
you can find anything interesting:

# tcpdump -n -i em0 -s 0 -w /home/steve/packet-cap.pcap

Steve
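As an added example (not code from Steve's or B. Cook's messages), one way to inspect a capture like the tcpdump one above for the behaviour this thread is about: parse the IPv4 header of each packet and see whether the 16-bit identification field (the field that FreeBSD's net.inet.ip.random_id sysctl randomizes) steps predictably from packet to packet. The sample headers are constructed inline, and the function names and the step threshold are my own choices.

```python
import struct
from typing import List

def make_header(ident: int, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample data, not a real capture).
    Fields: ver/IHL, TOS, total length, ID, flags/frag, TTL, proto(TCP), checksum, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0x4000, 64, 6, 0, src, dst)

def ipv4_id(header: bytes) -> int:
    """Return the Identification field of a raw IPv4 header (as read from a pcap frame)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", header[4:6])[0]

def classify_ip_ids(ids: List[int], max_step: int = 8) -> str:
    """Classify how a host's IP IDs evolve across consecutive packets it sent.

    'incremental': every delta (mod 2**16, so wrap-around is handled) is a small
                   positive step, i.e. a predictable global counter
    'constant'   : the ID never changes (e.g. DF set and ID left at zero)
    'random'     : anything else, which is what random_id=1 should produce
    """
    if len(ids) < 2:
        raise ValueError("need at least two packets to judge")
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= max_step for d in deltas):
        return "incremental"
    return "random"

def classify_capture(headers: List[bytes]) -> str:
    """Convenience wrapper: raw headers in capture order -> classification."""
    return classify_ip_ids([ipv4_id(h) for h in headers])

# Constructed samples: a sequential counter (with a wrap past 0xffff) and a random one.
INCREMENTAL_CAPTURE = [make_header(i & 0xFFFF) for i in range(0xFFFD, 0xFFFD + 6)]
RANDOM_CAPTURE = [make_header(i) for i in (0x3A91, 0x0C27, 0xF14E, 0x5B02, 0x8ED3, 0x2260)]

if __name__ == "__main__":
    print("incremental sample:", classify_capture(INCREMENTAL_CAPTURE))  # incremental
    print("random sample:     ", classify_capture(RANDOM_CAPTURE))       # random
```

On a real capture, feed the function only packets sent by the host under test; a firewall or NAT in the path may rewrite the field and mask what the host itself does.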

