Addressing Vulnerabilities - Presence of a Load-Balancing Device Detected
Questions:
1. Anyone have any idea how "IP Identification" is done to find the number of servers behind the load balancer?
2. What configuration can be done on the Big-IP to get rid of this vulnerability?
3. I'm no security expert - how big of a deal is this vulnerability?
Thanks,
-Funkdaddy
1 Presence of a Load-Balancing Device Detected (5)
QID: 86189
CVSS Base: 0 [1]
Category: Web server
CVSS Temporal: -
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 05/20/2009
User Modified: -
Edited: No
PCI Vuln: No

THREAT:
The service detected a load-balancing device in front of your Web servers. This information can provide an attacker with additional information about your network.

Different techniques were used to detect the presence of a load-balancing device, including HTTP header analysis and analysis of IP Time-To-Live (TTL) values, IP Identification (ID) values, and TCP Initial Sequence Numbers (ISN). The actual technique(s) responsible for the detection can be seen in the Result section.

The exact number of Web servers behind a load balancer is difficult to determine, so the number reported here may not be accurate. Furthermore, Netscape Enterprise Server Version 3.6 is known to display an erroneous "Date:" field in the HTTP header when the server receives a lot of requests. This makes it difficult for the service to determine if there is a load-balancing device present by analyzing the HTTP headers. Also, the result given by the analysis of IP ID and TCP ISN values may vary due to different network conditions when the scan was performed.

IMPACT:
By exploiting this vulnerability, an intruder could use this information in conjunction with other pieces of information to craft sophisticated attacks against your network.
Note also that if the Web servers behind the load balancer are not identical, the scan results for the HTTP vulnerabilities may vary from one scan to another.

SOLUTION:
To prevent the detection of the presence of a load-balancing device based on HTTP header analysis, you should use Network-Time-Protocol (NTP) to synchronize the clocks on all of your hosts (at least those in the DMZ).

To prevent detection by analyzing IP TTL values, IP ID values, and TCP ISN values, you may use hosts with a TCP/IP implementation that generates randomized numbers for these values. However, most operating systems available today do not come with such a TCP/IP implementation.

xxx.xx.xx.54 (extranet.xyz.com, -) F5 Networks Big-IP port 443/tcp over SSL
RESULTS:
Number of web servers behind load balancer: 3 - based on IP Identification values

xxx.xx.xx.103 (wpress.xxx.com, -) F5 Networks Big-IP port 443/tcp over SSL
RESULTS:
Number of web servers behind load balancer: 4 - based on IP Identification values
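Added example (not from the original post, Qualys or F5) showing the two signals the report names, IP ID sequences and Date-header clock skew, applied to a constructed set of responses from one VIP; it is the kind of self-check you can run on a capture of your own pool to confirm that NTP synchronization and IP ID randomization actually removed the fingerprint. The sample data, the 200-step gap threshold and the 2-second clock bucket are assumptions.

```python
# Added example, not part of the original post, Qualys or F5 code.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

T0 = datetime(2009, 5, 20, 12, 0, 0, tzinfo=timezone.utc)

def _http_date(dt):
    return dt.strftime("%a, %d %b %Y %H:%M:%S GMT")

# Constructed sample: (capture time, IP ID, Date header) for ten responses from
# one VIP. Hosts A (IDs 1000..) and C (IDs 20500..) share a synced clock;
# host B (IDs 40000..) runs 37 s slow.
_PLAN = [(0, 1000, 0), (1, 40000, -37), (2, 1003, 0), (3, 20500, 0), (4, 40002, -37),
         (5, 1007, 0), (6, 20503, 0), (7, 40005, -37), (8, 1012, 0), (9, 40009, -37)]
SAMPLES = [(T0 + timedelta(seconds=s), ipid, _http_date(T0 + timedelta(seconds=s + skew)))
           for s, ipid, skew in _PLAN]

def count_ipid_sequences(ipids, max_step=200):
    """Split IP IDs (in arrival order) into the fewest strictly increasing runs whose
    gaps stay within max_step; each run behaves like one host's per-packet counter."""
    tails = []                                   # last IP ID seen for each run
    for ipid in ipids:
        fits = [i for i, last in enumerate(tails) if 0 < ipid - last <= max_step]
        if fits:
            tails[max(fits, key=lambda i: tails[i])] = ipid   # extend closest run
        else:
            tails.append(ipid)                   # no run continues: assume a new host
    return len(tails)

def count_clock_offsets(samples, bucket=2):
    """Distinct (Date header - capture time) offsets, rounded to `bucket` seconds.
    Synced hosts collapse into one offset, so this can undercount."""
    offsets = set()
    for captured, _ipid, date_hdr in samples:
        skew = (parsedate_to_datetime(date_hdr) - captured).total_seconds()
        offsets.add(round(skew / bucket))
    return len(offsets)

def estimate_backends(samples):
    ipids = [ipid for _c, ipid, _d in samples]
    runs = count_ipid_sequences(ipids)
    return {
        "by_ipid": runs,
        # Randomized IP IDs yield almost one run per packet: report inconclusive, not a count.
        "ipid_conclusive": runs <= max(1, len(ipids) // 2),
        "by_clock": count_clock_offsets(samples),
    }

if __name__ == "__main__":
    print(estimate_backends(SAMPLES))   # {'by_ipid': 3, 'ipid_conclusive': True, 'by_clock': 2}
```

After the fixes from the SOLUTION section, the same capture should give a single clock offset and an inconclusive IP ID result.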