Home > CAPEC List > CAPEC-317: IP ID Sequencing Probe (Version 2.11)  

CAPEC-317: IP ID Sequencing Probe

IP ID Sequencing Probe
Definition in a New Window Definition in a New Window
Attack Pattern ID: 317
Abstraction: Detailed
Status: Stable
Completeness: Complete
Presentation Filter:
+ Summary

This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis:

  • 1. IP 'ID' Sequencing: Analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host.
  • 2. Shared IP 'ID' Sequencing: Analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP.
+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer

Target Attack Surface Localities


Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: ICMP
Protocol Header 1: IP Header
Protocol Field NameProtocol Field Description
The Identifier field 'ID' is a 16 bit field used for fragment reassembly.
Related Protocol: Internet Control Messaging Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
Related Protocol: User Datagram Protocol
Relationship Type
Uses Protocol
Related Protocol: IP Datagram Reassembly Algorithms
Relationship Type
Uses Protocol
Related Protocol: Path MTU Discovery
Relationship Type
Uses Protocol
+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Medium

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Read application data
Bypass protection mechanism
Hide activities
+ References
[R.317.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.
[R.317.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
[R.317.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Chapter 8. Remote OS Detection. 3rd "Zero Day" Edition,. Insecure.com LLC. 2008.
[R.317.4] [REF-10] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://www.phrack.org/issues.html?issue=51&id=11#article>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Attack_Motivation-Consequences, Related_Attack_Patterns, Typical_Likelihood_of_ExploitInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017