Forum Discussion
Addressing Vulnerabilities - Presence of a Load-Balancing Device Detected
Questions:
1. Anyone have any idea how "IP Identification" is done to find the number of servers behind the load balancer?
2. What configuration can be done on the Big-IP to get rid of this vulnerability?
3. I'm no security expert - how big of a deal is this vulnerability?
Thanks,
-Funkdaddy
1 Presence of a Load-Balancing Device Detected (5)
QID: 86189
CVSS Base: 0 [1]
Category: Web server
CVSS Temporal: -
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 05/20/2009
User Modified: -
Edited: No
PCI Vuln: No

THREAT:
The service detected a load-balancing device in front of your Web servers. This information can provide an attacker with additional information about your network.

Different techniques were used to detect the presence of a load-balancing device, including HTTP header analysis and analysis of IP Time-To-Live (TTL) values, IP Identification (ID) values, and TCP Initial Sequence Numbers (ISN). The actual technique(s) responsible for the detection can be seen in the Result section.

The exact number of Web servers behind a load balancer is difficult to determine, so the number reported here may not be accurate. Furthermore, Netscape Enterprise Server Version 3.6 is known to display an erroneous "Date:" field in the HTTP header when the server receives a lot of requests. This makes it difficult for the service to determine if there is a load-balancing device present by analyzing the HTTP headers. Also, the result given by the analysis of IP ID and TCP ISN values may vary due to different network conditions when the scan was performed.

IMPACT:
By exploiting this vulnerability, an intruder could use this information in conjunction with other pieces of information to craft sophisticated attacks against your network.

Note also that if the Web servers behind the load balancer are not identical, the scan results for the HTTP vulnerabilities may vary from one scan to another.

SOLUTION:
To prevent the detection of the presence of a load-balancing device based on HTTP header analysis, you should use Network-Time-Protocol (NTP) to synchronize the clocks on all of your hosts (at least those in the DMZ).

To prevent detection by analyzing IP TTL values, IP ID values, and TCP ISN values, you may use hosts with a TCP/IP implementation that generates randomized numbers for these values. However, most operating systems available today do not come with such a TCP/IP implementation.

RESULTS:
xxx.xx.xx.54 (extranet.xyz.com, -) F5 Networks Big-IP port 443/tcp over SSL
RESULTS:
Number of web servers behind load balancer: 3 - based on IP Identification values

xxx.xx.xx.103 (wpress.xxx.com, -) F5 Networks Big-IP port 443/tcp over SSL
RESULTS:
Number of web servers behind load balancer: 4 - based on IP Identification values
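The report's "HTTP header analysis" technique and its NTP fix, as an added example that is not part of the thread and not the scanner vendor's code. Each backend stamps the Date: header from its own clock, so (arrival time at the scanner minus the Date: value) is a per-backend constant, and several distinct values behind one address imply several backends. The scanner receive times, backend clock offsets and Date headers below are all constructed; the function and variable names are this example's own.

```python
"""Added example (not from the thread or the scanner vendor): how the
"HTTP header analysis" signal works and why NTP sync removes it.

Each backend stamps Date: from its own clock.  If the scanner records when
each response arrived, (arrival time - Date header) is a per-backend
constant: that backend's clock skew.  Several distinct skews behind one
address imply several backends.  All samples below are constructed."""
from email.utils import formatdate, parsedate_to_datetime


def skew_seconds(receive_epoch, date_header):
    """Skew between the scanner clock and the backend clock that produced
    date_header (RFC 1123 format, as in HTTP).  Positive: backend is behind."""
    return receive_epoch - parsedate_to_datetime(date_header).timestamp()


def skew_groups(samples, tolerance_s=2.0):
    """samples: iterable of (receive_epoch, date_header).  Sorts the skews and
    starts a new group whenever a skew is more than tolerance_s from the
    first member of the current group.  Date: has one-second resolution and
    network latency adds jitter, so tolerance_s should be a few seconds."""
    skews = sorted(skew_seconds(r, h) for r, h in samples)
    groups = []
    for s in skews:
        if groups and s - groups[-1][0] <= tolerance_s:
            groups[-1].append(s)
        else:
            groups.append([s])
    return groups


def estimate_backends(samples, tolerance_s=2.0):
    """Number of distinct clock skews seen, i.e. the scanner's estimate of
    how many backends answered.  1 means this signal gives nothing away."""
    return len(skew_groups(samples, tolerance_s))


def simulate_probes(clock_offsets, probes, start_epoch=1_700_000_000):
    """Constructed traffic: the balancer hands probes out round-robin to
    len(clock_offsets) backends; backend i's clock runs clock_offsets[i]
    seconds ahead of the scanner's.  Returns (receive_epoch, Date header)
    pairs as a scanner would log them.  Integer epochs keep the arithmetic
    exact for the example."""
    samples = []
    for i in range(probes):
        receive_epoch = start_epoch + i
        backend_clock = receive_epoch + clock_offsets[i % len(clock_offsets)]
        samples.append((receive_epoch, formatdate(backend_clock, usegmt=True)))
    return samples


# Three backends with unsynchronised clocks: 0 s, +37 s and -120 s.
DRIFTING = simulate_probes([0, 37, -120], probes=30)
# The same three backends after NTP: every clock within a second of true time.
NTP_SYNCED = simulate_probes([0, 1, -1], probes=30)

if __name__ == "__main__":
    for name, samples in (("unsynchronised", DRIFTING), ("NTP-synced", NTP_SYNCED)):
        groups = skew_groups(samples)
        print(f"{name}: {len(groups)} distinct clock skew(s):",
              [round(g[0]) for g in groups])
```

The unsynchronised set yields three skew groups (-37 s, 0 s, +120 s), the NTP-synced set one. That is exactly why the report's SOLUTION asks for NTP on every DMZ host: the check is cheap to run against your own virtual server before the next scan, and it only looks at what the scanner can see.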
- funkdaddy_31014
Nimbostratus
Oops, the report output got omitted:
- Nathan_Houck_65
Nimbostratus
One possible solution is to use an iRule with the HTTP sanitize command:
- Dany_Lee_19801
Nimbostratus
Hi,
- nathe
Cirrocumulus
One question that was asked previously was "Anyone have any idea how "IP Identification" is done to find the number of servers behind the load balancer?". The answer (or possibly one of a few answers) is that the external security company have crafted some scans, using one of a few pen test tools, against the IP of your website (which is in fact your load balancer) and interrogated the IP ID number returned. If there was no load balancer and, say, simply one web server, then the number that the IP ID increments by would have a pattern to it (to some degree). By having a load balancer with 1 or many backend web servers, the returned IP IDs may be vastly different each time, which would suggest different servers are being load-balanced. Hope that makes sense? The crudeness of this would be a reason why they've "guessed" incorrectly the number of web servers.
- hoolio
Cirrostratus
This seems like a non-issue. What can an attacker do once they determine that a site is using a load balancer?
- netfortius
Nimbostratus
As someone stated earlier - the IP ID "range" variance is indicative of LB - for example when doing something like:
+1 @Hoolio
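The IP Identification technique that the report lists, that nathe describes and that netfortius calls the IP ID "range" variance, as an added example that is not part of the thread and not any scanner's code. A host whose stack fills IP ID from one global counter emits values that climb a little with every packet it sends; interleave the replies of several such hosts and the observed sequence splits into that many climbing runs. The example also shows the failure mode the report warns about: a stack that randomises IP ID (the report's suggested mitigation) produces no runs at all, which this method misreads as "many hosts". The starting counters, round-robin schedule, seeds and function names are this example's own assumptions.

```python
"""Added example (not from the thread or any scanner): estimating the number
of hosts behind one address from the IP Identification field, and the
failure mode that makes the estimate unreliable.  All probe data is
constructed below."""
import random

IPID_MODULUS = 1 << 16  # the IP ID field is 16 bits wide and wraps


def ipid_runs(ipids, max_step=64):
    """Split observed IP IDs into climbing runs.  Each value joins the run
    whose last member is its nearest predecessor within max_step (modulo
    2^16, so a wrap from 65535 to 0 is still a step of 1); if no run
    qualifies it starts a new one.  max_step bounds how much other traffic a
    host may send between two of our probes before we lose track of it."""
    runs = []
    for value in ipids:
        best, best_gap = None, None
        for run in runs:
            gap = (value - run[-1]) % IPID_MODULUS
            if 0 < gap <= max_step and (best_gap is None or gap < best_gap):
                best, best_gap = run, gap
        if best is None:
            runs.append([value])
        else:
            best.append(value)
    return runs


def estimate_hosts(ipids, max_step=64):
    """The scanner's 'number of web servers behind load balancer'."""
    return len(ipid_runs(ipids, max_step))


def simulate_counter_hosts(start_ids, probes, other_traffic=3, seed=7):
    """Constructed traffic: each host has a global IP ID counter starting at
    start_ids[i]; between two of our probes it also sends 0..other_traffic
    packets to other clients.  The balancer hands probes out round-robin."""
    rng = random.Random(seed)
    counters = list(start_ids)
    observed = []
    for i in range(probes):
        h = i % len(counters)
        counters[h] = (counters[h] + 1 + rng.randint(0, other_traffic)) % IPID_MODULUS
        observed.append(counters[h])
    return observed


def simulate_random_hosts(probes, seed=7):
    """Constructed traffic from hosts whose stack randomises IP ID per packet,
    the mitigation the report's SOLUTION section describes."""
    rng = random.Random(seed)
    return [rng.randrange(IPID_MODULUS) for _ in range(probes)]


# Three counter-based backends; the third starts near 65535 to exercise wrap.
THREE_COUNTER_HOSTS = simulate_counter_hosts([1000, 20000, 65520], probes=30)
# Backends that randomise IP ID: the runs fall apart and the count inflates.
RANDOM_IPID_HOSTS = simulate_random_hosts(probes=30)

if __name__ == "__main__":
    for name, seen in (("counter IP IDs", THREE_COUNTER_HOSTS),
                       ("random IP IDs", RANDOM_IPID_HOSTS)):
        runs = ipid_runs(seen)
        print(f"{name}: {len(runs)} run(s), starting at {[r[0] for r in runs]}")
```

Against the three counter-based hosts the estimate is exactly 3 (one run of ten values per host); against randomised IP IDs it comes out far above the real number, which is the sense in which the report says the number "may not be accurate" and why two scans of the same address can disagree. Two caveats for the BIG-IP case in this thread: a standard (full-proxy) virtual server terminates the client connection on the BIG-IP, so the IP header fields the scanner sees are produced by the BIG-IP's own stack rather than by the pool members, and randomising IP ID on the backends changes the reported count rather than removing the finding.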