Forum Discussion
funkdaddy_31014
Nimbostratus
Apr 21, 2011
Addressing Vulnerabilities - Presence of a Load-Balancing Device Detected
We routinely run Qualys scans on our environment, and the scan comes back with minor vulnerabilities called "Presence of a Load-Balancing Device Detected" based on "IP Identification". The results sho...
funkdaddy_31014
Nimbostratus
Apr 21, 2011
Oops, the report output got omitted:
1 Presence of a Load-Balancing Device Detected (5)
QID: 86189 CVSS Base: 0 [1]
Category: Web server CVSS Temporal: -
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 05/20/2009
User Modified: -
Edited: No
PCI Vuln: No
THREAT:
The service detected a load-balancing device in front of your Web servers. This information can provide an attacker with additional
information about your network.
Different techniques were used to detect the presence of a load-balancing device, including HTTP header analysis and analysis of IP
Time-To-Live (TTL) values, IP Identification (ID) values, and TCP Initial Sequence Numbers (ISN). The actual technique(s) responsible for
the detection can be seen in the Result section.
The exact number of Web servers behind a load balancer is difficult to determine, so the number reported here may not be accurate.
Furthermore, Netscape Enterprise Server Version 3.6 is known to display an erroneous "Date:" field in the HTTP header when the server
receives a lot of requests. This makes it difficult for the service to determine if there is a load-balancing device present by analyzing the
HTTP headers. Also, the result given by the analysis of IP ID and TCP ISN values may vary due to different network conditions when the
scan was performed.
IMPACT:
By exploiting this vulnerability, an intruder could use this information in conjunction with other pieces of information to craft sophisticated
attacks against your network.
Note also that if the Web servers behind the load balancer are not identical, the scan results for the HTTP vulnerabilities may vary from one
scan to another.
SOLUTION:
To prevent the detection of the presence of a load-balancing device based on HTTP header analysis, you should use
Network-Time-Protocol (NTP) to synchronize the clocks on all of your hosts (at least those in the DMZ).
To prevent detection by analyzing IP TTL values, IP ID values, and TCP ISN values, you may use hosts with a TCP/IP implementation that
generates randomized numbers for these values. However, most operating systems available today do not come with such a TCP/IP
implementation.
***RESULTS***
xxx.xx.xx.54 (extranet.xyz.com, -) F5 Networks Big-IP port 443/tcp over SSL
RESULTS:
Number of web servers behind load balancer:
3 - based on IP Identification values
xxx.xx.xx.103 (wpress.xyz.com, -) F5 Networks Big-IP port 443/tcp over SSL
RESULTS:
Number of web servers behind load balancer:
4 - based on IP Identification values
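The report above names two of the heuristics behind QID 86189: IP Identification values that advance as independent counters (one per backend), and HTTP "Date:" headers that disagree when the backend clocks are not synchronised. The following script is an added example, not part of the thread and not Qualys or F5 code; it re-creates both checks over a constructed set of responses so an administrator can reproduce the "N web servers behind load balancer" figure from their own capture and confirm, after rolling out NTP, that the Date-header signal is gone. The sample data, the `IPID_WINDOW` tolerance and the function names are all assumptions made for this example.

```python
"""Added example (not from the DevCentral thread or the Qualys report):
re-create the IP ID sequence and HTTP Date-skew heuristics that the report
names, over constructed sample responses captured from one virtual server."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# IP ID is a 16-bit counter on most stacks. Two replies from the same host
# are assumed to differ by at most this much (other traffic in between).
# This tolerance is an assumption of the example, not a Qualys constant.
IPID_WINDOW = 256

CAPTURE_START = datetime(2011, 4, 21, 14, 0, 0, tzinfo=timezone.utc)

# Constructed sample: (seconds since CAPTURE_START, IP ID, HTTP Date header)
# in arrival order. Three hosts advance their IP ID counters independently
# (1001.., 5520.., 42000..) and the second host's clock is ~40 s behind.
SAMPLE_RESPONSES = [
    (0.0, 1001, "Thu, 21 Apr 2011 14:00:00 GMT"),
    (0.5, 5520, "Thu, 21 Apr 2011 13:59:20 GMT"),
    (1.0, 1003, "Thu, 21 Apr 2011 14:00:01 GMT"),
    (1.5, 42000, "Thu, 21 Apr 2011 14:00:01 GMT"),
    (2.0, 5523, "Thu, 21 Apr 2011 13:59:22 GMT"),
    (2.5, 1004, "Thu, 21 Apr 2011 14:00:02 GMT"),
    (3.0, 42002, "Thu, 21 Apr 2011 14:00:03 GMT"),
    (3.5, 5524, "Thu, 21 Apr 2011 13:59:23 GMT"),
    (4.0, 1006, "Thu, 21 Apr 2011 14:00:04 GMT"),
    (4.5, 42005, "Thu, 21 Apr 2011 14:00:04 GMT"),
]


def estimate_backends_from_ipid(ip_ids):
    """Greedy sequence split: each reply either continues the counter of an
    already-inferred host (small forward step, modulo 2**16) or starts a new
    one. The number of sequences is the estimated number of backends."""
    sequences = []  # last IP ID seen per inferred host
    for ipid in ip_ids:
        best, best_gap = None, None
        for idx, last in enumerate(sequences):
            gap = (ipid - last) % 65536
            if 0 < gap <= IPID_WINDOW and (best_gap is None or gap < best_gap):
                best, best_gap = idx, gap
        if best is None:
            sequences.append(ipid)      # no counter is close enough: new host
        else:
            sequences[best] = ipid      # continue the closest counter
    return len(sequences)


def clock_offsets(responses, capture_start=CAPTURE_START, resolution=5):
    """Return the distinct (Date header minus capture time) offsets, rounded
    to `resolution` seconds. One value means the backends share a clock;
    more than one means unsynchronised hosts, the signal NTP is meant to
    remove."""
    offsets = set()
    for seconds, _ipid, date_header in responses:
        captured_at = capture_start + timedelta(seconds=seconds)
        server_time = parsedate_to_datetime(date_header)
        delta = (server_time - captured_at).total_seconds()
        offsets.add(resolution * round(delta / resolution))
    return sorted(offsets)


def load_balancer_report(responses):
    """Summarise both heuristics the way the scanner result block does."""
    return {
        "backends_by_ipid": estimate_backends_from_ipid([r[1] for r in responses]),
        "clock_offsets": clock_offsets(responses),
    }


if __name__ == "__main__":
    print(load_balancer_report(SAMPLE_RESPONSES))
```

Two caveats that match the report's own wording: the IP ID count is only meaningful when every backend uses a sequential counter, so a stack that randomises IP ID (or a load balancer that rewrites it) makes the greedy split start a new "host" for almost every reply and the figure is noise rather than a server count; and a single offset in `clock_offsets` after NTP is in place is the check that the HTTP-header vector no longer applies, which is the remediation the report suggests.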