Forum Discussion
funkdaddy_31014
Nimbostratus
Apr 21, 2011
Addressing Vulnerabilities - Presence of a Load-Balancing Device Detected
We routinely run Qualys scans on our environment, and the scan comes back with minor vulnerabilities called "Presence of a Load-Balancing Device Detected" based on "IP Identification". The results sho...
nathe
Cirrocumulus
Apr 16, 2012
One question that was asked previously was "Anyone have any idea how "IP Identification" is done to find the number of servers behind the load balancer?". The answer (or possibly one of a few answers) is that the external security company have crafted some scans, using one of a few pen test tools, against the IP of your website (which is in fact your load balancer) and interrogated the IP ID number returned. If there was no load balancer and, say, simply one web server then the number that the IP ID increments by would have a pattern to it (to some degree). By having a load balancer with 1 or many backend web servers then the returned IP IDs may be vastly different each time, which would suggest different servers are being load-balanced. Hope that makes sense? The crudeness of this would be a reason why they've "guessed" incorrectly the amount of web servers.
As to "how big of a deal is this vulnerability?". The pen testers may get different results if the load balanced web servers are not exactly the same, i.e. patch levels not the same, so, to them, the possibility of inconsistency of results would prevent them from auditing the security most accurately and giving you the full picture.
Not sure if the F5 can mitigate against this. If it can, it will be by using the ASM module somehow.
Hope this helps,
N
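The inference described in the reply above can be reproduced offline on IP ID values read from your own packet capture, to see what a scanner would conclude about your virtual server. This is an added example, not part of the original thread and not the scanner's actual method; the `MAX_STEP` threshold, the function names and all sample values are assumptions constructed for illustration.

```python
MOD = 1 << 16     # the IPv4 Identification field is 16 bits wide
MAX_STEP = 256    # assumed: one host's counter advances less than this between probes


def split_counters(ip_ids, max_step=MAX_STEP):
    """Greedily assign each observed IP ID to the counter it most plausibly continues.

    Returns one list per inferred counter, i.e. per apparent host behind the address.
    """
    if len(set(ip_ids)) < 2:
        return []  # a constant ID (for example all zeros) carries no counter information
    sequences = []
    for value in ip_ids:
        best, best_step = None, None
        for seq in sequences:
            step = (value - seq[-1]) % MOD  # forward distance, allowing 16-bit wrap
            if 0 < step <= max_step and (best_step is None or step < best_step):
                best, best_step = seq, step
        if best is None:
            sequences.append([value])  # no existing counter fits: looks like a new host
        else:
            best.append(value)
    return sequences


def apparent_hosts(ip_ids, max_step=MAX_STEP):
    """Number of distinct counters, which is what a scanner would report as servers."""
    return len(split_counters(ip_ids, max_step))


# Constructed sample values, not taken from a real capture.
SAMPLES = {
    "one server, incrementing": [1000, 1003, 1004, 1009, 1012, 1013],
    "one server, counter wraps": [65530, 65534, 3, 10],
    "two servers, interleaved": [1000, 40000, 1002, 40005, 1003, 40009, 1007, 40010],
    "one server, randomized IDs": [51234, 877, 30211, 64002, 12999, 45010],
    "constant zero IDs": [0, 0, 0, 0],
}

if __name__ == "__main__":
    for label, ids in SAMPLES.items():
        print(f"{label:28} -> {apparent_hosts(ids)} apparent host(s)")
```

The randomized sample is reported as six hosts although it was constructed as a single one, which is the kind of miscount the reply attributes to the crudeness of the technique.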