CAPEC-317: IP ID Sequencing Probe
This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis - IP 'ID' Sequencing: analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host and Shared IP 'ID' Sequencing: analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP.
Last updated
Overview
CAPEC-317 (IP ID Sequencing Probe) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
Consequences
What a successful CAPEC-317 attack can achieve.
Read Data
Affects: Confidentiality
Bypass Protection Mechanism, Hide Activities
Affects: Confidentiality, Access Control, Authorization
Frequently asked questions
Common questions about CAPEC-317.
- What is CAPEC-317?
- This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis - IP 'ID' Sequencing: analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host and Shared IP 'ID' Sequencing: analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP.
- What weaknesses does CAPEC-317 target?
- CAPEC-317 exploits 1 CWE weakness, including CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
- How severe is CAPEC-317?
- MITRE rates CAPEC-317 as Low severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-317
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.