Posted to bugtraq mailing list (20 Nov 1999): --- Hi, some little new ideas about IP ID issue: The first is about linux firewalling: since it increase IP ID global counter even if an outgoing packet will be filtered we are able, for example, to scan UDP ports even if ICMP type 3 output is DENY, and in general it is possibleto know when TCP/IP stack reply a packet even if the reply is dropped. I think (but not tested) that this is true for almost all firewalls. The second issue concern the ability to uncover firewall rules. For example it is travial to know if host A filter packets from the IP X.Y.Z.W monitoring IP ID incresing of host A or host with X.Y.Z.W address (this changes if we are interested to know input or output rules) and sending packets that suppose some reply. Also this is related with the ability to scan the ports of hosts that drop all packets with a source different than host.trusted.com. There are others stuff like this but they are only different faces of the same concepts. Some people thinks that this kind of attacks isn't a "real world" attacks, I'm strongly interested to know what's bugtraq readers opinion (IMO this kind of attacks are feasible and usefull for an attacker. For exaple the ability to scan the ports with only spoofed packets and the ability to guess remote hosts traffic are a lot real). ciao, antirez