CAPEC-332 - ICMP IP 'ID' Field Error Message Probe

An attacker sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. There are 3 behaviors that can be used to distinguish remote operating systems or firmware.

Different operating systems will respond by setting the IP ID field differently within error messaging. This allows the attacker to construct a fingerprint of specific OS behaviors.






  • Scopes 2
  • "Varies by context"
  • Confidentiality
  • Hide activities
  • Bypass protection mechanism
  • Authorization
  • Access_Control
  • Confidentiality

The ability to send a UDP datagram to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable.