After working extensively with Qualys and AWS Support (the scope of this use case is limited to AWS), we've been able to narrow down the issue to the OS. I'm running into an issue where we are unable to scan the majority of our environment (~95%).
The environment consists of Suse 10/11 systems, operating at various service pack levels. Due to the applications we run there are slight variations in the configurations.
After troubleshooting network activity, we found that packets were coming into the target host, but then the OS failed to reply with the proper TCP sequence. It appears something on the OS is causing this.
We've already eliminated the obvious and there is no IPS/IDS, iptables, etc.
Interestingly enough, the failed scan results did provide the following under Information Gathered:
- CVE ID:
- Vendor Reference
- Bugtraq ID:
- Service Modified:
- User Modified:
- PCI Vuln:
- TCP Initial Sequence Numbers (ISNs) obtained in the SYNACK replies from the host are analyzed to determine how random they are. The average change between subsequent ISNs and the standard deviation from the average are displayed in the RESULT section. Also included is the degree of difficulty for exploitation of the TCP ISN generation scheme used by the host.
- Not Applicable
- There is no exploitability information for this vulnerability.
- There is no malware information for this vulnerability.
- Average change between subsequent TCP initial sequence numbers is 1103134027 with a standard deviation of 550047224. These TCP initial sequence numbers were triggered by TCP SYN probes sent to the host at an average rate of 1/(11988 microseconds). The degree of difficulty to exploit the TCP initial sequence number generation scheme is: hard.
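The two numbers the scanner reports in that RESULT line (average change between subsequent ISNs and its standard deviation) can be recomputed from your own packet capture, which is useful when the scan itself is failing and you want to see what the host is actually sending. The script below is an added example, not Qualys code or anything from the original post; it assumes a constructed "<time_s> seq=<isn>" line format for SYN-ACKs pulled out of a capture, and deliberately does not guess at the thresholds behind the "hard" rating, since those are not given here.

```python
import re
import statistics

# Constructed sample of SYN-ACK replies (not a real capture): "<time_s> seq=<isn>".
# The first two ISNs straddle the 32-bit wrap so the modular delta is exercised.
SAMPLE_SYNACKS = """\
0.000000 seq=4294967040
0.012000 seq=256
0.024000 seq=1073742080
0.036000 seq=2147483904
0.048000 seq=3221225728
"""

LINE_RE = re.compile(r"^(?P<t>\d+\.\d+)\s+seq=(?P<seq>\d+)$")
MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def parse_synacks(text):
    """Return (timestamps_s, isns) parsed from the assumed capture format."""
    times, isns = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a SYN-ACK record
        times.append(float(m.group("t")))
        isns.append(int(m.group("seq")) % MOD32)
    return times, isns


def isn_deltas(isns):
    """Forward difference between consecutive ISNs, taken modulo 2^32 so a
    wrap from 0xFFFFFF00 to 0x00000100 counts as +512, not a huge negative step."""
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


def isn_stats(isns):
    """Average change between subsequent ISNs and its population standard
    deviation, i.e. the two figures quoted under RESULT."""
    deltas = isn_deltas(isns)
    return statistics.mean(deltas), statistics.pstdev(deltas)


def probe_interval_us(times):
    """Average spacing of the SYN probes in microseconds, the N in the
    scanner's '1/(N microseconds)' rate figure."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return statistics.mean(gaps) * 1_000_000


if __name__ == "__main__":
    t, isns = parse_synacks(SAMPLE_SYNACKS)
    avg, sd = isn_stats(isns)
    print(f"avg ISN change {avg:.0f}, stddev {sd:.0f}, rate 1/({probe_interval_us(t):.0f} us)")
```

A tight distribution with a small average step means the host's ISNs are predictable; the large average and deviation the scanner reported for this host is what earns the "hard" rating.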