Different techniques are used to detect the presence of a load-balancing device, including HTTP header analysis and analysis of IP Time-To-Live (TTL) values, IP Identification (ID) values, and TCP Initial Sequence Numbers (ISN). The exact number of Web servers behind a load balancer is difficult to determine, so the number reported might not be accurate.

Furthermore, Netscape Enterprise Server Version 3.6 is known to display an erroneous "Date:" field in the HTTP header when the server receives multiple requests. This makes it difficult for the service to determine if there is a load-balancing device present by analyzing the HTTP headers.

Additionally, the result given by the analysis of IP ID and TCP ISN values may vary due to different network conditions when the scan was performed. By exploiting this vulnerability, an intruder could use this information in conjunction with other pieces of information to craft sophisticated attacks against your network.

• Unified Access Gateway is an appliance that is normally installed in a demilitarized zone (DMZ). The steps below help you protect Unified Access Gateway from vulnerability scanners from detecting this issue.
  • To prevent the detection of the presence of a load-balancing device based on HTTP header analysis, you should use Network-Time-Protocol (NTP) to synchronize the clocks on all of your hosts (at least those in the DMZ).
  • To prevent detection by analyzing IP TTL values, IP ID values, and TCP ISN values, you may use hosts with a TCP/IP implementation that generates randomized numbers for these values. However, most operating systems available today do not come with such a TCP/IP implementation.