Bugtraq mailing list archives
Re: Next-hop scanning for open firewall ports
From: Darren Reed <avalon () coombs anu edu au>
Date: Sat, 7 Sep 2002 13:29:17 +1000 (Australia/ACT)
In some mail from David G. Andersen, sie said:
Thinking about ways to figure out how to get through firewalls, the following attack occurred to me. The technique is similar to "firewalk"ing (Goldsmith) and to IP ID reverse scanning (Antirez). I call it next-hop scanning, because it operates by interrogating a router after the firewall, not the target.
[...]

To combat this attack, and others that use the IP ID, the latest alpha of IPFilter 4.0 [2] rewrites the ID field of _all_ outgoing IPv4 packets, in all directions, to be sequential and part of the same number space. This was done primarily to address problems raised in [1]. The implementation is not linked to NAT, so firewalls that do not use NAT are able to change the ID field.

Darren

[1] "A Technique for Counting NATted Hosts", Steven Bellovin, 2002
    http://www.research.att.com/~smb/papers/fnat.pdf
[2] http://coombs.anu.edu.au/~avalon/ipf40a25.tgz
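The following is an added illustration of the mitigation Darren describes, not code from this thread or from IPFilter. It models a firewall that stamps every outgoing IPv4 packet with the next value from one shared 16-bit counter, and compares what an outside observer sees before and after the rewrite. The hosts, their starting ID values and the traffic pattern are constructed; `IpIdRewriter`, `internal_traffic`, `count_id_chains` and `simulate` are hypothetical names chosen for the example. The observer function is a deliberately simple chain-grouping heuristic in the spirit of [1], included only to show why a single firewall-wide ID space stops per-host counters from being distinguishable.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Packet:
    src: str     # originating internal host (constructed label, not a real address)
    ip_id: int   # 16-bit IPv4 Identification field


class IpIdRewriter:
    """Firewall-side transform modelled on the behaviour described in the reply:
    every outgoing IPv4 packet receives the next value from ONE shared 16-bit
    counter, regardless of which internal host or flow produced it.
    (Hypothetical model, not IPFilter's implementation.)"""

    def __init__(self, start: int = 0) -> None:
        self._next = start & 0xFFFF

    def rewrite(self, pkt: Packet) -> Packet:
        new_id = self._next
        self._next = (self._next + 1) & 0xFFFF   # wrap at 2^16 like the real field
        return Packet(src=pkt.src, ip_id=new_id)


def internal_traffic(starts: Dict[str, int], per_host: int) -> List[Packet]:
    """Constructed sample: each internal host keeps its own sequential IP ID
    counter (the common stack behaviour at the time) and sends per_host
    packets, interleaved round-robin as they would leave a shared uplink."""
    counters = dict(starts)
    pkts: List[Packet] = []
    for _ in range(per_host):
        for host in starts:
            pkts.append(Packet(src=host, ip_id=counters[host]))
            counters[host] = (counters[host] + 1) & 0xFFFF
    return pkts


def count_id_chains(ids: Iterable[int], max_gap: int = 8) -> int:
    """Outside observer's view: greedily group observed IDs into chains where
    each new value is 1..max_gap above some chain's last value (mod 2^16).
    With one counter per host the chain count tracks the number of hosts;
    with a single firewall-wide counter every packet joins the same chain."""
    chains: List[List[int]] = []
    for i in ids:
        for chain in chains:
            if 1 <= ((i - chain[-1]) & 0xFFFF) <= max_gap:
                chain.append(i)
                break
        else:
            chains.append([i])
    return len(chains)


def simulate(starts: Dict[str, int] = None, per_host: int = 5,
             fw_start: int = 0xFFF8):
    """Return (chains_without_rewrite, chains_with_rewrite) for the constructed
    traffic. fw_start is chosen so the firewall counter wraps mid-run."""
    starts = starts or {"hostA": 1000, "hostB": 20000, "hostC": 45000}
    raw = internal_traffic(starts, per_host)
    fw = IpIdRewriter(start=fw_start)
    rewritten = [fw.rewrite(p) for p in raw]
    return (count_id_chains(p.ip_id for p in raw),
            count_id_chains(p.ip_id for p in rewritten))


if __name__ == "__main__":
    before, after = simulate()
    print(f"ID chains visible outside: without rewrite={before}, with rewrite={after}")
```

Run as a script it reports three distinguishable ID chains for the untouched traffic and one after the rewrite. Note that the rewriter changes only the Identification field; a real implementation must also recompute the IPv4 header checksum, which this model omits.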
Current thread:
- Next-hop scanning for open firewall ports David G. Andersen (Sep 06)
- Re: Next-hop scanning for open firewall ports Chris Brenton (Sep 07)
- Re: Next-hop scanning for open firewall ports Darren Reed (Sep 07)