[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Next-hop scanning for open firewall ports
In some mail from David G. Andersen, sie said:
> Thinking about ways to figure out how to get through firewalls,
> the following attack occurred to me. The technique is similar
> to "firewalk"ing (Goldsmith) and to IP ID reverse scanning (Antirez).
> I call it next-hop scanning, because it operates by interrogating
> a router after the firewall, not the target.
To combat this attack, and others that use the IP ID, the latest
alpha of IPFilter 4.0 rewrites the ID field of _all_ outgoing
IPv4 packets, in all directions, to be sequential and part of the
same number space. This was done primarily to address problems
raised in . The implementation is not linked to NAT, so firewalls
that do not use NAT are able to change the ID field.
 "A Technique for Counting NATted Hosts", Steven Bellovin, 2002