Re: Next-hop scanning for open firewall ports

[Darren Reed <avalon@xxxxxxxxxxxxxxxxx>]

In some mail from David G. Andersen, sie said:
> 
> Thinking about ways to figure out how to get through firewalls,
> the following attack occurred to me.  The technique is similar
> to "firewalk"ing (Goldsmith) and to IP ID reverse scanning (Antirez).
> I call it next-hop scanning, because it operates by interrogating
> a router after the firewall, not the target.
[...]

To combat this attack, and others that use the IP ID, the latest
alpha of IPFilter 4.0[2] rewrites the ID field of _all_ outgoing
IPv4 packets, in all directions, to be sequential and part of the
same number space.  This was done primarily to address problems
raised in [1].  The implementation is not linked to NAT, so firewalls
that do not use NAT are able to change the ID field.

Darren

[1] "A Technique for Counting NATted Hosts", Steven Bellovin, 2002
http://www.research.att.com/~smb/papers/fnat.pdf

[2] http://coombs.anu.edu.au/~avalon/ipf40a25.tgz