Bugtraq mailing list archives

Re: Next-hop scanning for open firewall ports


From: Darren Reed <avalon () coombs anu edu au>
Date: Sat, 7 Sep 2002 13:29:17 +1000 (Australia/ACT)

In some mail from David G. Andersen, sie said:

Thinking about ways to figure out how to get through firewalls,
the following attack occurred to me.  The technique is similar
to "firewalk"ing (Goldsmith) and to IP ID reverse scanning (Antirez).
I call it next-hop scanning, because it operates by interrogating
a router after the firewall, not the target.
[...]

To combat this attack, and others that use the IP ID, the latest
alpha of IPFilter 4.0[2] rewrites the ID field of _all_ outgoing
IPv4 packets, in all directions, to be sequential and part of the
same number space.  This was done primarily to address problems
raised in [1].  The implementation is not linked to NAT, so firewalls
that do not use NAT are able to change the ID field.

Darren

[1] "A Technique for Counting NATted Hosts", Steven Bellovin, 2002
http://www.research.att.com/~smb/papers/fnat.pdf

[2] http://coombs.anu.edu.au/~avalon/ipf40a25.tgz
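The following is an added illustration of the mitigation Darren describes (one shared, sequential IP ID space for every packet leaving the firewall); it is not code from IPFilter or from this thread. It is a self-constructed Python model: `build_ipv4` fabricates sample packets from two internal hosts that each keep their own per-host ID counter (the pattern [1] exploits to count hosts), and `IpIdRewriter` replaces the ID field and recomputes the IPv4 header checksum on the way out. Fragments of one datagram must share an ID, so the rewriter keys a small mapping on (src, dst, proto, original id); a real implementation would expire those entries, which this model does not.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.
    The caller zeroes bytes 10-11 before computing a new value; running it
    over a header that already carries its checksum returns 0 when valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ip_id: int, payload: bytes = b"",
               proto: int = 17, flags: int = 0, frag_off: int = 0) -> bytes:
    """Constructed sample IPv4 packet without options (test input only)."""
    ffo = ((flags & 0x7) << 13) | (frag_off & 0x1FFF)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                      ffo, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ip_id(packet: bytes) -> int:
    """Read the 16-bit Identification field."""
    return struct.unpack("!H", packet[4:6])[0]


class IpIdRewriter:
    """Gives every outgoing IPv4 packet the next value of one shared counter,
    regardless of which internal host produced it."""
    MF = 0x2000  # 'more fragments' bit in the flags/fragment-offset word

    def __init__(self, start: int = 0):
        self.next_id = start & 0xFFFF
        # (src, dst, proto, original id) -> rewritten id, so that all
        # fragments of one datagram leave with the same ID. Assumption of
        # this model: entries are never expired.
        self.frag_map = {}

    def _allocate(self) -> int:
        value = self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFF
        return value

    def rewrite(self, packet: bytes) -> bytes:
        if len(packet) < 20 or packet[0] >> 4 != 4:
            raise ValueError("not an IPv4 packet")
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl:
            raise ValueError("bad IHL")
        ffo = struct.unpack("!H", packet[6:8])[0]
        is_fragment = bool(ffo & self.MF) or (ffo & 0x1FFF) != 0
        if is_fragment:
            key = (packet[12:16], packet[16:20], packet[9], ip_id(packet))
            new_id = self.frag_map.get(key)
            if new_id is None:
                new_id = self.frag_map[key] = self._allocate()
        else:
            new_id = self._allocate()
        hdr = bytearray(packet[:ihl])
        hdr[4:6] = struct.pack("!H", new_id)
        hdr[10:12] = b"\x00\x00"                      # zero before recomputing
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return bytes(hdr) + packet[ihl:]


def demo() -> list:
    """Two internal hosts with independent ID counters send through the
    rewriter; the IDs seen on the outside form a single sequence."""
    rw = IpIdRewriter(start=100)
    outgoing = [  # constructed: host .2 counts from 4000, host .3 from 31000
        build_ipv4("10.0.0.2", "198.51.100.7", 4000, b"a"),
        build_ipv4("10.0.0.3", "198.51.100.7", 31000, b"b"),
        build_ipv4("10.0.0.2", "198.51.100.7", 4001, b"c"),
        build_ipv4("10.0.0.3", "198.51.100.7", 31001, b"d"),
    ]
    return [ip_id(rw.rewrite(p)) for p in outgoing]


if __name__ == "__main__":
    print("outside IDs:", demo())   # one sequence instead of two interleaved ones
```

Before rewriting, the four sample packets carry 4000, 31000, 4001, 31001, two interleaved counters that reveal two hosts; after rewriting an observer sees 100, 101, 102, 103. The rewrite is independent of NAT, as the post notes, so it applies equally to a routing firewall; the checksum fix-up is mandatory because the ID field is covered by the header checksum.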

