Firewall Wizards mailing list archives
Re: detecting multihomed host
From: "K K" <kkadow () gmail com>
Date: Sat, 2 Aug 2008 00:51:22 -0500
Yes, 'pf' can scrub TCP, including TTL and IPID. So what you are looking for is other information leakage issues in TCP, or in the higher level protocols, or the OS. Issues range from information leakage through simple configuration faults, through more complex "side channel" attacks.

Let's say you have a /24 network, and within this network, 200 active IP addresses, which you have randomly assigned as alias IPs on 10 physical machines, each running a different OS and/or architecture. I assume PING isn't the only protocol you have listening, so let's also say all these IPs are listening on TCP ports 21, 22, 25, 80 and 443 with the usual services, and the packet filter isn't doing any fancy redirection or rate limiting. An attacker might suspect you don't have 200 distinct machines (physical or virtual), and may want to get at W.X.Y.123, so he wants to learn which other IP addresses share the same OS.

If you're just doing simple IP aliasing in the OS, rather than full virtual machines, an example of a configuration fault might be as simple as the OS choosing a default "base" IP address when it generates a new outbound packet. So for example, I might notice that when I make TCP/25 connections to each of the 200 different destination IP addresses, a reverse DNS lookup is done against my source, but I only see 10 unique source IP addresses on these queries. Or the machines may have different versions of Apache, SSHd or OpenSSL.

A side-channel approach might be to sequentially measure the response time of each of the 200 IP addresses for an "expensive" operation (e.g. negotiating SSL, or a complex HTTP transaction), establishing baselines for each IP. Then repeat the test, but make the requests two at a time, choosing two random pairs of IP addresses out of the 200. Finally, repeat the test a third time, again two at a time, one of the two always being the target (W.X.Y.123) and the second being one of the other 199 active addresses.
All of the above can be done slowly, over a period of several days, and from a wide variety of source addresses to evade trivial detection by IPS or log analysis. One possibility to mitigate this exposure is to use higher level proxies instead of a bridging firewall.

Kevin

(P.S. The term "multihome" usually means a host with multiple NICs, each one on a different network; the situation you describe, a host with many aliases on a single NIC, is a different beast, but I don't know the best name for it.)
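The third phase of the timing approach Kevin describes leaves a trace in the firewall's connection log: one source opening connections to two different local addresses at (almost) the same moment, with one address recurring as the constant partner across many sources and days. The following added example (not from Kevin's post or the list) is defender-side log analysis that flags that pattern; the log format, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a firewall connection log: "ISO-time src dst dport".
# Three unrelated sources each pair 192.0.2.123 with a different alias within a second.
SAMPLE_LOG = """\
2008-08-01T10:00:00 198.51.100.7 192.0.2.123 443
2008-08-01T10:00:00 198.51.100.7 192.0.2.45 443
2008-08-01T10:00:30 198.51.100.7 192.0.2.10 22
2008-08-02T14:12:05 203.0.113.9 192.0.2.77 443
2008-08-02T14:12:05 203.0.113.9 192.0.2.123 443
2008-08-02T14:15:00 203.0.113.9 192.0.2.45 80
2008-08-03T03:40:11 198.51.100.200 192.0.2.123 443
2008-08-03T03:40:12 198.51.100.200 192.0.2.9 443
2008-08-03T03:41:00 198.51.100.200 192.0.2.9 25
"""

def parse_log(text):
    """Parse 'ISO-time src dst dport' lines into (epoch_seconds, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            records.append((datetime.fromisoformat(ts).timestamp(), src, dst, int(dport)))
    return records

def concurrent_pairs(records, window=1.0):
    """Yield (src, dst_a, dst_b) when one source connects to two different local
    addresses within `window` seconds of each other (consecutive connections only)."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in records:
        by_src[src].append((ts, dst))
    for src, conns in by_src.items():
        conns.sort()
        for (t1, d1), (t2, d2) in zip(conns, conns[1:]):
            if d1 != d2 and t2 - t1 <= window:
                yield src, d1, d2

def suspected_target(records, window=1.0, min_partners=3, min_sources=2):
    """Return the local address that keeps appearing in concurrent pairs with many
    different partners, probed from many different sources; None if nothing qualifies."""
    partners, sources = defaultdict(set), defaultdict(set)
    for src, a, b in concurrent_pairs(records, window):
        partners[a].add(b); partners[b].add(a)
        sources[a].add(src); sources[b].add(src)
    hits = [(len(partners[d]), len(sources[d]), d) for d in partners
            if len(partners[d]) >= min_partners and len(sources[d]) >= min_sources]
    return max(hits)[2] if hits else None
```

Run over days of logs rather than minutes, since the post notes the probing can be spread out slowly and across many source addresses; the constant-partner address stands out even when each individual source looks innocuous.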