Penetration Testing mailing list archives
Re: port scan to juniper fw
From: aditya mukadam <aditya.mukadam () gmail com>
Date: Wed, 4 Nov 2009 14:54:01 +0530
Yes, I have verified and also have the relevant logs with me from the 'flow filter'.

Thanks,
Aditya Govind Mukadam

On Wed, Nov 4, 2009 at 2:49 PM, Chris Brenton <cbrenton () chrisbrenton org> wrote:

> On Thu, 2009-10-29 at 08:22 +0530, aditya mukadam wrote:
> > Juniper FW Anti-spoofing mechanism's logic is to check the route for the incoming SRC-IP. If the packet with SRC-IP a.b.c.d enters the firewall via interface 'X' and the route on the firewall for a.b.c.d is to interface 'Y', this packet will be dropped due to anti-spoofing because it is entering via an interface through which it is not expected to be sent back.
>
> Have you verified this? Last time I tested their anti-spoofing it didn't actually drop the packet. It would pass it through and then follow it up with a host unreachable (to the target) in order to kill the session. What was odd was the TTL would get decremented by 2. My best guess is it was the single-homed IPS code dealing with the spoofing and that was introducing an extra routing hop. I have not tested this for a few years, so they may have rewritten how they handle it. Just curious if you have checked this or if you are going by the docs.
>
> HTH,
> Chris
> --
> www.chrisbrenton.org
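As an added illustration, not part of this thread or of any Juniper code, the route-based anti-spoofing logic Aditya describes (a strict reverse-path check) modelled in Python over a constructed routing table; the interface names, prefixes and sample packets are hypothetical.

```python
import ipaddress

# Constructed routing table (hypothetical values): prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0": "untrust",
    "10.0.0.0/8": "trust",
    "192.168.10.0/24": "dmz",
}


def egress_interface(ip, routes=ROUTES):
    """Longest-prefix match: the interface the firewall would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def antispoof_check(src_ip, ingress_iface, routes=ROUTES):
    """Strict reverse-path check as described in the thread: accept the packet
    only if the route back to its source IP points at the interface it arrived on."""
    expected = egress_interface(src_ip, routes)
    if expected is None:
        return ("drop", "no route to source")
    if expected != ingress_iface:
        return ("drop", f"source {src_ip} expected on {expected}, arrived on {ingress_iface}")
    return ("pass", "reverse path matches ingress interface")


# Constructed sample packets: (source IP, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.2.3", "trust"),        # internal host on the trust side -> pass
    ("10.1.2.3", "untrust"),      # internal source arriving from outside -> spoofed, drop
    ("203.0.113.5", "untrust"),   # external source on untrust (default route) -> pass
    ("192.168.10.7", "trust"),    # DMZ source arriving on trust -> drop
]


def evaluate(packets=SAMPLE_PACKETS, routes=ROUTES):
    """Return (src, ingress, verdict, reason) for each sample packet."""
    return [(src, iface) + antispoof_check(src, iface, routes) for src, iface in packets]


if __name__ == "__main__":
    for src, iface, verdict, reason in evaluate():
        print(f"{verdict:4} src={src:14} in={iface:8} {reason}")
```

Whether a real device drops the packet outright or, as Chris observed, lets it through and tears the session down afterwards is a property of the implementation; the model above only shows the routing decision behind the verdict.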