Penetration Testing mailing list archives

Re: Some unusual network features


From: Daniel Lucq <daniel () lucq org>
Date: Thu, 15 Jan 2004 16:59:52 +0100 (CET)

On Wed, 14 Jan 2004, Alla Bezroutchko wrote:

> Paul Johnston wrote:
> > 3) Ports where the TTL is different on the SYN reply to the rest of the
> > connection. ipid's also imply that different hosts are handling the SYN
> > and the rest of the connection.
>
> I've seen that on a server behind a Cisco PIX firewall with SYN flood
> protection enabled. The firewall handles connection setup itself and
> once the handshake is complete, establishes the connection with the
> server behind it. If the handshake is not complete the server never sees
> any of it.

OpenBSD 3.4 PF also exhibits this behavior when using the SYN proxy 
feature, for instance with an OpenBSD firewall and a Windows web server 
behind it (TCP handshake would use TTL somewhat less than 64, whereas data 
packets would use TTL somewhat less than 128).

However, you can mask this by fiddling with the PF traffic normalization 
options on the firewall (specifically, the min-ttl option, and the 
random-id option; see your nearest pf.conf(5) manpage, or the manpages on 
the OpenBSD website for more information).


Regards,
Daniel
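The fingerprint the thread describes (SYN/ACK carrying one TTL and IP ID stream, the data packets of the same connection carrying another) can be checked mechanically from a capture. The script below is an added illustration for this thread, not code posted by any of its participants. It works on a constructed, inline list of packet records rather than a live capture; the record fields (src, dst, sport, dport, flags, ttl, ipid), the IP addresses and the TTL/IP ID values are all made up to model an OpenBSD synproxy (initial TTL 64, random IP ID) in front of a Windows host (initial TTL 128, incrementing IP ID), and the port-22 connection is a control that is not proxied.

```python
"""Spot a SYN-proxying device from TTL / IP ID mismatch inside one TCP connection.

Added example for the pen-test thread above; not code from the original post.
Packet records, addresses, TTLs and IP IDs are constructed inline (assumption:
they model an OpenBSD PF synproxy in front of a Windows web server).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flags as letters: "S", "SA", "A", "PA", "FA"
    ttl: int     # IP TTL as observed at the probe
    ipid: int    # IP identification field


def initial_ttl(ttl):
    """Guess the sender's initial TTL from the common defaults (32, 64, 128, 255)."""
    for base in (32, 64, 128, 255):
        if ttl <= base:
            return base
    return 255


def detect_syn_proxy(packets, server, port, ipid_window=512):
    """For every connection to server:port, compare the SYN/ACK with the
    later server->client packets.  A different TTL, or an IP ID that sits
    nowhere near the (tight) IP ID range of the later packets, suggests
    the handshake was answered by a different host than the data."""
    conns = defaultdict(list)
    for p in packets:
        if p.src == server and p.sport == port:
            conns[(p.dst, p.dport)].append(p)

    report = {}
    for conn, pkts in conns.items():
        synacks = [p for p in pkts if p.flags == "SA"]
        later = [p for p in pkts if p.flags != "SA"]
        if not synacks or not later:
            continue   # need both halves of the connection to compare
        sa = synacks[0]
        later_ttls = sorted({p.ttl for p in later})
        ttl_mismatch = any(t != sa.ttl for t in later_ttls)
        ttl_class_mismatch = any(initial_ttl(t) != initial_ttl(sa.ttl) for t in later_ttls)

        ids = sorted(p.ipid for p in later)
        # Only call the SYN/ACK an outlier when the later IDs themselves form a
        # tight (incrementing) run; random IDs everywhere tell us nothing.
        ipid_outlier = (
            len(ids) >= 2
            and ids[-1] - ids[0] <= ipid_window
            and not (ids[0] - ipid_window <= sa.ipid <= ids[-1] + ipid_window)
        )
        report[conn] = {
            "synack_ttl": sa.ttl,
            "synack_ttl_class": initial_ttl(sa.ttl),
            "later_ttls": later_ttls,
            "ttl_mismatch": ttl_mismatch,
            "ttl_class_mismatch": ttl_class_mismatch,
            "synack_ipid": sa.ipid,
            "later_ipids": ids,
            "ipid_outlier": ipid_outlier,
            "syn_proxy_suspected": ttl_mismatch or ipid_outlier,
        }
    return report


# Constructed sample (assumption): probe 5 hops from the firewall, web server
# one hop behind it.  Port 80 is synproxied, port 22 is passed straight through.
SERVER = "192.0.2.10"
PROBE = "198.51.100.7"
SAMPLE = [
    Pkt(PROBE, SERVER, 40001, 80, "S", 60, 7),
    Pkt(SERVER, PROBE, 80, 40001, "SA", 59, 49123),  # answered by PF synproxy: 64-ish TTL, random IP ID
    Pkt(PROBE, SERVER, 40001, 80, "A", 60, 8),
    Pkt(PROBE, SERVER, 40001, 80, "PA", 60, 9),      # HTTP request
    Pkt(SERVER, PROBE, 80, 40001, "A", 122, 1001),   # now the Windows box: 128-ish TTL, counter IP ID
    Pkt(SERVER, PROBE, 80, 40001, "PA", 122, 1002),
    Pkt(SERVER, PROBE, 80, 40001, "FA", 122, 1003),
    Pkt(PROBE, SERVER, 40002, 22, "S", 60, 10),
    Pkt(SERVER, PROBE, 22, 40002, "SA", 122, 1004),  # unproxied: same host handles the whole connection
    Pkt(PROBE, SERVER, 40002, 22, "A", 60, 11),
    Pkt(SERVER, PROBE, 22, 40002, "PA", 122, 1005),
    Pkt(SERVER, PROBE, 22, 40002, "FA", 122, 1006),
]

if __name__ == "__main__":
    for port in (80, 22):
        for conn, r in detect_syn_proxy(SAMPLE, SERVER, port).items():
            print(port, conn, "SYN proxy suspected" if r["syn_proxy_suspected"] else "consistent", r)
```

Feeding it real traffic means filling `SAMPLE` from a pcap (e.g. with scapy) instead of the literals above. The usage note that matters for the thread: if the firewall applies the PF scrub options mentioned (min-ttl to lift every TTL to a common floor, random-id to randomise IP IDs), both signals this script keys on disappear, so a clean result only says the operator has normalised the traffic, not that no proxy is present.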
