Re: detecting multihomed host
From: "Marcin Antkiewicz" <firewallwizards () kajtek org>
Date: Fri, 1 Aug 2008 16:30:42 -0500
> Say that someone on the outside knows all of my 20 IP addresses. Is there
> any way that this person could detect that all 20 of these IP addresses are
> bound to my one machine inside my network?
It depends. If your firewall is really just a bridge, the first router will
see one MAC address in traffic for all of the 20 IPs. There are other
indirect measurements that would hint that one physical machine uses many
addresses. For example, one can analyze tcp timestamps, and notice the same
clock skew on all IPs. Another hint would be that putting load on one IP
produces noticeable slowness of other servers.
Most new OS versions have decent IP stacks, and looking at source ports or
IP IDs is no longer a dead giveaway, but there are still a lot of details
left. PF's scrub will not catch everything, because it was written with
normalization, rather than obfuscation, in mind.
Also, there might be identifiable details left in the services you run.
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
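The TCP timestamp clock-skew check mentioned in the reply, as an added example (this is not the poster's code or anything from the list). It is written for the operator of the multihomed machine: feed it observations of your own outbound traffic, one (ip, arrival_time_seconds, tcp_timestamp_ticks) tuple per packet, and it fits each address's timestamp tick rate, expresses the result as a skew in ppm against a nominal rate, and groups addresses whose skews agree. Addresses that land in one group leak the fact that they share a clock, which is what the reply is warning about. Assumptions: a nominal tick rate of 1000 Hz (Linux's default, other stacks use 100 or 250 Hz), a 10 ppm grouping tolerance, and the sample observations, which are constructed from documentation addresses rather than captured.

```python
"""Audit whether several IP addresses expose one shared TCP timestamp clock.

Added example, not code from the firewall-wizards thread. Observations are
(ip, arrival_time_seconds, tcp_timestamp_ticks). For each IP we fit the slope
of timestamp ticks against arrival time (least squares), convert that tick
rate to a skew in parts per million relative to a nominal rate, and then
group IPs whose skews coincide. All observations below are constructed.
"""
from collections import defaultdict

NOMINAL_HZ = 1000.0    # assumed tick rate of the TCP timestamp option (Linux default)
TOLERANCE_PPM = 10.0   # assumed: skews closer than this are treated as one clock


def fit_tick_rate(observations):
    """Least-squares slope of tcp_timestamp_ticks against arrival_time_seconds.

    observations: list of (arrival_time_seconds, tcp_timestamp_ticks).
    Returns the estimated tick rate in ticks per second.
    """
    n = len(observations)
    if n < 2:
        raise ValueError("need at least two observations to fit a slope")
    mean_t = sum(t for t, _ in observations) / n
    mean_ts = sum(ts for _, ts in observations) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in observations)
    sxy = sum((t - mean_t) * (ts - mean_ts) for t, ts in observations)
    if sxx == 0:
        raise ValueError("observations must span more than one arrival time")
    return sxy / sxx


def skew_ppm(observations, nominal_hz=NOMINAL_HZ):
    """Clock skew of one address's timestamp clock, in ppm against nominal_hz."""
    return (fit_tick_rate(observations) / nominal_hz - 1.0) * 1e6


def group_by_skew(samples, tolerance_ppm=TOLERANCE_PPM):
    """Group IPs whose timestamp clocks drift at the same rate.

    samples: iterable of (ip, arrival_time_seconds, tcp_timestamp_ticks).
    Returns a list of {"skew_ppm": float, "ips": [ip, ...]} in first-seen order
    (IPs are processed in sorted order so the result is deterministic).
    """
    per_ip = defaultdict(list)
    for ip, t, ts in samples:
        per_ip[ip].append((t, ts))
    skews = {ip: skew_ppm(obs) for ip, obs in per_ip.items()}
    groups = []
    for ip in sorted(skews):
        for group in groups:
            if abs(group["skew_ppm"] - skews[ip]) <= tolerance_ppm:
                group["ips"].append(ip)
                break
        else:
            groups.append({"skew_ppm": skews[ip], "ips": [ip]})
    return groups


def make_samples(ip, true_skew_ppm, start_ticks, seconds=600, step=10):
    """Constructed observations: one packet every `step` seconds from a clock
    that runs at NOMINAL_HZ adjusted by true_skew_ppm (integer tick values)."""
    rate = NOMINAL_HZ * (1.0 + true_skew_ppm / 1e6)
    return [(ip, float(t), start_ticks + round(rate * t))
            for t in range(0, seconds + 1, step)]


# Constructed data set: three addresses bound to one machine (same clock,
# +50 ppm) and one address belonging to a different machine (-120 ppm).
CONSTRUCTED_SAMPLES = (
    make_samples("192.0.2.10", 50.0, 1_000_000)
    + make_samples("192.0.2.11", 50.0, 1_000_000)
    + make_samples("192.0.2.12", 50.0, 1_000_000)
    + make_samples("198.51.100.7", -120.0, 55_000)
)

if __name__ == "__main__":
    for group in group_by_skew(CONSTRUCTED_SAMPLES):
        flag = "SHARED CLOCK" if len(group["ips"]) > 1 else "ok"
        print(f"{group['skew_ppm']:+8.1f} ppm  {', '.join(group['ips'])}  [{flag}]")
```

In practice you would collect the tuples with a packet capture of your own traffic at the border and let the run span hours rather than minutes: skew is a slope, so the longer the baseline, the smaller the tolerance you can afford. If a group of your addresses collapses to one skew value, the mitigation options are the ones the reply hints at, such as disabling the TCP timestamp option on the exposed services or terminating the exposed addresses on different physical machines, since scrubbing on the firewall does not rewrite the timestamp clock.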