Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: detecting multihomed host
From: "K K" <kkadow () gmail com>
Date: Sat, 2 Aug 2008 00:51:22 -0500

Yes, 'pf' can scrub TCP, including TTL and IPID.  So what you are
looking for is other information leakage issues in TCP, or in the
higher level protocols, or the OS.

Issues range from information leakage through simple configuration
faults, through more complex "side channel" attacks.

Let's say you have a /24 network, and within this network, 200 active
IP addresses, which you have randomly assigned as alias IPs on 10
physical machines, each running a different OS and/or architecture.

I assume PING isn't the only protocol you have listening, so let's
also say all these IPs are listening on TCP ports 21,22, 25, 80 and
443 with the usual services, and the packet filter isn't doing any
fancy redirection or rate limiting.

An attacker might suspect you don't have 200 distinct machines
(physical or virutal), and may want to get at .W.X.Y.123, so he wants
to learn which other IP addresses share the same OS.

If you're just doing simple IP aliasing in the OS, rather than full
virtual machines, an example of a configuration fault might be as
simple as the OS choosing a default "base" IP address when it
generates a new outbound packet.  So for example, I might notice that
when I make TCP/25 connections to each of the 200 different
destination IP addresses, a reverse DNS lookup is done against my
source, but I only see 10 unique source IP addresses on these queries.

Or the machines may have different versions of Apache, SSHd or OpenSSL.

A side-channel approach might be to sequentially measure the response
time of each of the 200 IP addresses for an "expensive" operation
(e.g. negotiating SSL. or a complex HTTP transaction), establishing
baselines for each IP.

Then repeat the test, but make the the requests two at a time,
choosing two random pairs of IP addresses out of the 200.

Finally, repeat the test a third time,  again two at a time, one of
the two always being  the target (W.X.Y.123) and the second being one
of the other 199 active addresses.

All of the above can be done slowly, over a period of several days,
and from a wide variety of source addresses to evade trivial detection
by IPS or log analysis.  One possibility to mitigate this exposure is
to use higher level proxies instead of a bridging firewall.


(P.S. The term "multihome" usually means a host with multiple NICs,
each one on a different network,  the situation you describe, a host
with many aliases on a single NIC, is a different beast, but I don't
know the best name for it.)
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]