Re: detecting multihomed host
From: alexander lind <malte () webstay org>
Date: Sat, 2 Aug 2008 19:10:25 -0700
On Aug 1, 2008, at 10:51 PM, K K wrote:
> Finally, repeat the test a third time, again two at a time, one of
> the two always being the target (W.X.Y.123) and the second being one
> of the other 199 active addresses.

Very interesting read. Thank you for laying it out for me.
Now if we pretend you are the attacker that wants to gather this
information on my network, could you think of any ways to do it still
if I closed down _all_ services on the machines behind the NAT?

> All of the above can be done slowly, over a period of several days,
> and from a wide variety of source addresses to evade trivial detection
> by IPS or log analysis. One possibility to mitigate this exposure is
> to use higher level proxies instead of a bridging firewall.

Can you elaborate a little bit on what you mean by higher level

> (P.S. The term "multihome" usually means a host with multiple NICs,
> each one on a different network, the situation you describe, a host
> with many aliases on a single NIC, is a different beast, but I don't
> know the best name for it.)

I stand corrected. What if I create virtual interfaces with faked MAC
addresses, would you call that multihoming?
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com