Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: detecting multihomed host
From: alexander lind <malte () webstay org>
Date: Sat, 2 Aug 2008 19:10:25 -0700

On Aug 1, 2008, at 10:51 PM, K K wrote:

Finally, repeat the test a third time,  again two at a time, one of
the two always being  the target (W.X.Y.123) and the second being one
of the other 199 active addresses.

Very interesting read. Thank you for laying it out for me.
Now if we pretend you are the attacker that wants to gather this information on my network, could you think of any ways to do it still if I closed down _all_ services on the machines behind the NAT?

All of the above can be done slowly, over a period of several days,
and from a wide variety of source addresses to evade trivial detection
by IPS or log analysis.  One possibility to mitigate this exposure is
to use higher level proxies instead of a bridging firewall.

Can you elaborate a little bit on what you mean by higher level proxies please?

(P.S. The term "multihome" usually means a host with multiple NICs,
each one on a different network,  the situation you describe, a host
with many aliases on a single NIC, is a different beast, but I don't
know the best name for it.)

I stand corrected. What if I create virtual interfaces with faked MAC addresses, would you call that multihoming?

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]