IDS mailing list archives

RE: IDS bypassing
From: "charles lindsay" <frostbackeng () lycos com>
Date: Mon, 30 Dec 2002 14:56:16 -0500

Could you be more explicit as to which NAT devices support this evasion technique?

All NAT/PAT devices I am familiar with are either complete TCP proxies, in which case they verify the checksum coming in and then re-calculate it as it goes out, or they only implement the "quick-update" algorithm (RFC 1624 et alia). In the first case, your evil packets get dropped at the first NAT; in the second case, they always have an incorrect checksum.


================ On Sun 12/29/02 at 6:44 PM ========================
============== Ed3f [ed3f () overminder com] spake: =====================

Systems Affected

     NAT/PAT/load_balancing/packet_manipulation implementations

Overview

     Multiple vendors' implementations of NAT/PAT/load_balancing/packet_manipulation
     calculate level 4 checksum from scratch.

<< snip>>
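
Added example, not part of either poster's message: a Python sketch of the three NAT behaviours discussed in this thread, using constructed addresses and a dummy segment, with hypothetical function names and the checksum carried separately from the segment bytes as a simplification. It shows that an RFC 1624 incremental update keeps a bad checksum bad, a verifying proxy drops the packet, and only a from-scratch recalculation without verification makes a corrupt segment look valid downstream.

```python
import socket
import struct

def fold(total):
    """Fold carries back in (one's-complement addition, RFC 1071)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ones_sum(src, dst, segment):
    """Sum over the TCP pseudo-header plus segment (checksum field zeroed)."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    return fold(sum(struct.unpack(f"!{len(data) // 2}H", data)))

def checksum(src, dst, segment):
    return ~ones_sum(src, dst, segment) & 0xFFFF

def is_valid(src, dst, segment, hc):
    """Receiver check: data plus checksum must sum to 0xFFFF."""
    return fold(ones_sum(src, dst, segment) + hc) == 0xFFFF

def nat_incremental(hc, old_src, new_src):
    """RFC 1624 eqn. 3 per changed 16-bit word: HC' = ~(~HC + ~m + m')."""
    total = ~hc & 0xFFFF
    for m, m2 in zip(struct.unpack("!2H", old_src), struct.unpack("!2H", new_src)):
        total += (~m & 0xFFFF) + m2
    return ~fold(total) & 0xFFFF

def nat_verifying_proxy(hc, old_src, new_src, dst, segment):
    """Verify inbound, recompute outbound; None means the packet is dropped."""
    valid = is_valid(old_src, dst, segment, hc)
    return checksum(new_src, dst, segment) if valid else None

def demo():
    # Constructed sample values: private/documentation addresses, dummy segment.
    inside, outside, dst = map(socket.inet_aton, ("10.0.0.5", "192.0.2.1", "198.51.100.7"))
    segment = b"constructed sample TCP segment bytes"
    good = checksum(inside, dst, segment)
    ok = lambda c: is_valid(outside, dst, segment, c)  # what the far end sees
    results = {}
    for label, hc in (("good", good), ("bad", good ^ 0x0101)):
        proxy = nat_verifying_proxy(hc, inside, outside, dst, segment)
        results[label] = {
            "incremental": ok(nat_incremental(hc, inside, outside)),
            "recompute": ok(checksum(outside, dst, segment)),  # inbound hc ignored
            "proxy": proxy is not None and ok(proxy),
        }
    return results
```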




