Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: port scan to juniper fw
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Wed, 04 Nov 2009 04:19:39 -0500

On Thu, 2009-10-29 at 08:22 +0530, aditya mukadam wrote:

Juniper FW Anti-spoofing mechnism's logic is to check the
route for the incoming SRC-IP. If the packet with SRC-IP a.b.c.d
enters firewall via interface 'X' and the route on the firewall for
a.b.c.d is to interface 'Y, this packet will be dropped due to
anti-spoofing because it is entering via an interface through which it
is not expected to be sent back.

Have you verified this? Last time I tested their anti-spoofing it didn't
actually drop the packet. It would pass it through and then follow it up
with a host unreachable (to the target) in order to kill the session.

What was odd was the TTL would get decremented by 2. My best guess is it
was the single honed IPS code dealing with the spoofing and that was
introducing an extra routing hop.

I have not tested this for a few years, so they may have rewritten how
they handle it. Just curious if you have checked this or if you are
going by the docs.

HTH,
Chris
-- 
www.chrisbrenton.org


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]