Home page logo

pen-test logo Penetration Testing mailing list archives

Re: port scan to juniper fw
From: aditya mukadam <aditya.mukadam () gmail com>
Date: Wed, 4 Nov 2009 14:54:01 +0530

Yes, I have verified and also have the relevant logs with me from the
'flow filter' .

Aditya Govind Mukadam

On Wed, Nov 4, 2009 at 2:49 PM, Chris Brenton <cbrenton () chrisbrenton org> wrote:

On Thu, 2009-10-29 at 08:22 +0530, aditya mukadam wrote:

Juniper FW Anti-spoofing mechnism's logic is to check the
route for the incoming SRC-IP. If the packet with SRC-IP a.b.c.d
enters firewall via interface 'X' and the route on the firewall for
a.b.c.d is to interface 'Y, this packet will be dropped due to
anti-spoofing because it is entering via an interface through which it
is not expected to be sent back.

Have you verified this? Last time I tested their anti-spoofing it didn't
actually drop the packet. It would pass it through and then follow it up
with a host unreachable (to the target) in order to kill the session.

What was odd was the TTL would get decremented by 2. My best guess is it
was the single honed IPS code dealing with the spoofing and that was
introducing an extra routing hop.

I have not tested this for a few years, so they may have rewritten how
they handle it. Just curious if you have checked this or if you are
going by the docs.


This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]