IDS mailing list archives

RE: IDS bypassing


From: "charles lindsay" <frostbackeng () lycos com>
Date: Mon, 30 Dec 2002 14:56:16 -0500

Could you be more explicit as to which NAT devices support this evasion technique?

All NAT/PAT devices I am familiar with are either complete TCP proxies, in which case they verify the checksum coming in, and then re-calculate it as it goes out, or they only implement the "quick-update" algorithm (RFC 1624 et alia). In the first case, your evil packets get dropped at the first NAT; in the second case, they always have an incorrect checksum.


================ On Sun 12/29/02 at 6:44 PM ========================
============== Ed3f [ed3f () overminder com] spake: =====================

Systems Affected

     NAT/PAT/load_balancing/packet_manipulation implementations

Overview

     Multiple vendors' implementations of
     NAT/PAT/load_balancing/packet_manipulation calculate level 4
     checksum from scratch.

<< snip>>
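
The two behaviours described in the reply (verify-then-recompute proxy, RFC 1624 incremental update) next to the from-scratch recalculation named in the quoted advisory, as an added example that is not code from this thread or from any vendor. The segment words, the mode names and all function names are constructed for illustration.

```python
# Added illustration; packet words, mode names and function names are constructed.

def fold(s):
    """Fold carries back in (one's-complement addition on 16 bits)."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def checksum(words):
    """Internet checksum computed from scratch over 16-bit words."""
    return ~fold(sum(words)) & 0xFFFF

def verifies(words, hc):
    """Receiver-side check: data plus checksum must fold to 0xFFFF."""
    return fold(sum(words) + hc) == 0xFFFF

def incremental_update(hc, old, new):
    """RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m') for one changed word m -> m'."""
    return ~fold((~hc & 0xFFFF) + (~old & 0xFFFF) + new) & 0xFFFF

def nat_rewrite(words, hc, idx, new_word, mode):
    """Rewrite words[idx]; return (words, checksum), or None if dropped."""
    out = list(words)
    out[idx] = new_word
    if mode == "proxy":        # verify inbound, recompute outbound
        return (out, checksum(out)) if verifies(words, hc) else None
    if mode == "incremental":  # quick update: an existing error is carried through
        return out, incremental_update(hc, words[idx], new_word)
    if mode == "scratch":      # recompute without verifying first
        return out, checksum(out)
    raise ValueError(mode)

def outcome(words, hc, mode):
    """What the host behind the NAT sees: 'dropped', 'valid' or 'invalid'."""
    result = nat_rewrite(words, hc, 0, 0x0A00, mode)  # translate first address word
    if result is None:
        return "dropped"
    return "valid" if verifies(*result) else "invalid"

# Constructed segment: address words, protocol/length, ports, payload.
SEGMENT = [0xC0A8, 0x0001, 0xC633, 0x6407, 0x0006, 0x0014, 0x1234, 0x0050, 0xDEAD, 0xBEEF]
GOOD = checksum(SEGMENT)
BAD = GOOD ^ 0x0001  # deliberately wrong checksum

if __name__ == "__main__":
    for mode in ("proxy", "incremental", "scratch"):
        print(f"{mode:12} good->{outcome(SEGMENT, GOOD, mode):8} bad->{outcome(SEGMENT, BAD, mode)}")
```

Only the "scratch" mode hands the inside host a valid checksum for a segment that arrived with an invalid one, so that is the case to cover when testing a translation device placed between a sensor and the hosts it protects.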




