Re: [fw-wiz] detecting multihomed host - Firewalls


Thread: Re: [fw-wiz] detecting multihomed host

  1. Re: [fw-wiz] detecting multihomed host

    On 7/14/08, alexander lind wrote:
    > Say that someone on the outside knows all of my 20 IP addresses. Is there
    > any way that this person could detect that all 20 of these IP addresses are
    > bound to my one machine inside my network?


    Yes, there are ways, some easier than others.

    Look at the various papers on enumerating hosts behind a NAT gateway;
    think of this as a sort of backwards variation on that question.

    Kevin
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailma...rewall-wizards


  2. Re: [fw-wiz] detecting multihomed host

    On Aug 1, 2008, at 8:47 PM, K K wrote:
    > On 7/14/08, alexander lind wrote:
    >> Say that someone on the outside knows all of my 20 IP addresses. Is
    >> there
    >> any way that this person could detect that all 20 of these IP
    >> addresses are
    >> bound to my one machine inside my network?

    >
    > Yes, there are ways, some easier than others.
    >
    > Look at the various papers on enumerating hosts behind a NAT gateway,
    > think of this as a sort of backwards variation on that question.


    I have read up on what I could find about this, and it seems to me
    that the only really generic techniques to enumerate hosts behind the
    NAT rely on looking at the TTL field in the TCP packet. OpenBSD's PF
    can reset and/or randomize this field with its 'scrub' directive, so
    it seems to me this vulnerability would be blocked.

    If you know of any other ways to detect a multihomed host behind a
    NAT, can you give me any other hints for what to google on?

    Alec

    >
    >
    > Kevin




  3. Re: [fw-wiz] detecting multihomed host

    Yes, 'pf' can scrub TCP, including TTL and IPID. So what you are
    looking for is other information leakage issues in TCP, or in the
    higher level protocols, or the OS.

    Issues range from information leakage through simple configuration
    faults, through more complex "side channel" attacks.


    Let's say you have a /24 network, and within this network, 200 active
    IP addresses, which you have randomly assigned as alias IPs on 10
    physical machines, each running a different OS and/or architecture.

    I assume PING isn't the only protocol you have listening, so let's
    also say all these IPs are listening on TCP ports 21,22, 25, 80 and
    443 with the usual services, and the packet filter isn't doing any
    fancy redirection or rate limiting.

    An attacker might suspect you don't have 200 distinct machines
    (physical or virtual), and may want to get at .W.X.Y.123, so he wants
    to learn which other IP addresses share the same OS.

    If you're just doing simple IP aliasing in the OS, rather than full
    virtual machines, an example of a configuration fault might be as
    simple as the OS choosing a default "base" IP address when it
    generates a new outbound packet. So for example, I might notice that
    when I make TCP/25 connections to each of the 200 different
    destination IP addresses, a reverse DNS lookup is done against my
    source, but I only see 10 unique source IP addresses on these queries.

    Or the machines may have different versions of Apache, SSHd or OpenSSL.


    A side-channel approach might be to sequentially measure the response
    time of each of the 200 IP addresses for an "expensive" operation
    (e.g. negotiating SSL, or a complex HTTP transaction), establishing
    baselines for each IP.

    Then repeat the test, but make the requests two at a time,
    choosing two random pairs of IP addresses out of the 200.

    Finally, repeat the test a third time, again two at a time, one of
    the two always being the target (W.X.Y.123) and the second being one
    of the other 199 active addresses.


    All of the above can be done slowly, over a period of several days,
    and from a wide variety of source addresses to evade trivial detection
    by IPS or log analysis. One possibility to mitigate this exposure is
    to use higher level proxies instead of a bridging firewall.


    Kevin

    (P.S. The term "multihome" usually means a host with multiple NICs,
    each one on a different network; the situation you describe, a host
    with many aliases on a single NIC, is a different beast, but I don't
    know the best name for it.)
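    The two posts above mention pf's 'scrub' directive as the way to stop
    the TTL and IP-ID fields from giving away which aliases share a kernel.
    The fragment below is an added illustration, not configuration from
    anyone in this thread; it uses the pre-OpenBSD-4.6 / FreeBSD pf.conf
    'scrub' rule syntax, and the interface name $ext_if and the TTL value
    128 are assumptions chosen for the example.

```conf
# Weak: a bare scrub rule only reassembles fragments. Outbound packets keep
# the kernel's own initial TTL (64 on the BSDs and Linux, 128 on Windows) and
# its IP-ID sequence, so every alias on one box carries the same signature.
scrub in on $ext_if all

# Normalised: rewrite both fields that the thread says are used to group
# aliases. 'random-id' replaces the IP identification field with random
# values on every non-fragmented packet; 'min-ttl 128' raises any lower
# initial TTL to 128, so a BSD box and a Windows box behind the same gateway
# present the same TTL distance to an outside observer. Applying it on the
# 'out' direction is what matters for replies sent to the outside.
scrub out on $ext_if all random-id min-ttl 128
scrub in  on $ext_if all fragment reassemble
```

    Note that this only flattens the two header fields named in the thread.
    The application-level and timing differences Kevin describes in his
    next reply (service banners, OpenSSL versions, shared-CPU response times)
    are untouched by packet normalisation and still need to be handled at
    the proxy or host level.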


  4. Re: [fw-wiz] detecting multihomed host

    On Aug 1, 2008, at 10:51 PM, K K wrote:

    >
    > Finally, repeat the test a third time, again two at a time, one of
    > the two always being the target (W.X.Y.123) and the second being one
    > of the other 199 active addresses.


    Very interesting read. Thank you for laying it out for me.
    Now if we pretend you are the attacker that wants to gather this
    information on my network, could you think of any ways to do it still
    if I closed down _all_ services on the machines behind the NAT?

    >
    >
    >
    > All of the above can be done slowly, over a period of several days,
    > and from a wide variety of source addresses to evade trivial detection
    > by IPS or log analysis. One possibility to mitigate this exposure is
    > to use higher level proxies instead of a bridging firewall.


    Can you elaborate a little bit on what you mean by higher level
    proxies please?

    >
    > (P.S. The term "multihome" usually means a host with multiple NICs,
    > each one on a different network, the situation you describe, a host
    > with many aliases on a single NIC, is a different beast, but I don't
    > know the best name for it.)



    I stand corrected. What if I create virtual interfaces with faked MAC
    addresses, would you call that multihoming?

    Thanks
    Alec


  5. Re: [fw-wiz] detecting multihomed host

    On Aug 2, 2008, at 7:10 PM, alexander lind wrote:
    > I stand corrected. What if I create virtual interfaces with faked
    > MAC addresses, would you call that multihoming?


    Nope. The original meaning is that a multihomed machine has two (or
    more) physical network interfaces which are connected to distinct
    network subnets or collision domains. Virtual interfaces don't count,
    nor would various forms of link aggregation like Cisco's EtherChannel
    or IEEE 802.3ad LACP.

    --
    -Chuck


