cyberpixl wrote:
> Well, what I meant was what if I use the network's router as a bounce
> host in order to get the packets into the network?
>
> If an ICMP packet arrives at the router's WAN port with a source IP of an
> internal host, will it send the echo reply to its LAN port?

Yes. Lacking proper anti-spoof ingress filtering, this will work.

> I currently haven't got the chance to test this, but I will as soon as
> I can. Then, in order to receive replies from the host behind the
> firewall, all I'd have to do is make it send packets to a bounce server
> outside the network, like google.com, with source set to my IP
> (assuming then that the router freely allows ICMP traffic out
> of the network).

Yes, lacking proper anti-spoof egress filtering, this will work. A correctly configured firewall should reject such packets on several grounds, even if ICMP is permitted by policy.

On Wed, 02 Feb 2005 13:02:07 -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Also, packet filtering is based on router configuration. More and more
> > administrators are filtering packets with unexpected source and/or
> > destination addresses (ingress and egress filtering).

Proper ingress and egress filtering at all edge routers is critical for security. Rarely do I find a small site blocking outbound traffic based on the source IP. While "non-routable" *destination* addresses should not make it across the Internet, it is common for unroutable source addresses to be seen on inbound packets coming from the Internet.

> The number of sites doing proper filtering may be growing, but it's certainly
> still low enough that the attack still has a fairly high chance of working.

With a growing number of ISPs implementing Reverse Path Forwarding (aka "Unicast RPF") on all customer connections, it should become more difficult to inject spoofed traffic through reputable providers.

Kevin
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
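The two bounce steps discussed in the thread, modelled as an added example (this is not code from the thread or from any router vendor). It contrasts destination-only forwarding, which lets both spoofed packets through, with the anti-spoof ingress/egress checks and strict unicast RPF the replies call for. The topology (LAN 192.168.1.0/24 behind interface "lan", default route via "wan"), the attacker address 198.51.100.7, the bounce server 203.0.113.9 and every packet are constructed for the example.

```python
"""Forwarding decisions on a small edge router, with and without anti-spoof filtering.

Constructed topology (an assumption for this example, not taken from the thread):
  lan : 192.168.1.0/24   internal hosts
  wan : 0.0.0.0/0        the Internet
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Routing table as (prefix, egress interface); longest prefix wins.
ROUTES = [
    (LAN_NET, "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

# Source prefixes that should never arrive from the Internet (RFC 1918, loopback, "this" net).
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str = "icmp"


def route_lookup(addr: str) -> str:
    """Longest-prefix match: the interface this router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = max((net for net, _ in ROUTES if ip in net), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]


def naive_forward(pkt: Packet) -> str:
    """Destination-only forwarding: a router with no anti-spoof filtering at all."""
    return route_lookup(pkt.dst)


def urpf_strict(pkt: Packet) -> bool:
    """Strict unicast RPF: the source must be reachable *via the interface it arrived on*."""
    return route_lookup(pkt.src) == pkt.iface


def ingress_filter(pkt: Packet) -> Optional[str]:
    """Anti-spoof checks for traffic arriving on the WAN side; returns a drop reason or None."""
    src = ipaddress.ip_address(pkt.src)
    if src in LAN_NET:
        return "drop: internal source address arriving from the Internet"
    if any(src in b for b in BOGONS):
        return "drop: bogon source address"
    if not urpf_strict(pkt):
        return "drop: fails strict uRPF"
    return None


def egress_filter(pkt: Packet) -> Optional[str]:
    """Anti-spoof checks for traffic leaving the LAN side; returns a drop reason or None."""
    if ipaddress.ip_address(pkt.src) not in LAN_NET:
        return "drop: outbound packet with a non-local source address"
    if not urpf_strict(pkt):
        return "drop: fails strict uRPF"
    return None


def filtered_forward(pkt: Packet) -> str:
    """Forwarding decision once ingress/egress anti-spoof filtering is in place."""
    verdict = ingress_filter(pkt) if pkt.iface == "wan" else egress_filter(pkt)
    return verdict if verdict else naive_forward(pkt)


# Constructed packets (assumptions): the thread's two bounce steps plus legitimate traffic.
ATTACK_IN = Packet("wan", src="192.168.1.10", dst="192.168.1.20")   # step 1: echo from outside, spoofed internal source
BOUNCE_OUT = Packet("lan", src="198.51.100.7", dst="203.0.113.9")   # step 2: inside host sends with attacker's IP as source
LEGIT_OUT = Packet("lan", src="192.168.1.10", dst="203.0.113.9")
LEGIT_IN = Packet("wan", src="203.0.113.9", dst="192.168.1.10")

if __name__ == "__main__":
    for name, pkt in (("attack in", ATTACK_IN), ("bounce out", BOUNCE_OUT),
                      ("legit out", LEGIT_OUT), ("legit in", LEGIT_IN)):
        print(f"{name:11s} naive -> {naive_forward(pkt):4s} | filtered -> {filtered_forward(pkt)}")
```

With destination-only forwarding both attack packets are forwarded (the spoofed echo reaches the LAN, and the internal host's reply with the attacker's source leaves via the WAN), which is exactly the weakness the thread describes; once the edge router checks sources against the arrival interface, each step is dropped on its own, so the attack needs both filters to be absent.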
