Re: [fw-wiz] detecting multihomed host



Say that someone on the outside knows all of my 20 IP addresses. Is there
any way that this person could detect that all 20 of these IP addresses are
bound to my one machine inside my network?


Alec,

it depends. If your firewall is really just a bridge, the first router will
see one MAC address in traffic for all of the 20 IPs. There are other
indirect measurements that would hint that one physical machine uses many
addresses. For example, one can analyze TCP timestamps, and notice the same
clock skew on all IPs. Another hint would be that putting load on one IP
produces noticeable slowness of other servers.

Most new OS versions have decent IP stacks, and looking at source ports or
IP IDs is no longer a dead giveaway, but there are still a lot of details
left. PF's scrub will not catch everything, because it was written with
normalization, rather than obfuscation, in mind.

Also, there might be identifiable details left in the services you run.

--
Marcin Antkiewicz
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
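The TCP-timestamp check Marcin mentions, as an added example that is not part of his mail: a self-audit script that fits the clock skew of each of your own addresses from captured TSval samples and groups addresses whose skew matches, so you can see whether your multihomed host is identifiable this way. The probe data, the 1000 Hz tick rate and the 5 ppm grouping tolerance are constructed assumptions; the fit is ordinary least squares rather than the linear-programming bound used in the literature.

```python
"""Self-audit: do several of my IPs betray one shared TCP clock?

A sample is (observer wall-clock seconds, TSval from the TCP timestamp
option). Per IP we fit how the remote counter drifts against our clock.
"""
from typing import Dict, List, Tuple

Sample = Tuple[float, int]
TS_MOD = 1 << 32  # TSval is a 32-bit counter and wraps around


def unwrap_tsvals(tsvals: List[int]) -> List[int]:
    """Undo 32-bit wraparound so the counter is monotonic."""
    out, acc = [tsvals[0]], tsvals[0]
    for prev, cur in zip(tsvals, tsvals[1:]):
        acc += (cur - prev) % TS_MOD
        out.append(acc)
    return out


def estimate_skew(samples: List[Sample], hz: int) -> float:
    """Slope of (remote elapsed - local elapsed) versus local elapsed.
    1e-4 means the remote clock gains 100 ppm on ours."""
    t0, ts = samples[0][0], unwrap_tsvals([s[1] for s in samples])
    xs = [t - t0 for t, _ in samples]
    ys = [(v - ts[0]) / hz - x for v, x in zip(ts, xs)]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    var = sum((x - mx) ** 2 for x in xs)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var


def group_by_skew(skews: Dict[str, float], tol: float = 5e-6) -> List[List[str]]:
    """Cluster IPs whose estimated skews lie within `tol` of each other."""
    groups: List[List[str]] = []
    for ip in sorted(skews, key=skews.get):
        if groups and skews[ip] - skews[groups[-1][-1]] <= tol:
            groups[-1].append(ip)
        else:
            groups.append([ip])
    return groups


def make_samples(base: int, hz: int, skew: float, n: int = 61, step: int = 10) -> List[Sample]:
    """Constructed probe data: a remote counter ticking at hz*(1+skew)."""
    return [(float(k * step), (base + round(k * step * hz * (1 + skew))) % TS_MOD) for k in range(n)]


# Constructed: .10 and .11 share one clock (+100 ppm), .20 is a different box.
CONSTRUCTED = {
    "192.0.2.10": make_samples(7_000_000, 1000, 1e-4),
    "192.0.2.11": make_samples(TS_MOD - 3000, 1000, 1e-4),  # wraps in-run
    "192.0.2.20": make_samples(42_000, 1000, -2e-4),
}


def audit(probes: Dict[str, List[Sample]], hz: int = 1000) -> List[List[str]]:
    return group_by_skew({ip: estimate_skew(s, hz) for ip, s in probes.items()})
```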

