Re: [fw-wiz] detecting multihomed host

Yes, 'pf' can scrub TCP, including TTL and IPID. So what you are
looking for is other information leakage issues in TCP, or in the
higher level protocols, or the OS.

Issues range from information leakage through simple configuration
faults, through more complex "side channel" attacks.

Let's say you have a /24 network, and within this network, 200 active
IP addresses, which you have randomly assigned as alias IPs on 10
physical machines, each running a different OS and/or architecture.

I assume PING isn't the only protocol you have listening, so let's
also say all these IPs are listening on TCP ports 21,22, 25, 80 and
443 with the usual services, and the packet filter isn't doing any
fancy redirection or rate limiting.

An attacker might suspect you don't have 200 distinct machines
(physical or virtual), and may want to get at .W.X.Y.123, so he wants
to learn which other IP addresses share the same OS.

If you're just doing simple IP aliasing in the OS, rather than full
virtual machines, an example of a configuration fault might be as
simple as the OS choosing a default "base" IP address when it
generates a new outbound packet. So for example, I might notice that
when I make TCP/25 connections to each of the 200 different
destination IP addresses, a reverse DNS lookup is done against my
source, but I only see 10 unique source IP addresses on these queries.

Or the machines may have different versions of Apache, SSHd or OpenSSL.

A side-channel approach might be to sequentially measure the response
time of each of the 200 IP addresses for an "expensive" operation
(e.g. negotiating SSL, or a complex HTTP transaction), establishing
baselines for each IP.

Then repeat the test, but make the requests two at a time,
choosing two random pairs of IP addresses out of the 200.

Finally, repeat the test a third time, again two at a time, one of
the two always being the target (W.X.Y.123) and the second being one
of the other 199 active addresses.

All of the above can be done slowly, over a period of several days,
and from a wide variety of source addresses to evade trivial detection
by IPS or log analysis. One possibility to mitigate this exposure is
to use higher level proxies instead of a bridging firewall.


(P.S. The term "multihome" usually means a host with multiple NICs,
each one on a different network; the situation you describe, a host
with many aliases on a single NIC, is a different beast, but I don't
know the best name for it.)
firewall-wizards mailing list
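The configuration fault described in the post (the OS picking one "base" address as the source of the reverse-DNS lookup it makes after an inbound TCP/25 connection) is the easiest of these leaks to audit from the defending side. What follows is an added example, not code from the original post nor from pf: it reads constructed log lines in an assumed format, pairs each inbound alias with the source address the host then used for its outbound query, and reports which aliases are exposed as sharing a host. The 192.0.2.0/24 prefix (standing in for the post's W.X.Y.0/24), the log format, and all function names are assumptions for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the aliased /24 from the post, written with a documentation prefix.
ALIAS_NET = ip_network("192.0.2.0/24")

# Constructed sample log. The format is an assumption for this example: one line
# per inbound TCP/25 connection, recording the alias it hit and the source address
# the host then used for its reverse-DNS query. It is not pf's own log format.
SAMPLE_LOG = """\
inbound dst=192.0.2.123 dport=25 ; dns-query src=192.0.2.10 to=198.51.100.53
inbound dst=192.0.2.45  dport=25 ; dns-query src=192.0.2.10 to=198.51.100.53
inbound dst=192.0.2.77  dport=25 ; dns-query src=192.0.2.20 to=198.51.100.53
inbound dst=192.0.2.200 dport=25 ; dns-query src=192.0.2.20 to=198.51.100.53
inbound dst=192.0.2.9   dport=25 ; dns-query src=192.0.2.9  to=198.51.100.53
inbound dst=192.0.2.10  dport=25 ; dns-query src=192.0.2.10 to=198.51.100.53
"""

LINE_RE = re.compile(r"inbound dst=(\S+)\s+dport=25 ; dns-query src=(\S+)")


def parse_log(text):
    """Return (inbound alias, outbound source) pairs for lines in the assumed format,
    keeping only inbound addresses that belong to the aliased range."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dst, src = ip_address(m.group(1)), ip_address(m.group(2))
        if dst in ALIAS_NET:
            pairs.append((dst, src))
    return pairs


def group_by_source(pairs):
    """Map each outbound source address to the set of aliases whose inbound
    connections it answered for."""
    groups = defaultdict(set)
    for dst, src in pairs:
        groups[src].add(dst)
    return groups


def leaked_groups(text):
    """Return {base_ip: [aliases]} for every base address that made queries on
    behalf of more than one alias. Each group is a set of aliases an outside
    observer could tell share one host; a correctly bound alias answers only
    for itself and never appears here."""
    groups = group_by_source(parse_log(text))
    return {
        str(src): [str(a) for a in sorted(aliases)]
        for src, aliases in groups.items()
        if len(aliases) > 1
    }


def leak_summary(text):
    """Return (distinct aliases seen, distinct outbound sources seen). A source
    count well below the alias count is the signature of the base-address leak."""
    pairs = parse_log(text)
    return len({d for d, _ in pairs}), len({s for _, s in pairs})


if __name__ == "__main__":
    aliases, sources = leak_summary(SAMPLE_LOG)
    print(f"{aliases} aliases answered from {sources} source addresses")
    for base, members in leaked_groups(SAMPLE_LOG).items():
        print(f"  {base} reveals: {', '.join(members)}")
```

Run against your own outbound logs (resolver, firewall, or a capture on the outside interface) rather than the constructed sample; any group with more than one member is an alias set the post's attacker learns for free, and the fix is to bind the reply-side source address to the alias that received the connection or to move the service behind a proxy, as the post suggests.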
