Re: [Full-disclosure] hiding routers





Hello Kristian

I did some implementation of "transparent firewalls"
on Linux.

Usually it wasn't a router, but was placed at the entry
point of networks just after the router.

ebtables on Linux can explain how it is done:
http://ebtables.sourceforge.net/

The firewalls didn't have any IP addresses and were
acting as bridges with filtering capabilities.

I cannot tell if it is a common setup, but it was a lot
harder to "find" the firewall, almost impossible if
you aren't on the same IP segment. This box would not touch
the TTL field like you describe below.

These configurations currently work perfectly, I would
recommend it. It won't "break tcp/ip and error conditions"
if you understand and configure ebtables correctly.

Hope that helps

Maxime Ducharme



-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Kristian
Hermansen
Sent: 18 April 2007 04:25
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] hiding routers

I brought this question up on another mailing list, but didn't get any
good answers...

How common is it that a router does not decrement the TTL of packets,
such that it is unable to be identified using traceroute? Choosing
not to decrement the TTL causes the next router to appear as the hop,
but the current router to remain hidden. How does one commonly
identify such hidden routers in an automated fashion? And is it
policy for any organizations to actually do this, or only with certain
packet types?

The responses I got were along the lines of "don't do that, it breaks
tcp/ip and error conditions". However, I am still interested in how
likely an organization is to try something like this for both
legitimate and illegitimate purposes.
--
Kristian Hermansen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
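
An address-less filtering bridge of the kind described in the reply above, sketched as an added example; it is not part of the original thread and is not the poster's configuration. The names br0, eth0 and eth1 and the ARP/IPv4-only forwarding policy are assumptions.

```shell
#!/bin/sh
# Added example: plan for a "transparent" (layer-2) filtering bridge.
# Frames are bridged, not routed, so the IP TTL is never decremented and
# the box has no address for a traceroute probe to elicit a reply from.

BRIDGE=br0     # assumption: bridge device name
OUTSIDE=eth0   # assumption: port facing the upstream router
INSIDE=eth1    # assumption: port facing the protected segment

# Print the commands in the order they should be applied.
bridge_plan() {
    cat <<EOF
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
ip link add name $BRIDGE type bridge
ip link set dev $OUTSIDE master $BRIDGE
ip link set dev $INSIDE master $BRIDGE
ip addr flush dev $OUTSIDE
ip addr flush dev $INSIDE
ip addr flush dev $BRIDGE
ebtables -P INPUT DROP
ebtables -P OUTPUT DROP
ebtables -P FORWARD DROP
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A FORWARD -p IPv4 -j ACCEPT
ip link set dev $OUTSIDE up
ip link set dev $INSIDE up
ip link set dev $BRIDGE up
EOF
}
# Notes on the plan:
#  - IPv6 is disabled first so no link-local address is auto-assigned.
#  - INPUT/OUTPUT DROP: the bridge host neither accepts nor emits frames.
#  - FORWARD DROP plus two ACCEPT rules: only ARP and IPv4 cross the bridge.
#  - Policies are loaded before the links come up, so nothing is forwarded
#    unfiltered during start-up.

# Review the plan first; "sh bridge.sh apply" (as root) executes it.
if [ "${1:-}" = "apply" ]; then
    bridge_plan | sh -e
fi
```

With INPUT set to DROP the box cannot be managed over these interfaces, so administration needs a console or a separate management port.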

