Re: Just want to keep the crap out!!



"Volker Birk" <bumens@xxxxxxxxxxx> wrote in message
news:442837c3@xxxxxxxxxxxxxxxxxx

Just send packets with spoofed sender's addresses.

You're going to have to either physically tap into a
line somewhere, compromise an ISP router/switch, or possibly hack a
cable modem.

No. Nothing like this is needed.

An example for dynamic NAT:

To insert packets into the internal network behind NAT, you're just sending
packages to the ports on the external interface of a NAT router, which seem
to belong to connections NATed by the router. Usually, this is a fixed range
of ports you have to try out.

An example for static NAT:

To insert a packet, which seems to come from inside, just spoof an IP
address like 192.168.0.1 for sender's IP address. Then you can insert
packages, which seem to come from inside.

Both are very dangerous for UDP based protocols, of course. They are
dangerous, too, for weak TCP implementations like the one from older Windows
versions.


On what device have you found this to be true?

Most modern implementations are smart enough to prevent this type of
spoofing from occurring because they maintain a state of knowing that the
IPs specified on the protected side will never be allowed from the
unprotected side.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".
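
The two WAN-side checks this exchange turns on (rejecting inside addresses that arrive from outside, and matching inbound packets against the remote endpoint of an existing mapping), as an added example that is not code from the thread or from any product named in it. The `NatFilter` class, the 192.168.0.0/24 inside range and all sample packets are constructed for illustration.

```python
import ipaddress

# Assumption: the protected side is 192.168.0.0/24, after the thread's 192.168.0.1.
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")


class NatFilter:
    """Toy model of the WAN-side checks of a stateful NAT router (hypothetical)."""

    def __init__(self):
        # (proto, external port) -> (inside ip, inside port, remote ip, remote port)
        self.table = {}

    def outbound(self, proto, in_ip, in_port, remote_ip, remote_port, ext_port):
        """Record the mapping created when an inside host opens a connection."""
        self.table[(proto, ext_port)] = (in_ip, in_port, remote_ip, remote_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Return the verdict for a packet arriving on the external interface."""
        # Check 1: an inside address must never show up as source on the outside.
        if ipaddress.ip_address(src_ip) in INSIDE_NET:
            return "DROP spoofed-inside-source"
        entry = self.table.get((proto, dst_port))
        if entry is None:
            return "DROP no-mapping"
        in_ip, in_port, remote_ip, remote_port = entry
        # Check 2: only the remote endpoint the mapping was opened to may use it.
        if (src_ip, src_port) != (remote_ip, remote_port):
            return "DROP wrong-remote-endpoint"
        return f"FORWARD {in_ip}:{in_port}"


def demo():
    """Run constructed sample packets (documentation addresses) through the filter."""
    nat = NatFilter()
    # Inside host 192.168.0.17 queries a DNS server; the router picks port 40001.
    nat.outbound("udp", "192.168.0.17", 5353, "198.51.100.53", 53, 40001)
    packets = [
        ("udp", "198.51.100.53", 53, 40001),   # genuine reply
        ("udp", "203.0.113.9", 53, 40001),     # unrelated host, mapped port
        ("udp", "203.0.113.9", 53, 40002),     # unrelated host, unmapped port
        ("udp", "192.168.0.1", 53, 40001),     # inside source seen on the outside
    ]
    return [nat.inbound(*p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```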

