Re: Just want to keep the crap out!!



Don Kelloway <usenet@xxxxxxxxxxxx> wrote:
An example for dynamic NAT:
To insert packets into the internal network behind NAT, you're just
sending packages to the ports on the external interface of a NAT router,
which seem to belong to connections NATed by the router. Usually, this is
a fixed range of ports you have to try out.
An example for static NAT:
To insert a packet, which seems to come from inside, just spoof an IP
address like 192.168.0.1 for sender's IP address. Then you can insert
packages, which seem to come from inside.
Both are very dangerous for UDP based protocols, of course. They are
dangerous, too, for weak TCP implementations like the one from older
Windows versions.
On what device have you found this to be true?

On every one I saw up to today.

Most modern implementations are smart enough to prevent this type of
spoofing from occurring because they maintain a state of knowing that the
IP's specified on the protected side will never be allowed from the
unprotected side.

Nice to hear. What I'm missing is an implementation I can see. With some
little filtering there is no problem anyways.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain
.
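
The inbound checks this exchange argues about, as an added example that is not part of the original post or of any router's code: an anti-spoofing rule for internal source addresses plus a stateful match against the NAT table, with a port-only mode for comparison. The topology, the mapping table, the packets and the names filter_inbound and Mapping are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed topology (constructed): internal LAN 192.168.0.0/24 behind one public address.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")

@dataclass(frozen=True)
class Mapping:
    proto: str       # "udp" or "tcp"
    ext_port: int    # port allocated on the router's external interface
    inside: tuple    # (internal IP, internal port)
    remote: tuple    # (remote IP, remote port) the inside host contacted

def filter_inbound(pkt, table, strict=True):
    """Decide the fate of a packet arriving on the EXTERNAL interface.

    pkt: dict with src, sport, dport, proto. Returns (verdict, detail).
    strict=False models a router that matches on the external port only.
    """
    src = ipaddress.ip_address(pkt["src"])
    # Anti-spoofing: internal addresses never legitimately arrive from outside.
    if src in INTERNAL_NET:
        return ("drop", "internal source address on external interface")
    for m in table:
        if m.proto != pkt["proto"] or m.ext_port != pkt["dport"]:
            continue
        # Stateful check: sender must be the endpoint the mapping was created for.
        if strict and (pkt["src"], pkt["sport"]) != m.remote:
            return ("drop", "sender does not match mapped remote endpoint")
        return ("forward", m.inside)
    return ("drop", "no mapping for destination port")

# Constructed sample state and packets (documentation addresses from RFC 5737).
TABLE = [Mapping("udp", 40001, ("192.168.0.10", 5353), ("198.51.100.7", 53))]
REPLY = {"src": "198.51.100.7", "sport": 53, "dport": 40001, "proto": "udp"}
UNKNOWN = {"src": "203.0.113.9", "sport": 4444, "dport": 40001, "proto": "udp"}
SPOOFED = {"src": "192.168.0.1", "sport": 53, "dport": 40001, "proto": "udp"}

if __name__ == "__main__":
    for name, pkt in (("reply", REPLY), ("unknown", UNKNOWN), ("spoofed", SPOOFED)):
        print(name, "strict:", filter_inbound(pkt, TABLE),
              "port-only:", filter_inbound(pkt, TABLE, strict=False))
```

Only the port-only mode forwards the packet from the unrelated sender; the anti-spoofing rule drops the 192.168.0.1 source in both modes.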


