Its still implemented in the TCP/IP stack, unless you have a high powered router like a cisco and manually disable it, it still works. While it would be helpful it they knew what you had, most will just scan likely address blocks and hope for a return. If you have a firewall, I personally recommend what I call a christmas tree filter. Drop all packets with any TCP/IP option flag set, none of them are used in production environments. (at least nowhere I've worked at)
>From: Johan De Meersman <[EMAIL PROTECTED]> >To: Chris Berry <[EMAIL PROTECTED]> >Subject: Re: Network Address Translation insecurities >Date: Fri, 27 Sep 2002 14:46:59 +0200 > >Chris Berry wrote: > >>That is totally incorrect, although it might make it marginally harder for >>amateurs, the attacker can bypass NAT by specifying the route for the >>packet to take. This is called source routing, now if you were to drop >>source routed packets at the firewall then I'm not sure what they could >>do, perhaps someone else could chime in with a comment on that? > >Correct me if I'm wrong, but hasn't source routing been obsoleted ages ago >? Most current routers should just ignore any source-routed packages. >Moreover, source routing would require the attacker to have an intimate >knowledge of the NATted network topology. > >> >> >>>From: "Schuler, Jeff" <[EMAIL PROTECTED]> >>>To: [EMAIL PROTECTED] >>>Subject: Network Address Translation insecurities >>>Date: Wed, 25 Sep 2002 10:17:04 -0700 >>> >>>I am looking for information regarding the insecurities and >>>vulnerabilities >>>that exist in Network Address Translation. One of our admins feels that >>>because everything is NAT'd that there is no way anyone can break into >>>the >>>systems that are NAT'd. I know that this is not a completely accurate >>>statement but need to find some research and documentation regarding >>>this. >>>All our systems are behind at least one firewall so please don't advise >>>me >>>to install a firewall as extra security as they are already there. I >>>just >>>want to make sure that we are not overlooking serious vulnerabilities >>>just >>>because the box is behind a NAT. In order to justify doing vulnerability >>>testing on some of our internal systems I need to demonstrate the >>>insecurities in NAT. >>> >>>Thanks in advance >>> >>>Jeff Schuler >> >> >> >> >> >>Chris Berry >>[EMAIL PROTECTED] >>Systems Administrator >>JM Associates >> >>"I have found the way, and the way is Perl." >> >> >>_________________________________________________________________ >>Chat with friends online, try MSN Messenger: http://messenger.msn.com > > > >-- >Public GPG key at blackhole.pca.dfn.de . > ><< attach3 >> Chris Berry [EMAIL PROTECTED] Systems Administrator JM Associates "I have found the way, and the way is Perl." _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com