Chris Berry wrote:

> It's still implemented in the TCP/IP stack, unless you have a high
> powered router like a Cisco and manually disable it, it still works.
> While it would be helpful if they knew what you had, most will just
> scan likely address blocks and hope for a return. If you have a
> firewall, I personally recommend what I call a christmas tree filter.
> Drop all packets with any TCP/IP option flag set, none of them are
> used in production environments. (at least nowhere I've worked at)

I stand corrected :) Thanks for the info, and since we're closing in on the season, I'll put up my christmas tree as you recommend :)

>> From: Johan De Meersman <[EMAIL PROTECTED]>
>> To: Chris Berry <[EMAIL PROTECTED]>
>> Subject: Re: Network Address Translation insecurities
>> Date: Fri, 27 Sep 2002 14:46:59 +0200
>>
>> Chris Berry wrote:
>>
>>> That is totally incorrect, although it might make it marginally
>>> harder for amateurs, the attacker can bypass NAT by specifying the
>>> route for the packet to take. This is called source routing, now if
>>> you were to drop source routed packets at the firewall then I'm not
>>> sure what they could do, perhaps someone else could chime in with a
>>> comment on that?
>>
>> Correct me if I'm wrong, but hasn't source routing been obsoleted
>> ages ago? Most current routers should just ignore any source-routed
>> packages. Moreover, source routing would require the attacker to have
>> an intimate knowledge of the NATted network topology.

--
Public GPG key at blackhole.pca.dfn.de .
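The filtering rule discussed in this thread (drop source-routed packets, or more strictly any packet carrying options), sketched as an added example that is not part of the original messages. It assumes "TCP/IP option" means IPv4 header options as defined in RFC 791; the function names and the sample header builder are hypothetical.

```python
import struct

# IPv4 option type bytes from RFC 791; 0x83/0x89 are loose/strict source route.
LSRR, SSRR = 0x83, 0x89
EOL, NOP = 0x00, 0x01

def ipv4_options(packet: bytes) -> list:
    """Return the option type bytes found in an IPv4 header (ValueError if malformed)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad version or header length")
    opts, i, end = [], 20, ihl * 4
    while i < end:
        kind = packet[i]
        if kind == EOL:              # end of option list, rest is padding
            break
        if kind == NOP:              # single-byte option, no length field
            opts.append(kind)
            i += 1
            continue
        # All other options are encoded as type, length, data.
        if i + 1 >= end or packet[i + 1] < 2 or i + packet[i + 1] > end:
            raise ValueError("malformed option length")
        opts.append(kind)
        i += packet[i + 1]
    return opts

def verdict(packet: bytes, drop_all_options: bool = True) -> str:
    """Filter decision: always drop source-routed or malformed packets;
    with drop_all_options, drop anything that carries an IP option."""
    try:
        opts = ipv4_options(packet)
    except ValueError:
        return "DROP"
    if LSRR in opts or SSRR in opts:
        return "DROP"
    return "DROP" if (drop_all_options and opts) else "ACCEPT"

def build_header(options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (documentation addresses, checksum 0)."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6,
                       0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options
```

With `drop_all_options=False` only source-routed and malformed headers are rejected; the default corresponds to the stricter "any option set" rule.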