In some mail from David G. Andersen, sie said:
>
> Thinking about ways to figure out how to get through firewalls,
> the following attack occurred to me. The technique is similar
> to "firewalk"ing (Goldsmith) and to IP ID reverse scanning (Antirez).
> I call it next-hop scanning, because it operates by interrogating
> a router after the firewall, not the target.

[...]

To combat this attack, and others that use the IP ID, the latest alpha
of IPFilter 4.0[2] rewrites the ID field of _all_ outgoing IPv4 packets,
in all directions, to be sequential and part of the same number space.
This was done primarily to address problems raised in [1]. The
implementation is not linked to NAT, so firewalls that do not use NAT
are able to change the ID field.

Darren

[1] "A Technique for Counting NATted Hosts", Steven Bellovin, 2002
    http://www.research.att.com/~smb/papers/fnat.pdf
[2] http://coombs.anu.edu.au/~avalon/ipf40a25.tgz
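An added example, not from the post or from IPFilter's source: a Python model of the single shared ID counter described above, plus a simplified run-counting check in the spirit of [1] to show why the rewrite hides per-host ID sequences from an outside observer. The packet model, the sample hosts and the window size are constructed assumptions.

```python
import itertools
from dataclasses import dataclass

ID_SPACE = 1 << 16  # the IPv4 Identification field is 16 bits wide

@dataclass
class Packet:
    src: str    # constructed: internal host that sent the packet
    ip_id: int  # Identification field value

class IdRewriter:
    """Model of the egress behaviour described in the post: every forwarded
    IPv4 packet, whatever its source, takes the next value from one shared
    counter. Illustration only, not IPFilter's code."""
    def __init__(self, start=0):
        self._counter = itertools.count(start)
    def forward(self, pkt):
        return Packet(pkt.src, next(self._counter) % ID_SPACE)

def host_stream(src, start, n):
    """Constructed sample: a host whose own stack assigns sequential IDs."""
    return [Packet(src, (start + i) % ID_SPACE) for i in range(n)]

def interleave(*streams):
    """Round-robin merge, standing in for mixed traffic leaving one gateway."""
    return [p for g in itertools.zip_longest(*streams) for p in g if p]

def count_id_runs(packets, window=8):
    """Simplified check in the spirit of [1] (an assumption, not Bellovin's
    exact algorithm): an ID continues a run if it is 1..window above that
    run's last ID (mod 2^16), otherwise it starts a new run. The run count
    estimates how many per-host counters an outside observer can see."""
    runs = []  # last ID seen in each run
    for p in packets:
        for i, last in enumerate(runs):
            if 0 < (p.ip_id - last) % ID_SPACE <= window:
                runs[i] = p.ip_id
                break
        else:
            runs.append(p.ip_id)
    return len(runs)

def demo(n_per_host=4):
    """Return (runs before rewriting, runs after rewriting, egress IDs)."""
    traffic = interleave(host_stream("10.0.0.1", 1000, n_per_host),
                         host_stream("10.0.0.2", 40000, n_per_host),
                         host_stream("10.0.0.3", 65530, n_per_host))
    fw = IdRewriter(start=65530)  # start near the top to exercise wraparound
    egress = [fw.forward(p) for p in traffic]
    return count_id_runs(traffic), count_id_runs(egress), [p.ip_id for p in egress]
```

Before the rewrite the observer sees three separate ID sequences (one per host); after it, one sequence that continues cleanly across the 16-bit wraparound.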