From Slashdot: Comcast goes after NAT users

Aaron aaron at aarons.net
Fri Jan 25 17:52:18 CST 2002


Like I said... this is kind of a sophisticated process that involves cutting
your packets and overlaying the destination port field with the second
fragment by manipulating the offset value in the IP header.  Probably way
above anyone who would work for Comcast.  (I'm assuming... no offense to any
Comcast employees out there. :))

Trust me, there are tools out there that will tell you if a certain device
is a firewall and what kind of firewall it is.  Also, keep in mind that NAT
is not firewalling.  Also, if you use a firewall that allows only inbound
traffic that was initiated via an outbound connection you're fooling
yourself.  I did a lab in my Network Security class last week in which we
manipulated the code bits in the header to fool the firewall into thinking
that our connection HAD been initiated from the target machine.

If you use Comcast, and are concerned about this, you'll need to do
something besides just try to circumvent their detection methods.  Some
press and pressure from their customers is the only thing that's going to
change them.

Sorry about my rant.

Aaron

----- Marvin Said -----

> Can you give some details?  I don't see how it is possible to see
> machines behind an IPF/IPNAT server.
>
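Aaron's reply describes two ways a packet filter gets fooled: a fragment that overlaps and rewrites transport-header bytes, and an inbound packet with the ACK bit set that an "established"-style rule accepts without any prior outbound connection. The script below is an added example written for this archive page, not code from Aaron or the Kclug list; it takes the filter's side and shows the checks that catch both. All packets are constructed in-script with `struct` (no network access), the tiny-fragment threshold `MIN_FIRST_FRAG` is an assumed value, and `StatelessEstablished` / `StatefulTracker` are hypothetical minimal models, not any real firewall's implementation.

```python
"""Defender-side checks for the two evasions discussed in the thread:
(1) tiny / overlapping IP fragments that rewrite TCP header bytes,
(2) a forged inbound ACK that a stateless rule accepts but state tracking rejects.
Every packet here is constructed inline for the demonstration."""
import struct
from collections import defaultdict

TCP = 6
ACK, SYN = 0x10, 0x02
MIN_FIRST_FRAG = 20   # assumption: a first fragment must carry a full 20-byte TCP header

def build_ipv4(ident, offset, more, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header (no options, checksum left zero); offset is in bytes."""
    assert offset % 8 == 0
    flags_frag = ((1 if more else 0) << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, TCP, 0, src, dst)
    return hdr + payload

def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header: ports, seq, ack, data offset, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def parse_ipv4(pkt):
    v_ihl, _, tlen, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (v_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "more": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8, "payload": pkt[ihl:tlen]}

def check_fragments(packets):
    """Alert on tiny first fragments and on fragments whose byte ranges overlap."""
    alerts, seen = [], defaultdict(list)
    for raw in packets:
        ip = parse_ipv4(raw)
        if not ip["more"] and ip["offset"] == 0:
            continue  # unfragmented datagram, nothing to reassemble
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        start, data = ip["offset"], ip["payload"]
        end = start + len(data)
        if start == 0 and ip["proto"] == TCP and len(data) < MIN_FIRST_FRAG:
            alerts.append(f"id={ip['id']}: tiny first fragment ({len(data)} bytes)")
        for s, e, d in seen[key]:
            lo, hi = max(start, s), min(end, e)
            if lo < hi:  # byte ranges overlap; do the overlapping bytes agree?
                conflict = data[lo - start:hi - start] != d[lo - s:hi - s]
                alerts.append(f"id={ip['id']}: fragment overlap bytes {lo}-{hi}"
                              + (" with conflicting data" if conflict else ""))
        seen[key].append((start, end, data))
    return alerts

class StatelessEstablished:
    """ACL-style rule: accept any inbound TCP packet whose ACK bit is set."""
    def inbound(self, pkt):
        return bool(parse_ipv4(pkt)["payload"][13] & ACK)  # TCP flags byte

class StatefulTracker:
    """Connection tracking: inbound is accepted only for a flow an outbound SYN opened."""
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt):
        ip = parse_ipv4(pkt)
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", ip["payload"][:14])
        if flags & SYN:
            self.flows.add((ip["src"], sport, ip["dst"], dport))
    def inbound(self, pkt):
        ip = parse_ipv4(pkt)
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        return (ip["dst"], dport, ip["src"], sport) in self.flows  # reply reverses the tuple

def demo():
    inside, outside = b"\x0a\x00\x00\x05", b"\xc0\xa8\x01\x01"   # constructed addresses
    tcp = build_tcp(40000, 80, SYN) + b"x" * 12
    # benign split of one 32-byte segment into two non-overlapping fragments
    benign = [build_ipv4(1, 0, True, tcp[:24]), build_ipv4(1, 24, False, tcp[24:])]
    # evasion: short first fragment, then a second fragment re-covering the flags bytes
    alt = build_tcp(40000, 80, ACK) + b"y" * 12
    evasion = [build_ipv4(2, 0, True, tcp[:16]), build_ipv4(2, 8, False, alt[8:])]
    # forged inbound ACK with no prior outbound SYN, versus a genuine reply
    forged = build_ipv4(3, 0, False, build_tcp(80, 40000, ACK), src=outside, dst=inside)
    tracker = StatefulTracker()
    tracker.outbound(build_ipv4(4, 0, False, build_tcp(40000, 80, SYN), src=inside, dst=outside))
    return {
        "benign_alerts": check_fragments(benign),
        "evasion_alerts": check_fragments(evasion),
        "stateless_accepts_forged": StatelessEstablished().inbound(forged),
        "stateful_accepts_forged": StatefulTracker().inbound(forged),
        "stateful_accepts_reply": tracker.inbound(forged),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)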

More information about the Kclug mailing list