Security
Aaron
aaron at aarons.net
Fri Jan 25 19:34:01 CST 2002
> The ip_always_defrag flag breaks RFCs, so shouldn't be used on a device
> with connections to the internet on both sides (i.e. a backbone router or
> similar), but it works fine when you've got complete control of the "near"
> side of the network (i.e. most firewall environments, which is really where
> you care about fragment attacks anyway).
Exactly. If a firewall though, it's exactly what you want.
> Also curious...have you guys played with bypassing NAT translation to
> port-scan internal masqueraded systems? If so, how sophisticated are the
> tools to do this? I'm wondering how worried I should be about this form of
> attack...
Yes. It takes a little skill and practice. Do a search on NMAP. I can't
remember where I got it. You'll be amazed how easy it is to bypass NAT and
some firewalls to scan internal systems. Play with it for a few days and
then tell me how worried you should be. ;)
Aaron