Forums » Hiding Behind Your NAT » Rolling my own


AthlGrond
Premium,MVM
join:2002-04-25
Aurora, CO
reply to amenite
Re: Rolling my own

Thanks, I reread it and much clearer now. You are correct.


amenite
The Soylent - It's People
Premium
join:2002-11-21
Ridgewood, NJ
clubs:
·Verizon Online DSL

reply to AthlGrond
said by AthlGrond:
said by amenite:
The ID in question is the IP id string assigned to each packet by the OS, not the IP address of the NAT device.
Are the IP IDs not assigned by the NAT device? Seems like they would have to be (so the NAT device could send the packets to the correct IP in the LAN).
According to the article, the "IP id" field is generated by the host, and is only used to reassemble fragmented packets. It must be unique among all packets of one protocol that have the same source and destination address (to allow for correct reassembly in case of fragmentation). I am assuming that the NAT device only alters the source IP, or leaves enough of the IP id string intact to allow the technique to work.
--
Time is an abstract concept invented by carbon based life forms to monitor their constant decay.-Thunderclese


AthlGrond
Premium,MVM
join:2002-04-25
Aurora, CO
·Comcast

reply to amenite
said by amenite:
The ID in question is the IP id string assigned to each packet by the OS, not the IP address of the NAT device.
Are the IP IDs not assigned by the NAT device? Seems like they would have to be (so the NAT device could send the packets to the correct IP in the LAN).


amenite
The Soylent - It's People
Premium
join:2002-11-21
Ridgewood, NJ
clubs:
·Verizon Online DSL

reply to pvale
said by pvale:
What if you are running 2 NAT devices in series? I'm running a Freesco PC-made-into-router, feeding a Netgear RT314, and my machines are connected behind the Netgear box. I haven't read the mentioned paper, but the only ID that would show on the WAN side of the Freesco would be the Netgear's. Since Freesco is built on a small Linux distribution, I'm sure I can change what it does/reports.

The ID in question is the IP id string assigned to each packet by the OS, not the IP address of the NAT device. It only has to do with the IP address in that you would be monitoring/analyzing all the packet headers originating from a particular IP address.
--
Time is an abstract concept invented by carbon based life forms to monitor their constant decay.-Thunderclese


amenite
The Soylent - It's People
Premium
join:2002-11-21
Ridgewood, NJ
clubs:
·Verizon Online DSL

reply to succintly put
said by succintly put:
...
You can get a lot more advice and help in the 'All Things Unix' forum. I -may- get a friend to write and post a 'how-to' in ATU when I'm done. 'nuff said.
That would be excellent, the topic is a little obscure to many of us.
--
Time is an abstract concept invented by carbon based life forms to monitor their constant decay.-Thunderclese


succintly put

@207.99.x.x

reply to amenite
Iptables supports 'packet mangling' as just one of its many functions. Packet mangling changes the packet headers.

You can get a lot more advice and help in the 'All Things Unix' forum. I -may- get a friend to write and post a 'how-to' in ATU when I'm done. 'nuff said.


pvale
Lurk, Lurk, Lurk,They Call Me The Lurker

join:2000-03-29
Washington, MO
clubs:
·Charter Pipeline

reply to hescominsoon
What if you are running 2 NAT devices in series? I'm running a Freesco PC-made-into-router, feeding a Netgear RT314, and my machines are connected behind the Netgear box. I haven't read the mentioned paper, but the only ID that would show on the WAN side of the Freesco would be the Netgear's. Since Freesco is built on a small Linux distribution, I'm sure I can change what it does/reports.
--
Using ET photons (Solar Power) to search for ET.


amenite
The Soylent - It's People
Premium
join:2002-11-21
Ridgewood, NJ
clubs:
·Verizon Online DSL

reply to Kylemaul
said by Kylemaul:
Errrrrrr....could you dumb your post down a little for us poor novices? How do you determine if your NAT router has the capability to disable decrementing a counter? And what is decrementing and what is 'the counter'?

Don't know what routers might allow you to change the IP header info, but once you read the article the idea is pretty straightforward: the IP header contains an ID string, which is [often/usu.?] assigned in incremental order, like a counter. Knowing the OS, how it handles the numbering, and analyzing the IP id can give you some idea of the hosts behind the NAT device.
--
Time is an abstract concept invented by carbon based life forms to monitor their constant decay.-Thunderclese
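The counter behaviour amenite describes above is easier to see in code than in prose. The following is an added example, not code from this thread or from Bellovin's paper: it constructs a hypothetical trace of IP ID values as they would appear from the public side of a NAT, assigns each observed value to the chain of the nearest preceding ID (the core idea of the counting technique), and then runs the same analysis on a trace where the host or NAT has replaced every ID with a random 16-bit value, which is the kind of header rewriting the later posts are circling around. The number of hosts, their starting counter values, the packet count and the gap threshold are all constructed for the demonstration.

```python
import random


def simulate_nat_trace(start_ids, packets=60, seed=7, randomize=False):
    """Return the IP ID values an observer outside the NAT would see.

    Each hypothetical host behind the NAT keeps its own sequential 16-bit
    counter (one entry of start_ids per host).  The NAT rewrites the source
    address but, in the weak case, leaves the ID field untouched.  With
    randomize=True every outgoing ID is replaced by a random value, which is
    the mitigation being discussed (constructed scenario, not captured data).
    """
    rng = random.Random(seed)
    counters = list(start_ids)
    trace = []
    for _ in range(packets):
        host = rng.randrange(len(counters))   # which host sends next
        ip_id = counters[host] & 0xFFFF       # counters wrap at 16 bits
        counters[host] += 1
        if randomize:
            ip_id = rng.randrange(0x10000)    # per-packet random ID instead
        trace.append(ip_id)
    return trace


def count_id_chains(trace, max_gap=32):
    """Group observed IDs into chains of consecutive-looking values.

    Each ID extends the chain whose last ID is the closest value just below it
    (within max_gap, modulo 2**16); otherwise it starts a new chain.  With
    per-host sequential counters, one chain per host falls out.
    """
    chains = []  # each chain is a list of IDs in observation order
    for ip_id in trace:
        best, best_gap = None, max_gap + 1
        for chain in chains:
            gap = (ip_id - chain[-1]) & 0xFFFF
            if 0 < gap < best_gap:
                best, best_gap = chain, gap
        if best is None:
            chains.append([ip_id])
        else:
            best.append(ip_id)
    return chains


def estimate_hosts(trace, max_gap=32, min_len=3):
    """Estimate the host count: chains shorter than min_len are treated as noise."""
    return sum(1 for c in count_id_chains(trace, max_gap) if len(c) >= min_len)


if __name__ == "__main__":
    hosts = [1000, 20000, 45000]   # three hypothetical hosts, distinct counters
    seq = simulate_nat_trace(hosts)
    rnd = simulate_nat_trace(hosts, randomize=True)
    print("sequential IDs: chains =", len(count_id_chains(seq)),
          "estimated hosts =", estimate_hosts(seq))
    print("random IDs:     chains =", len(count_id_chains(rnd)),
          "estimated hosts =", estimate_hosts(rnd))
```

With untouched sequential counters the three hosts separate into three clean chains; once IDs are randomized, nearly every packet starts its own chain and no chain grows long enough to count, which is the whole point of having the host or the NAT box mangle that field.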

DonLibes
Premium,ExMod 2001
join:2003-01-19
reply to Kylemaul
I think the reference to decrementing the counter was a reference to TTL. But that's not how Bellovin's technique worked.


Kylemaul
Lovin' My Firefox 1.5.x
Premium
join:2001-03-30
North Port, FL
clubs:
·Verizon FIOS

reply to hescominsoon
Errrrrrr....could you dumb your post down a little for us poor novices? How do you determine if your NAT router has the capability to disable decrementing a counter? And what is decrementing and what is 'the counter'?
--
'The tighter the RIAA squeezes their fingers, the more stars and systems will slip through their fingers.'

hescominsoon

join:2003-02-18
Brunswick, MD
reply to succinctly put
So far this is easy to defeat: do not let NAT decrement the counter, and use a firewall (either in the NAT box itself or the clients) that blocks OS fingerprinting. Problem solved.
--
God Bless http://www.faithwalk.org