Firewall Responses
The pattern behavior above has been noted by a number of firewall vendors, who have improved the obscurity of the response by spoofing the source address of the RST/ACK packet to be that of the target host. As such, the response received by an inquisitive attacker will be a RST/ACK from the target, rather than from the gateway. This is, of course, ambiguous, as it implies that the packet reached the target before being rejected, when we may already have surmised that there is, in fact, a gateway filtering the traffic.
Commonly in modern firewall and IDS environments, rather than applying deny or reject rules to traffic outside the acceptable policy, the security devices will simply drop the packet without comment. As the scanner never receives a positive or negative response, there is no way of telling whether the packet failed to reach the target because of network problems, whether the target no longer exists, or whether the packet was intentionally dropped en route.
This is possibly the biggest hindrance to an attacker: not only do the scans reveal no information about the target hosts, but the resulting ambiguity and timeouts slow down the scanning process and prevent many tools from revealing information of any value whatsoever.
Despite this, hping represents a powerful tool when used in
conjunction with the analysis techniques already discussed.
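The following is an added model, not code from the original post, of the three gateway behaviours described above (a plain RST/ACK from the gateway, a RST/ACK spoofed to carry the target's address, and a silent drop) and of what a probing host can conclude from each. Every address, port list and timing value is a constructed sample; no packets are sent.

```python
"""Model of how a gateway's policy for disallowed traffic shapes what a
prober can observe.  Added example; addresses and timings are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Policy(Enum):
    ACCEPT = "accept"                  # gateway forwards every probe to the target
    REJECT = "reject"                  # gateway answers RST/ACK from its own address
    REJECT_SPOOFED = "reject-spoofed"  # gateway answers RST/ACK using the target's address
    DROP = "drop"                      # gateway discards the probe without any reply


@dataclass(frozen=True)
class Reply:
    src: str     # source address seen on the wire
    flags: str   # "SA" = SYN/ACK, "RA" = RST/ACK


@dataclass(frozen=True)
class Host:
    ip: str
    alive: bool
    open_ports: frozenset


def gateway(policy: Policy, gateway_ip: str, target: Host, port: int,
            allowed_ports: frozenset, lost: bool = False) -> Optional[Reply]:
    """Return what a single SYN to target:port produces; None means silence."""
    if lost:
        return None                        # probe or answer lost in transit
    if port not in allowed_ports:
        if policy is Policy.REJECT:
            return Reply(gateway_ip, "RA")
        if policy is Policy.REJECT_SPOOFED:
            return Reply(target.ip, "RA")  # looks as if the target itself replied
        if policy is Policy.DROP:
            return None
        # ACCEPT: no filtering, fall through to the target
    if not target.alive:
        return None
    return Reply(target.ip, "SA" if port in target.open_ports else "RA")


def verdict(target_ip: str, reply: Optional[Reply]) -> str:
    """What the prober can conclude from one observation."""
    if reply is None:
        return "unknown: filtered, host down, or packet lost"
    if reply.flags == "SA":
        return "open"
    if reply.src == target_ip:
        return "closed (RST/ACK apparently from target)"
    return f"closed by intermediate device {reply.src} (filtering revealed)"


def scan(policy: Policy, gateway_ip: str, target: Host, ports: Iterable[int],
         allowed_ports: frozenset, rtt: float = 0.05,
         timeout: float = 3.0) -> Tuple[Dict[int, str], float]:
    """Verdict per port plus the wall-clock cost: a reply costs one RTT,
    silence costs a full timeout."""
    verdicts: Dict[int, str] = {}
    elapsed = 0.0
    for port in ports:
        reply = gateway(policy, gateway_ip, target, port, allowed_ports)
        verdicts[port] = verdict(target.ip, reply)
        elapsed += rtt if reply is not None else timeout
    return verdicts, elapsed


if __name__ == "__main__":
    target = Host("192.0.2.10", alive=True, open_ports=frozenset({80}))
    for policy in Policy:
        result, cost = scan(policy, "192.0.2.1", target, [22, 80, 443], frozenset({80}))
        print(f"{policy.value:15} {cost:5.2f}s  {result}")
```

Running the model shows the point of the passage: with a spoofed reject, a filtered port is word-for-word indistinguishable from a genuinely closed port on an unfiltered host, and with a silent drop the same "unknown" verdict covers a filtered port, a dead host and a lost packet, while each such probe costs a full timeout instead of a round trip.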