Traceroute through DNS
Consider the case of a Firewall configured to permit DNS domain queries through, on UDP port 53. As UDP is a connectionless protocol,
the Firewall would need to allow the traffic in both directions - indeed
the default policy settings of Checkpoint’s Firewall-1 to version 4.0
permitted not only 53/UDP but 53/TCP too.
A standard traceroute to a host behind the Firewall would be blocked
by the ruleset, leaving the last hop revealed to be the gateway upstream
from the Firewall.
If, however, we construct our traceroute such that the traceroute
packet that arrives at the packet filter is UDP/53, then the DNS query
rule would allow the packet through, revealing data for one further
hop.
Further information on how to calculate the correct initial port to
exploit a Firewall ruleset and reveal network information through a
Firewall can be found in David Goldsmith and Michael Schiffman’s
article Firewalking [1998] -
http://www.packetfactory.net/Projects/Firewalk/firewalk-final.html
Risk Level
Whether constructed traceroutes are discovered is dependent on how
the security device has been configured. If this type of attack is
expected, then special filters could have been set up on key UDP ports.
As such, we will categorize this technique as a Medium risk.
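As an illustration of the "special filters" the risk paragraph refers to, the following Python is an added example from the detection side; it is not code from the original post or from the Firewalk project. It assumes a constructed, simplified firewall log format (one packet per line: src, dst, proto, dport, ttl) and flags a source that sends UDP/53 packets whose TTL starts low and climbs by one per packet, which is the signature of a traceroute aimed at the DNS rule rather than a resolver sending real queries at a stable TTL.

```python
"""Flag traceroute-style probes hiding behind a permissive UDP/53 rule.

Added example, not part of the original post. The log format below is a
constructed simplification: each line carries
"src=<ip> dst=<ip> proto=<udp|tcp> dport=<port> ttl=<n>".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) ttl=(\d+)")

# Constructed sample log lines (not real traffic). 198.51.100.7 behaves like a
# resolver (stable TTL); 203.0.113.5 behaves like a traceroute on port 53.
SAMPLE_LOG = """\
src=198.51.100.7 dst=192.0.2.10 proto=udp dport=53 ttl=64
src=198.51.100.7 dst=192.0.2.10 proto=udp dport=53 ttl=64
src=203.0.113.5 dst=192.0.2.10 proto=udp dport=53 ttl=1
src=203.0.113.5 dst=192.0.2.10 proto=udp dport=53 ttl=2
src=203.0.113.5 dst=192.0.2.10 proto=udp dport=53 ttl=3
src=203.0.113.5 dst=192.0.2.10 proto=udp dport=53 ttl=4
src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=53 ttl=3
"""


def parse(log_text):
    """Yield (src, dst, proto, dport, ttl) tuples for lines that match the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, proto, dport, ttl = m.groups()
            yield src, dst, proto, int(dport), int(ttl)


def longest_increment_run(values):
    """Longest sub-sequence of entries where each is exactly one more than the last."""
    best = []
    run = []
    for v in values:
        if run and v == run[-1] + 1:
            run.append(v)
        else:
            run = [v]
        if len(run) > len(best):
            best = list(run)
    return best


def find_dns_traceroutes(log_text, min_run=3, max_start_ttl=3):
    """Return {src: [ttls]} for sources sending UDP/53 with a climbing low TTL run.

    min_run and max_start_ttl are tunable thresholds chosen for this example;
    a traceroute normally begins at TTL 1 and sends several probes per hop.
    """
    ttls_by_src = defaultdict(list)
    for src, _dst, proto, dport, ttl in parse(log_text):
        if proto == "udp" and dport == 53:
            ttls_by_src[src].append(ttl)

    suspects = {}
    for src, ttls in ttls_by_src.items():
        run = longest_increment_run(ttls)
        if len(run) >= min_run and run[0] <= max_start_ttl:
            suspects[src] = run
    return suspects


if __name__ == "__main__":
    for src, ttls in find_dns_traceroutes(SAMPLE_LOG).items():
        print(f"possible traceroute via UDP/53 from {src}: TTL sequence {ttls}")
```

The TTL check is a detection aid, not the fix: the lasting mitigation for the ruleset described above is stateful handling of UDP/53, so that inbound port 53 traffic is only accepted when it matches an outbound query the firewall has already seen, rather than an unconditional bidirectional allow.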