
Re: Sflow NAT detection.



> > http://www.sflow.org/detectNAT/
> > Could pf defeat this in any way?
> On April 13 I proposed a solution.
> http://hacking.openbsd.it/#RFC#10
Or just hardcode the TTL to 255.  Niels put it there at the inception of
the scrubber.
  "scrub out all min-ttl 255"
You can still use passive OS fingerprinting to identify a NAT gateway if
there are multiple OSes or revisions of the OSes behind the firewall.
The firewall can change the DF bit, the TCP option ordering, it can
decrement the window scaling and turn off the SACK option.  But it
isn't always possible to safely change the TCP window size or the MSS.
Luckily just changing the default TTL defeats the current passive OS
fingerprinting tools today and the ISP employees who would be looking at
this stuff typically aren't bright enough to figure out how to do a best-match
algorithm.
.mike
[email protected](nfr.com | cvs.openbsd.org | w4g.org)
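The normalization the post describes, written out as a pf.conf fragment. This is an added example, not part of the original message and not the pf project's own documentation; it uses the older "scrub" directive syntax (later releases attach the same options to match rules), and the external interface name is an assumption.

```pf
# Added example (not from the original message or the pf project).
# Outbound normalization with pf's scrub directive, older syntax.
ext_if = "ne3"     # assumed external interface name

# Without normalization, each inner host's initial TTL (64, 128, ...) and
# IP ID sequence pass through the gateway unchanged, so an outside observer
# can count distinct TTL classes behind a single public address.
# scrub out on $ext_if all

# With normalization: raise every outbound TTL to 255 (the maximum, so all
# hosts leave with the same value), clear DF and randomize the IP ID field.
scrub out on $ext_if all min-ttl 255 no-df random-id

# max-mss clamps the MSS, which the post warns is not always safe to change;
# keep it for paths that already require a fixed MSS (PPPoE-style links).
# scrub out on $ext_if all min-ttl 255 no-df random-id max-mss 1440
```

As the post notes, TTL and IP ID rewriting are the safe part; TCP option ordering and window size still differ per OS, so a best-match fingerprinter could in principle still tell hosts apart.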