Re: How NAT reacts on table flood ?

From: Ralph Forsythe (rforsythe@5280tech.com)
Date: Tue Jul 11 2006 - 16:39:50 EDT


Were you actually NAT'ing out the FreeBSD box, or just using it to inspect
traffic to/from a public IP?

Any system that performs NAT has a finite amount of space in which to
translate packets. In the simplest case, you will be translating all
traffic out as one IP address (the external IP of the firewall/router).
Unless a smaller limit is imposed, your hard limit is always the number of
high ports available for the return traffic: (65536-1024) = 64512. Some
devices also have a session, or 'state', limit set lower. An example
would be the smaller Netscreen firewalls, which don't let you get anywhere
close to the number of potentially available high ports before the session
table fills up.

If nmap closes the connections and the NAT device clears the state, you'll
regain that entry for future use. However these things can take some time
to close or expire, so it is very possible to max out the table on any NAT
device if you can send enough new connections in a given span of time.
They're also typically designed so that once you have a state you keep it,
so if a user (or group of them) fills up the table nobody else will be
able to create a new entry until an old one closes or expires. Old states
won't be forced out in favor of new ones.

Some systems have rudimentary protection against this by way of limiting
the number of sessions any one host can open at a time; obviously gaining
control of several systems can bypass that control. Spoofing your IP as
many within the allowed netblock could also potentially let you do this
from one host.

Unless the NAT device fails in an open state (very very bad, and also
quite unlikely) you don't have much of a chance of actually breaching a
security barrier with this type of 'attack'. It is an effective DoS tool
however, since it will block new outbound connections from forming.

- Ralph

On Tue, 11 Jul 2006, Bob Middaugh wrote:

> Use FreeBSD. I've scanned aggressively with several nmap processes running, with no problem at all... and that box also does stateful packet inspection.
>
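
The behaviour Ralph describes above (a finite pool of high ports or a lower session cap, states that persist until they close or time out, a full table that refuses new entries instead of evicting old ones, and a per-host limit that spoofed source addresses can sidestep) can be checked with a small model. The code below is an added example and is not part of the original thread or of any NAT implementation; the addresses, timeout, session cap and per-host limit are constructed values, and a real device will differ in its allocation and expiry details.

```python
"""Toy model of a NAT translation table, to show how a flood of new
connections exhausts it (added example, not from the original thread).

Modelled: one external IP, the pool of high ports 1024..65535 for return
traffic, an optional lower session cap, an idle timeout, an optional
per-host session limit, and the rule that a full table refuses new states
rather than evicting old ones.  All numbers below are constructed.
"""
from typing import Dict, Iterable, Optional, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class NatTable:
    def __init__(self, external_ip: str, idle_timeout: float = 60.0,
                 max_sessions: Optional[int] = None,
                 per_host_limit: Optional[int] = None) -> None:
        self.external_ip = external_ip
        self.idle_timeout = idle_timeout
        # High ports 1024..65535 are the pool for return traffic: 64512 of them.
        self._free: Set[int] = set(range(1024, 65536))
        self.capacity = len(self._free) if max_sessions is None \
            else min(len(self._free), max_sessions)
        self.per_host_limit = per_host_limit
        self._states: Dict[FlowKey, Tuple[int, float]] = {}  # key -> (ext_port, last_seen)
        self._per_host: Dict[str, int] = {}
        self._last_sweep = -1.0

    def _sweep(self, now: float) -> None:
        """Lazily expire states that have been idle longer than idle_timeout."""
        if now == self._last_sweep:
            return
        self._last_sweep = now
        for key, (_, last_seen) in list(self._states.items()):
            if now - last_seen > self.idle_timeout:
                self.close(key)

    def close(self, key: FlowKey) -> None:
        """Release a state (connection closed or timed out); its port is reusable."""
        port, _ = self._states.pop(key)
        self._free.add(port)
        self._per_host[key[0]] -= 1

    def translate(self, key: FlowKey, now: float) -> Optional[int]:
        """Return the external source port for this flow, or None if refused."""
        self._sweep(now)
        if key in self._states:          # an existing state is kept and refreshed
            port, _ = self._states[key]
            self._states[key] = (port, now)
            return port
        if len(self._states) >= self.capacity:
            return None                  # table full: old states are NOT evicted
        src_ip = key[0]
        if self.per_host_limit is not None and \
                self._per_host.get(src_ip, 0) >= self.per_host_limit:
            return None                  # per-host session cap reached
        port = self._free.pop()
        self._states[key] = (port, now)
        self._per_host[src_ip] = self._per_host.get(src_ip, 0) + 1
        return port

    def active(self) -> int:
        return len(self._states)


def flood(nat: NatTable, src_ips: Iterable[str], per_ip: int, now: float) -> int:
    """Open per_ip new flows from each source address; return how many got a state."""
    accepted = 0
    for ip in src_ips:
        for i in range(per_ip):
            if nat.translate((ip, 20000 + i, "198.51.100.10", 80), now) is not None:
                accepted += 1
    return accepted


def demo() -> dict:
    out = {}
    # 1) A session cap below the port count: one host fills it, and another
    #    host gets no new state until the flood's entries time out.
    nat = NatTable("203.0.113.1", idle_timeout=60, max_sessions=500)
    out["accepted"] = flood(nat, ["10.0.0.5"], per_ip=1500, now=0.0)
    victim = ("10.0.0.9", 40000, "198.51.100.20", 443)
    out["victim_during_flood"] = nat.translate(victim, now=1.0)
    out["victim_after_expiry"] = nat.translate(victim, now=61.5)
    # 2) A per-host limit stops a single source...
    nat2 = NatTable("203.0.113.1", max_sessions=500, per_host_limit=50)
    out["single_host_capped"] = flood(nat2, ["10.0.0.5"], per_ip=1500, now=0.0)
    # ...but spoofed sources inside the allowed netblock each get their own quota.
    spoofed = [f"10.0.0.{i}" for i in range(10, 40)]   # 30 addresses x 50 flows
    out["spoofed_fill"] = flood(nat2, spoofed, per_ip=50, now=0.0)
    out["table_full"] = nat2.active() >= nat2.capacity
    return out


if __name__ == "__main__":
    print(demo())
```

With a 500-session cap the single-host flood gets exactly 500 states and the second host is refused until the idle timeout passes; with a 50-per-host limit the same host gets only 50, but thirty spoofed addresses in the netblock fill the remaining 450 slots and the table is full again. Lowering the idle timeout or the per-host limit shrinks the window, but neither stops a flood spread across enough source addresses, which is the DoS Ralph describes.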




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:15 EDT