[Dshield] Architecture approach
cbrenton at chrisbrenton.org
Fri Aug 12 13:46:42 GMT 2005
On Fri, 2005-08-12 at 07:11, Johannes B. Ullrich wrote:
> - Use of private address space in routers: Some ISPs use 10.x addresses
> for internal routers, or for admin access in devices (e.g. DSL/Cable
> modems). While there is no NAT involved here, it will still prevent
> directly addressing the device from outside the ISP's network.

A little trick I've found that seems to work a majority of the time is
to simply use loose source routing. You can usually bounce off of one of
the legal addresses on the ISP's backbone in order to reach the
privately addressed system in question.
I *think* this works because many people misunderstand how "no ip
source-route" works on Cisco IOS. This *does not* drop all source route
packets, it only prevents that one specific router from being a bounce
hop. So you cannot simply run this command at the perimeter. You have
to run it on every single router that is Internet reachable.
Just as an aside, this sometimes works through a firewall as well. Some
more ASCII art:

Firewall---DMZ/Service net with www, DNS, SMTP

In the above setup TCP/80 is usually open inbound to the Web server.
Some firewalls (I have the best luck with Netscreen) will simply pass a
TCP/80 packet to the Web server even though loose source routing is set.
If the Web server supports source routing, you can then bounce that
TCP/80 packet to any reachable system (other hosts on the service net
that may use it for management, internal net if the firewall is
mis-configured, use your imagination here). This is also a neat little
trick for relaying spam if the target has two SMTP servers.