Re: Hiding NATs with PF

From: Max Bolingbroke (batterseapower_at_hotmail.com)
Date: 09/28/05 

Date: 28 Sep 2005 07:47:05 -0700

jpd wrote:
> Begin <Npednaa2cOAFZKTeRVnytQ@pipex.net>
> On 2005-09-28, Max Bolingbroke <batterseapower{no@spam}hotmail.com> wrote:
> > This has covered the two main bases: TTL monitoring and statistical
> > analysis of IP IDs. However, I'm still going to be vunerable to passive
> > OS fingerprinting.
>
> Vulnerable in what way? If the boxen behind it aren't reachable there
> isn't much to attack on that level, now is there?

I'm not concerned about attacks here, I was talking about the scenario
whereby my outgoing requests could be captured and analysed to
determine I had more than 1 OS accessing the internet simultaneously.
This would make the NAT "visible".

> > Are there any further ways I can have PF munge my
> > outgoing packets so look like they all come from the same flavour of TCP
> > stack?
>
> Thought of upper-level leakage, like received: headers in outgoing email?

Sure have. Since my original post I've implemented a transparent Squid
proxy which scrubs my outgoing HTTP requests of identifying
information. I'm less worried about infrequently used protocols like
SMTP/POP since they are quite unusual ways to detect, which would most
likely require manual monitoring. I just want to be able to beat
automatic tools here: it's simply to hard to win against a human to be
worth it.

Thanks for your reply,

Max