how to hide your network ...

Jerome Petazzoni skaya@enix.org
Fri, 21 Dec 2001 23:37:51 +0100 (CET)


[to avoid mapping of the network...]
>> |> You can drop incoming echo-requests to stop ping to your interface,
>> |> and drop outgoing time-exceeded to drop reply to traceroute.

IMHO, a more elegant (and funnier!) way to "protect" yourself is,
instead of DROPping packet, REJECT them with the appropriate behaviour.
someone trying to map your network will be:
- fooled about the actual size of it. suppose you have a /24 subnet;
  if every address answers to ICMP echo requests, even when there's no
  machine behind it, "they" won't be able to know how many hosts you
  have.
- fooled about the presence of a firewall. traditional behaviour is
  to DROP suspicious things. if you send "icmp port unreachable" for UDP,
  and "rst" for TCP, they won't know that the thing is firewalled, they
  will just think (wrongly!) that the port is not filtered at the firewall.
- unable to differentiate between your hosts, and thus can't guess which
  are "important".
- logged very easily, with few "false probes". i.e., if you have 3 IP
  addresses not attributed to any machine, any traffic sent to all 3
  is surely suspect.

if you're really wicked & vicious, you can play with the "random" match,
and do random things to "unauthorized" packets, including:
- dropping them
- sending a "port unreachable" or any other ICMP code
- MIRROR'ring them
- DNAT the TCP connections to a few chosen targets (your ident daemon,
  a "date" server, whatever...)

and last tip: if you want your firewall to be really invisible, you
can play with the TTL target to increase the TTL of packets going thru
it, so it won't even show up on traceroute.

if you have other ideas of similar things, I'd be rather interested,
as IMHO, the perfect firewall is not a wall of impassable bricks, but
a wall apparently made of glass, but in fact it's just a very good painting
on the bricks ;-)

regards,
Jerome Petazzoni <skaya at enix dot org>
--
'There's stranger people in this world than Corporal Nobbs, my lad.'
Carrot's expression slid into a rictus of intrigued horror.
'Gosh.'
(Men at Arms)
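The REJECT-instead-of-DROP rules, the logging of probes to vacant addresses and the TTL trick described in the post, as an added example (not code from the original message or from the netfilter project). It is a dry-run generator: it prints the iptables commands for review and only applies them when FW_APPLY=1 is set. The subnet, the list of unused addresses and the log prefix are constructed placeholders; the `statistic` match is used as the current name of the `random` match mentioned above.

```shell
#!/bin/sh
# Added example, not from the original post: generate (and optionally apply)
# netfilter rules that make vacant addresses answer like live hosts with
# closed ports, log every probe aimed at them, and keep the firewall out of
# traceroute output. Addresses below are constructed RFC 5737 placeholders.
FW_SUBNET="${FW_SUBNET:-192.0.2.0/24}"
UNUSED_HOSTS="${UNUSED_HOSTS:-192.0.2.10 192.0.2.11 192.0.2.12}"
LOG_PREFIX="${LOG_PREFIX:-probe-unused: }"

# Rules for one address that has no machine behind it. The subnet is assumed
# to be routed through this firewall, so such traffic traverses FORWARD.
# Order matters: LOG is non-terminating and must precede REJECT/DROP.
rules_for_unused() {
  addr="$1"
  # 1. Log (rate-limited) everything sent to a vacant address: nothing
  #    legitimate goes there, so these are high-signal events.
  echo "iptables -A FORWARD -d $addr -m limit --limit 10/min -j LOG --log-prefix \"$LOG_PREFIX\""
  # 2. TCP: answer with RST, exactly as a live host with a closed port would.
  echo "iptables -A FORWARD -d $addr -p tcp -j REJECT --reject-with tcp-reset"
  # 3. UDP: answer with ICMP port unreachable, again like a live host.
  echo "iptables -A FORWARD -d $addr -p udp -j REJECT --reject-with icmp-port-unreachable"
  # 4. Everything else (including ICMP echo, which REJECT cannot answer)
  #    is silently discarded.
  echo "iptables -A FORWARD -d $addr -j DROP"
}

# Optional "random" behaviour: insert a rule that silently drops half of the
# TCP probes to a vacant address, so the other half get the RST from the
# rules above and the scanner sees inconsistent results.
random_rule() {
  addr="$1"
  echo "iptables -I FORWARD -d $addr -p tcp -m statistic --mode random --probability 0.5 -j DROP"
}

# The TTL target compensates for the decrement applied when forwarding, so
# the firewall never emits time-exceeded itself and does not appear as a hop.
ttl_rule() {
  echo "iptables -t mangle -A PREROUTING -j TTL --ttl-inc 1"
}

# Full rule set for all configured vacant addresses plus the TTL rule.
all_rules() {
  for h in $UNUSED_HOSTS; do
    rules_for_unused "$h"
  done
  ttl_rule
}

# Apply by piping the generated commands to a shell; requires root.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
  all_rules | sh -e
}

if [ "${FW_APPLY:-0}" = "1" ]; then apply_rules; else all_rules; fi
```

Run it without arguments to review the rules, then with `FW_APPLY=1` as root to load them. Two caveats a practitioner will want: REJECT cannot forge an ICMP echo reply, so making vacant addresses answer ping needs a different mechanism and is deliberately left out here; and the TTL increment removes the loop protection that TTL exists to provide, so it must only be used on a path where a routing loop is impossible.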