Evading Firewalls

IP Address Spoofing

One effective way for an attacker to evade a firewall is to appear as something else, such as a trusted host. By spoofing the address information in packets, the attacker can make the traffic appear to originate from a source other than the attacker's own system.

Source Routing

With source routing, the sender of a packet designates the route it should take through the network, choosing a path that bypasses the firewall node and thereby evades the firewall's restrictions.

Through the use of source routing, it is entirely possible for the attacker or sender of a packet to specify the route they want it to take instead of leaving such choices up to the normal routing process. In this process the origin or source of a packet is assumed to have all the information it needs about the layout of a network and can therefore specify its own best path for getting to its destination.

By employing source routing, an attacker may be able to reach a system that would not normally be reachable. These systems could include those with private IP addresses or those that are protected under normal conditions from the Internet. The attacker may even be able to perform IP spoofing, further complicating detection and tracing of the attack by making the packet’s origin unknown or different from its actual origin.

Fortunately, the easiest way to prevent source routing is to configure routers to ignore any source routing attempts on the privately controlled network.

Fragmentation

The attacker uses IP fragmentation to create extremely small fragments so that the TCP header is split across fragments. The TCP flags field can thereby be forced into the second fragment, while filters check these flags only in the first fragment. Thus the IDS or firewall never sees the TCP flags.
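The three header-level indicators described so far (a spoofed internal source arriving on the outside interface, IPv4 source-routing options, and a first fragment too small to carry the TCP flags) can all be checked from the raw IPv4 header before any payload inspection. The following is an added defensive illustration, not code from the original text: the internal prefix, the sample addresses (documentation ranges) and the packets themselves are constructed for the example, and the source-route option decoding follows the RFC 791 option layout.

```python
"""Header-level checks for the evasion indicators discussed above: a spoofed
internal source arriving on the external interface, IPv4 source-routing options
(LSRR/SSRR), and TCP fragments too small to carry the flags the filter needs.
Added illustration with constructed packets; not code from the original text."""
import ipaddress
import struct

OPT_LSRR, OPT_SSRR = 0x83, 0x89   # RFC 791 Loose / Strict Source and Record Route
PROTO_TCP = 6
TCP_HEADER_MIN = 20               # bytes of a complete fixed-size TCP header
FLAG_MF = 0x1                     # "more fragments" bit of the IP flags field
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed inside prefix


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header and return the fields the checks need."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, _total, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "options": pkt[20:ihl],
        "mf": bool((flags_frag >> 13) & FLAG_MF),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "proto": proto,
        "src": ipaddress.IPv4Address(src),
        "payload": pkt[ihl:],
    }


def source_route_options(options: bytes) -> list:
    """Walk the options area (RFC 791 TLV layout) and name any source-routing options."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            found.append("malformed option")   # a filter should drop rather than guess
            break
        if kind in (OPT_LSRR, OPT_SSRR):
            found.append("LSRR" if kind == OPT_LSRR else "SSRR")
        i += options[i + 1]
    return found


def inspect(pkt: bytes, arrived_external: bool, internal_nets=INTERNAL_NETS) -> list:
    """Return the list of evasion indicators found; an empty list means pass."""
    hdr = parse_ipv4(pkt)
    findings = []
    if arrived_external and any(hdr["src"] in net for net in internal_nets):
        findings.append(f"spoofed internal source {hdr['src']} on external interface")
    findings += [f"source-routing option {o}" for o in source_route_options(hdr["options"])]
    if hdr["proto"] == PROTO_TCP:
        if hdr["frag_offset"] == 0 and hdr["mf"] and len(hdr["payload"]) < TCP_HEADER_MIN:
            findings.append("tiny first fragment: TCP flags are not in this fragment")
        elif 0 < hdr["frag_offset"] < TCP_HEADER_MIN:
            findings.append("later fragment overlaps the TCP header")   # RFC 1858 overlap case
    return findings


def build_ipv4(src, dst, payload, options=b"", mf=False, frag_offset=0) -> bytes:
    """Assemble a constructed test packet (checksum left zero on purpose)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    flags_frag = ((FLAG_MF if mf else 0) << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      0, flags_frag, 64, PROTO_TCP, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


# A plain SYN to port 80: ports, seq, ack, data offset 5, flags=SYN, window, csum, urg.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
LSRR_OPT = bytes([OPT_LSRR, 7, 4]) + ipaddress.IPv4Address("192.0.2.1").packed

SAMPLES = {   # constructed sample traffic, all documentation-range addresses
    "normal_syn":    build_ipv4("203.0.113.5", "10.1.2.3", TCP_SYN),
    "spoofed":       build_ipv4("10.9.9.9", "10.1.2.3", TCP_SYN),
    "source_routed": build_ipv4("203.0.113.5", "10.1.2.3", TCP_SYN, options=LSRR_OPT),
    "tiny_fragment": build_ipv4("203.0.113.5", "10.1.2.3", TCP_SYN[:8], mf=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} -> {inspect(pkt, arrived_external=True) or ['pass']}")
```

The spoofing check is the per-interface ingress rule (a packet claiming an inside source must not arrive from outside); the option walk has to honour the one-byte NOP and End-of-Option-List entries or it will miscount lengths; and the fragment rule drops any first fragment that cannot contain a whole TCP header, together with later fragments whose offset lands inside it, rather than trying to reassemble before deciding.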

IP Addresses to Access Websites

A mechanism that is effective in some cases at evading or bypassing a firewall is the use of an IP address in place of a hostname in the URL. Since some firewalls filter only on URLs or hostnames rather than on the actual IP address, accessing a website by its address can allow an attacker to bypass the device.
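The weakness is a filter that compares only the host string in the URL against its policy. The added example below (not code from the original text) puts that weak filter beside a hardened one that also decides on the address the request would actually reach, so a literal IP, including an IPv4-mapped IPv6 literal, gets the same verdict as the hostname it stands for. The resolver table is constructed so the example runs offline and stands in for a real DNS lookup.

```python
"""Compare a filter that matches only the host string in the URL with one that
also decides on the address the request would reach, so a literal IP (including
an IPv4-mapped IPv6 literal) gets the same verdict as the hostname it stands for.
Added example; the resolver table is constructed and stands in for DNS."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (documentation-range addresses).
DNS_TABLE = {
    "blocked.example": ["192.0.2.10"],
    "allowed.example": ["198.51.100.20"],
}
BLOCKED_HOSTS = {"blocked.example"}   # the policy as an administrator would write it


def canonical(addr):
    """Parse an address literal; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def resolve(host: str) -> list:
    """Addresses the host maps to; an address literal maps to itself."""
    try:
        return [canonical(host)]
    except ValueError:
        return [canonical(a) for a in DNS_TABLE.get(host, [])]


def url_host(url: str) -> str:
    """Host component of the URL, lower-cased; urlsplit removes IPv6 brackets."""
    return (urlsplit(url).hostname or "").lower()


def naive_filter(url: str) -> bool:
    """Allow unless the host string itself is on the blocklist (the weak setting)."""
    return url_host(url) not in BLOCKED_HOSTS


def blocked_addresses() -> set:
    """Addresses behind the blocked hostnames; recomputed so DNS changes are picked up."""
    return {a for h in BLOCKED_HOSTS for a in resolve(h)}


def hardened_filter(url: str) -> bool:
    """Block on hostname and on destination address; fail closed when nothing resolves."""
    host = url_host(url)
    if host in BLOCKED_HOSTS:
        return False
    targets = resolve(host)
    if not targets:
        return False
    return not any(a in blocked_addresses() for a in targets)


if __name__ == "__main__":
    for u in ("http://blocked.example/", "http://192.0.2.10/",
              "http://[::ffff:192.0.2.10]/", "http://allowed.example/"):
        print(f"{u:32} naive={naive_filter(u)!s:5} hardened={hardened_filter(u)}")
```

In a production filter the address set would come from the same resolver the clients use and would be refreshed as records change; the point of the comparison is that a decision taken on the destination address, not only on the name typed into the URL, closes the gap the section describes.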