Several techniques exist for an attacker attempting to evade a firewall.
IP Address Spoofing
One way an attacker can attempt to evade a firewall is to appear as something else, such as a trusted host. By forging the source address in the IP header, the attacker can make the traffic appear to come from a host the firewall trusts, which defeats rules that filter on source address alone. The trade-off is that the attacker is usually blind: replies go to the spoofed address, not to the attacker, so a spoofed TCP connection cannot complete its handshake unless the attacker can also observe the replies, for example by sniffing the reply path or by combining spoofing with source routing (below). Plain spoofing is therefore most practical for one-way traffic such as UDP and ICMP and for abusing address-based trust, not for interactive sessions.
Source Routing
With source routing, the sender rather than the routers along the way specifies the path a packet takes through the network, using the IPv4 Loose Source and Record Route (LSRR) or Strict Source and Record Route (SSRR) header options. An attacker can choose a path that avoids the firewall altogether, so none of its restrictions apply, instead of leaving the path to the routing the organization has in place. The technique can also reach hosts that are not normally reachable from the attacker's location, including hosts with private RFC 1918 addresses that should never be routed on the Internet. Combined with IP address spoofing it complicates detection further: because the receiving host reverses the recorded route for its replies, the attacker may use a spoofed source address and still receive the responses. Source routing, also known as path addressing, is rarely needed and should be disabled unless there is a specific requirement; on Linux the sysctl net.ipv4.conf.all.accept_source_route should be 0, and perimeter filters should drop any packet carrying the LSRR or SSRR option.
Fragmentation
With IP fragmentation, the attacker splits a packet into very small fragments so that part of the TCP header is pushed into the second fragment. If the first fragment carries only eight bytes of transport data, it contains the source and destination ports but not the TCP flags, which sit at byte 13 of the TCP header. A packet filter that inspects only the first fragment therefore sees a fragment without flags and may let it pass, and since the later fragments carry no port information they pass too; the target host reassembles the fragments into the complete SYN the policy was supposed to block. This is the tiny-fragment attack described in RFC 1858. The remedy is either to reassemble (fully or virtually) before filtering, or to drop any initial fragment too small to hold the entire transport header together with any fragment at offset 1, which would overwrite that header on reassembly.
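The following example is added here to illustrate both the Source Routing and the Fragmentation sections above; it is not code from the original page. It builds constructed IPv4 packets in pure Python from a hypothetical outside host 203.0.113.5 to an inside host 10.0.0.10: one carrying an LSRR option, and one SYN split so that its first fragment holds only eight bytes of TCP header. A naive filter that enforces "no inbound SYN" by reading whatever TCP flags it can see is compared with a hardened filter that rejects source-routed packets and applies the RFC 1858 / RFC 3128 tiny-fragment rules. All addresses, ports and helper names are assumptions made for the demonstration.

```python
import struct

IPPROTO_TCP = 6
IPOPT_LSRR, IPOPT_SSRR = 131, 137        # 0x83 loose / 0x89 strict source route options
IP_MF, IP_OFFMASK = 0x2000, 0x1FFF
TH_SYN, TH_ACK = 0x02, 0x10


def _addr(a):
    return bytes(int(x) for x in a.split("."))

def ipv4(src, dst, proto, payload, options=b"", ident=1, mf=False, offset=0):
    """Minimal IPv4 datagram builder (header checksum left zero; the filters ignore it)."""
    options += b"\x00" * (-len(options) % 4)             # options padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    frag = (IP_MF if mf else 0) | (offset & IP_OFFMASK)  # offset is counted in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      ident, frag, 64, proto, 0, _addr(src), _addr(dst))
    return hdr + options + payload

def tcp(sport, dport, flags):
    """20-byte TCP header without options; the flags byte is at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def lsrr(hops):
    """Loose Source and Record Route option: type, length, pointer (4), then hop addresses."""
    body = b"".join(_addr(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body

def fragments(src, dst, proto, payload, first_len, ident=7):
    """Split a transport payload into two IP fragments; first_len must be a multiple of 8."""
    assert first_len % 8 == 0
    return [ipv4(src, dst, proto, payload[:first_len], ident=ident, mf=True),
            ipv4(src, dst, proto, payload[first_len:], ident=ident, offset=first_len // 8)]

def parse(pkt):
    ver_ihl, _, _, _, frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return proto, pkt[20:ihl], frag & IP_OFFMASK, pkt[ihl:]

def has_source_route(options):
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                              # End of Option List
            return False
        if kind == 1:                              # No Operation, single byte
            i += 1
            continue
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            return True                            # malformed option list: treat as hostile
        i += options[i + 1]
    return False

def naive_filter(pkt):
    """Policy: drop new inbound TCP connections (SYN without ACK), checking only what is visible."""
    proto, _, offset, payload = parse(pkt)
    if proto == IPPROTO_TCP and offset == 0 and len(payload) >= 14:
        if payload[13] & TH_SYN and not payload[13] & TH_ACK:
            return "DROP"
    return "ACCEPT"          # tiny first fragment or later fragment: no flags to inspect, let it through

def hardened_filter(pkt):
    """Same policy plus: no source routing, and the RFC 1858 / RFC 3128 tiny-fragment rules."""
    proto, options, offset, payload = parse(pkt)
    if has_source_route(options):
        return "DROP"
    if proto == IPPROTO_TCP:
        if offset == 0 and len(payload) < 20:      # whole TCP header must fit in the first fragment
            return "DROP"
        if offset == 1:                            # would overwrite bytes 8..15 (incl. flags) on reassembly
            return "DROP"
        if offset == 0 and payload[13] & TH_SYN and not payload[13] & TH_ACK:
            return "DROP"
    return "ACCEPT"

def demo():
    """Constructed packets from the outside host 203.0.113.5 to the inside host 10.0.0.10."""
    syn = tcp(40000, 22, TH_SYN)
    whole = ipv4("203.0.113.5", "10.0.0.10", IPPROTO_TCP, syn)
    routed = ipv4("203.0.113.5", "10.0.0.10", IPPROTO_TCP, tcp(40000, 22, TH_ACK),
                  options=lsrr(["192.0.2.1"]))
    tiny = fragments("203.0.113.5", "10.0.0.10", IPPROTO_TCP, syn, first_len=8)
    return {
        "whole_syn": (naive_filter(whole), hardened_filter(whole)),
        "source_routed": (naive_filter(routed), hardened_filter(routed)),
        "tiny_fragments": ([naive_filter(f) for f in tiny], [hardened_filter(f) for f in tiny]),
    }

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:15} naive={verdicts[0]} hardened={verdicts[1]}")
```

Both fragments of the split SYN sail through the naive filter because neither fragment, on its own, shows it a SYN; the hardened filter drops the first for being too short to hold a TCP header and the second for starting at offset 1. The source-routed packet is an ACK, so the naive filter has no objection to it; only the option check in the hardened filter catches it.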
Use IP Addresses
In some cases a firewall or web filter can be bypassed by using the server's IP address instead of its domain name in the URL. Some security appliances match only hostnames when filtering web traffic, so a request addressed to the raw IP is not recognised as the blocked site; often this is a configuration choice rather than a limitation of the device itself. The technique is usually carried out from a browser. A related approach is to route the request through a website anonymizer or an open public proxy, so that the firewall sees only the proxy's address and not the restricted destination.
ICMP Tunneling
ICMP tunneling evades a firewall by abusing the message structure that RFC 792 defines for ICMP. The RFC specifies the header fields of each message type, for example the type, code, checksum, identifier and sequence number of an echo request, but it does not define the contents of the data field, which may be arbitrary. Any firewall that permits ping can therefore carry arbitrary data in echo request and echo reply payloads, and a disgruntled insider can use the same channel to sneak information out of the organization. Countermeasures are to block or rate-limit ICMP echo at the perimeter, or to inspect echo payloads for sizes and contents that stock ping clients do not produce.
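The following is an added example, not code from the original page, showing the two sides of an ICMP tunnel and a detection check against it in pure Python. The sender chunks a constructed secret into the data field of RFC 792 echo requests (type 8, with a correct RFC 1071 checksum), the receiver reassembles it by identifier and sequence number, and the detector flags echoes whose data does not look like what a stock Windows or Linux ping sends, plus the total bytes carried per identifier. The identifier 0x1234, the chunk size and the 64-byte threshold are assumptions for the demonstration.

```python
import struct

ICMP_ECHO_REQUEST = 8

# Data patterns sent by stock ping clients, used as an allowlist for "normal" echoes.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_TAIL = bytes(range(0x10, 0x38))      # ascending bytes that follow the timestamp in Linux ping


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 when run over a packet whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def echo_request(ident, seq, data):
    """Echo Request per RFC 792: type 8, code 0, checksum, identifier, sequence, then arbitrary data."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data

def tunnel_send(payload, ident=0x1234, chunk=32):
    """Tunnel sender: split the payload into chunks and carry each as the data of one echo request."""
    return [echo_request(ident, seq, payload[i:i + chunk])
            for seq, i in enumerate(range(0, len(payload), chunk))]

def tunnel_receive(packets, ident=0x1234):
    """Tunnel receiver: keep requests with our identifier, order by sequence, strip the 8-byte header."""
    ours = [p for p in packets
            if p[0] == ICMP_ECHO_REQUEST and struct.unpack("!H", p[4:6])[0] == ident]
    ours.sort(key=lambda p: struct.unpack("!H", p[6:8])[0])
    return b"".join(p[8:] for p in ours)

def classify_echo(pkt, max_data=64):
    """Detection: a well-formed echo whose data is a stock ping pattern is benign; anything else is suspect."""
    if len(pkt) < 8 or pkt[0] != ICMP_ECHO_REQUEST or icmp_checksum(pkt) != 0:
        return "malformed"
    data = pkt[8:]
    if data == WINDOWS_PING_DATA or (len(data) == 56 and data.endswith(LINUX_PING_TAIL)):
        return "benign"
    if len(data) > max_data:
        return "suspect: oversized data"
    return "suspect: non-standard data"

def bytes_per_ident(packets):
    """Volume per identifier: a 'ping' session that moves kilobytes of data is an exfiltration signal."""
    totals = {}
    for p in packets:
        ident = struct.unpack("!H", p[4:6])[0]
        totals[ident] = totals.get(ident, 0) + len(p) - 8
    return totals

def demo():
    secret = b"user=svc_backup;pass=hunter2;host=db01.internal;" * 4   # constructed exfiltration data
    tunnel = tunnel_send(secret)
    normal = echo_request(0x0001, 1, WINDOWS_PING_DATA)               # an ordinary Windows ping
    return {
        "roundtrip_ok": tunnel_receive(tunnel + [normal]) == secret,
        "checksums_ok": all(icmp_checksum(p) == 0 for p in tunnel),
        "normal": classify_echo(normal),
        "tunnel": classify_echo(tunnel[0]),
        "volume": bytes_per_ident(tunnel + [normal]),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The pattern allowlist is only a first filter: a tunnelling tool can pad its chunks to look like a stock ping, which is why the per-identifier byte count and the echo rate matter more than any single packet.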
ACK Tunneling
Stateless packet filters often do not verify TCP segments that have the ACK flag set. ACK packets acknowledge that previously sent data was received, so a rule such as "permit established" simply assumes that any inbound segment with ACK set belongs to a connection opened from the inside; only the SYN that opens a connection is checked. An attacker can exploit this by sending segments with the ACK flag set, carrying data, to an agent behind the firewall, tunneling traffic through a filter that never saw a handshake. A stateful firewall that tracks the handshake does not have this weakness, because it drops ACK segments that match no connection it knows about.
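The following added example (not from the original page) models the difference in Python. A stateless "permit established" rule is compared with a small state-tracking filter that follows the three-way handshake; a legitimate server reply and an attacker's ACK-flagged tunnel segment are then run through both. The addresses 10.0.0.0/24 as the inside network, 198.51.100.7 as a web server and 203.0.113.9 as the attacker, along with the ports, are constructed for the demonstration.

```python
from dataclasses import dataclass

TH_SYN, TH_ACK, TH_PSH = 0x02, 0x10, 0x08
INSIDE_PREFIX = "10.0.0."                        # the protected network in this constructed scenario


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    data: bytes = b""

def inbound(seg):
    return seg.dst.startswith(INSIDE_PREFIX) and not seg.src.startswith(INSIDE_PREFIX)

def stateless_filter(seg):
    """Classic 'established' ACL: outbound allowed; inbound allowed only when ACK is set.
    An ACK-only segment needs no prior state, so an attacker can send one at will."""
    if not inbound(seg) or seg.flags & TH_ACK:
        return "ACCEPT"
    return "DROP"

class StatefulFilter:
    """Tracks the three-way handshake; inbound ACKs are accepted only for connections it saw opened."""

    def __init__(self):
        self.conns = {}                # (inside ip, inside port, outside ip, outside port) -> state

    @staticmethod
    def key(seg):
        if inbound(seg):
            return (seg.dst, seg.dport, seg.src, seg.sport)
        return (seg.src, seg.sport, seg.dst, seg.dport)

    def filter(self, seg):
        k = self.key(seg)
        state = self.conns.get(k)
        if not inbound(seg):
            if seg.flags & TH_SYN and not seg.flags & TH_ACK:
                self.conns[k] = "SYN_SENT"      # inside host opens a connection
                return "ACCEPT"
            if state == "SYN_RECV" and seg.flags & TH_ACK:
                self.conns[k] = "ESTABLISHED"   # inside host completes the handshake
                return "ACCEPT"
            return "ACCEPT" if state == "ESTABLISHED" else "DROP"
        if state == "SYN_SENT" and seg.flags & TH_SYN and seg.flags & TH_ACK:
            self.conns[k] = "SYN_RECV"          # server answered with SYN/ACK
            return "ACCEPT"
        if state == "ESTABLISHED" and seg.flags & TH_ACK:
            return "ACCEPT"
        return "DROP"                           # ACK with no matching connection: tunnel traffic

def demo():
    inside, web, attacker = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    handshake = [
        Segment(inside, 50000, web, 443, TH_SYN),
        Segment(web, 443, inside, 50000, TH_SYN | TH_ACK),
        Segment(inside, 50000, web, 443, TH_ACK),
    ]
    reply = Segment(web, 443, inside, 50000, TH_ACK | TH_PSH, b"HTTP/1.1 200 OK")
    tunnel = Segment(attacker, 4444, inside, 1337, TH_ACK | TH_PSH, b"whoami")   # ACK-tunnel segment
    sf = StatefulFilter()
    for seg in handshake:
        sf.filter(seg)
    return {
        "legit_reply": (stateless_filter(reply), sf.filter(reply)),
        "ack_tunnel": (stateless_filter(tunnel), sf.filter(tunnel)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} stateless={v[0]} stateful={v[1]}")
```

The stateless rule accepts the attacker's segment because the only thing it looks at is the ACK bit; the stateful filter drops it because the tuple (10.0.0.5:1337, 203.0.113.9:4444) never appeared in a handshake. Real firewalls also check sequence and acknowledgement numbers against the tracked window, which this model omits.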
HTTP Tunneling
HTTP can likewise tunnel data through a firewall, and it works well because HTTP traffic is almost universally allowed: it is part of day-to-day work and nearly every organization has Internet access today. The attacker wraps the tunneled protocol in ordinary HTTP requests and responses (for example in POST bodies, or by abusing the CONNECT method of a proxy) exchanged with a server under their control, so to the firewall it looks like web browsing. Catching it requires a proxy that inspects content and restricts CONNECT to the ports it expects, rather than a filter that permits ports 80 and 443 outright.
Most of these techniques also help evade other kinds of security appliances and are not limited to firewalls.