I was talking to a network scanner (think: nmap, but commercial) vendor recently. They said something like:
We keep track of multi-homed systems by encoding a unique payload in packets we send. If we send to one IP, and get that payload back in a reply from a different IP, then we know it's the same system.
The specific examples of payload they gave were:
- ICMP echo-reply payload
- TCP SYN probe initial sequence value
So, okay... I think I understand the technique. But I don't understand how it helps. Like, ever.
Under what circumstances might I send a ping (or TCP SYN) to address "A", and get a reply stamped with "B" in the source IP field?
The only examples I can think of are:
- a contrived situation with asymmetric paths and NAT (not actually an example of multi-homing, but half-broken inline address swapping)
- some terrible microcontroller IP stacks that don't validate fields in the IP header and will respond no matter what you call them (also not an example of multi-homing: you have to go out of your way to make this happen)
Anybody have an example that I might be able to reproduce?
Thanks!
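For readers who want to try the vendor's correlation trick themselves, here is an added example of it in pure Python (stdlib only); it is not code from the post, the vendor, or any scanner. It builds ICMP echo requests whose payload is an HMAC-derived per-probe token, issues SYN initial sequence numbers the same way, and then checks "replies" against the table of what was sent: a reply whose source address differs from the address probed links the two addresses into one host. The replies, the secret, and every IP address below are constructed test input, so the whole thing runs offline without raw sockets.

```python
"""Added example: correlating probe replies to probed addresses by embedded tokens."""
import hashlib
import hmac
import struct
from collections import defaultdict


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a valid packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class ProbeTracker:
    """Issues per-probe tokens and remembers which address each probe went to."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0
        self.sent = {}    # token (bytes or ("isn", int)) -> destination IP probed
        self.links = []   # (probed_ip, replying_ip) pairs where the two differ

    def _token(self, nbytes: int) -> bytes:
        # HMAC over a counter: unguessable to the target, reproducible for us.
        self.counter += 1
        msg = str(self.counter).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:nbytes]

    def icmp_echo_request(self, dst_ip: str, ident: int, seq: int) -> bytes:
        """Echo request (type 8) whose 8-byte payload is the probe token."""
        token = self._token(8)
        self.sent[token] = dst_ip
        hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
        csum = inet_checksum(hdr + token)
        return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + token

    def tcp_syn_isn(self, dst_ip: str) -> int:
        """32-bit ISN for a SYN probe; a genuine SYN-ACK must acknowledge ISN+1."""
        isn = struct.unpack("!I", self._token(4))[0]
        self.sent[("isn", isn)] = dst_ip
        return isn

    def observe_icmp_reply(self, src_ip: str, pkt: bytes):
        """Match an echo reply (type 0) by its payload; returns the probed IP or None."""
        typ, code, _csum, _ident, _seq = struct.unpack("!BBHHH", pkt[:8])
        if typ != 0 or code != 0 or inet_checksum(pkt) != 0:
            return None
        return self._match(src_ip, pkt[8:16])

    def observe_syn_ack(self, src_ip: str, tcp_hdr: bytes):
        """Match a SYN-ACK by ack-1 == our ISN; returns the probed IP or None."""
        _sport, _dport, _seq, ack, offs_flags = struct.unpack("!HHIIH", tcp_hdr[:14])
        if (offs_flags & 0x12) != 0x12:          # both SYN and ACK must be set
            return None
        return self._match(src_ip, ("isn", (ack - 1) & 0xFFFFFFFF))

    def _match(self, src_ip: str, key):
        dst = self.sent.get(key)
        if dst is None:
            return None                           # not our token: unsolicited or forged
        if dst != src_ip:
            self.links.append((dst, src_ip))      # reply came back from another address
        return dst

    def hosts(self):
        """Union-find over probed addresses and observed cross-address replies."""
        parent = {}

        def find(x):
            parent.setdefault(x, x)
            while parent[x] != x:
                parent[x] = parent[parent[x]]
                x = parent[x]
            return x

        for ip in self.sent.values():
            find(ip)
        for a, b in self.links:
            parent[find(a)] = find(b)
        groups = defaultdict(set)
        for ip in list(parent):
            groups[find(ip)].add(ip)
        return sorted(sorted(g) for g in groups.values())


def constructed_echo_reply(request: bytes) -> bytes:
    """Constructed input: the echo reply a target would send for this request."""
    body = b"\x00\x00\x00\x00" + request[4:]
    return struct.pack("!BBH", 0, 0, inet_checksum(body)) + request[4:]


def constructed_syn_ack(isn: int) -> bytes:
    """Constructed input: a 20-byte SYN-ACK header acknowledging isn+1."""
    flags = (5 << 12) | 0x12
    return struct.pack("!HHIIHHHH", 80, 40000, 0x11223344, (isn + 1) & 0xFFFFFFFF, flags, 65535, 0, 0)


def demo():
    t = ProbeTracker(b"constructed-secret")
    req = t.icmp_echo_request("10.0.0.1", ident=0x1234, seq=1)
    isn = t.tcp_syn_isn("10.0.0.3")
    # Constructed replies: the echo comes back from 10.0.0.2, the SYN-ACK from 10.0.0.4,
    # and a third target answers from the address it was probed on.
    t.observe_icmp_reply("10.0.0.2", constructed_echo_reply(req))
    t.observe_syn_ack("10.0.0.4", constructed_syn_ack(isn))
    t.observe_icmp_reply("192.0.2.9", constructed_echo_reply(t.icmp_echo_request("192.0.2.9", 1, 1)))
    return t.hosts()


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: a reply whose token is not in the table is dropped rather than trusted, which is what keeps a spoofed reply from a third party from linking two unrelated addresses; and the correlation only ever says that some device answered for both addresses, which (as the post's NAT example shows) is not the same statement as "this is one multi-homed host".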