A few days ago, I wanted to test whether my ISP filters spoofed packets. So I set up a small lab to test it.
My steps were......
1. Bought two different public IPs from my ISP
2. Attacker IP 1.1.1.1 (assumed) ran behind a TOTOLINK router with NAT enabled
3. Target IP 2.2.2.2 (assumed) ran behind a D-Link router with NAT enabled and full firewall logging
4. Ran "nmap -D ip1,ip2,ip3 2.2.2.2" on the 1.1.1.1 machine
If things went properly, I would see different IPs in 2.2.2.2's firewall log.
However, the log only showed 1.1.1.1.
So I came up with some reasons, and I will show them in a Q&A form for you guys.
Q1: My ISP detected the nmap usage
A1: It is impossible (I am confident). Because I have done some research on the nmap source code and open source IDS rules, my custom nmap should pass the IPs. The test against well-known IDS + firewall had been done in my LAN. (Also, my country lacks security awareness, so the ISP......)
Q2: 2.2.2.2 (D-Link) drops the spoofed packets
A2: Maybe. But I had disabled all security options (including IP spoofing protection) before testing.
Q3: 1.1.1.1's (TOTOLINK) NAT firewall disrupted it. The process may be like.....
#######################
part of normal raw ip packet
Destination:192.168.1.1
Source:192.168.1.15
while went through NAT
Destination:2.2.2.2
Source:1.1.1.1
#######################
#######################
part of spoofing raw ip packet
Destination:192.168.1.1
Source:203.51.21.78(decoy ip)
while went through NAT
Destination:2.2.2.2
Source:1.1.1.1(Thus 2.2.2.2 only showed 1.1.1.1 in log)
#######################
A3: I am not sure......
/* Will NAT change all kinds of source IP (from 0.0.0.0 to 255.255.255.255) to the public IP? Or does it just change the internal IPs (like 192.168.1.10, 192.168.1.15, .......) to the public IP!!! It is hard for me to launch a shell on the router to see the NAT rules. I am considering using command injection to get into my router. However, I am afraid of breaking it. So I prefer listening to you guys' answers */
So, what do you guys think is the most likely problem?
Note: Sorry for my ugly expression, this is my first question :D
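To make Q3 concrete, here is an added Python model (not the poster's code, and not any router's actual firmware) of three common ways a Linux-style consumer router can treat a packet whose source is not a LAN address: an unrestricted MASQUERADE rule, an SNAT rule restricted to the LAN subnet, and strict reverse-path filtering (rp_filter) that drops the packet before NAT. The addresses are the ones assumed in the question plus one constructed decoy; which model a given router uses is an assumption the reader must verify against the router's own rules.

```python
from ipaddress import ip_address, ip_network

# Addresses assumed in the question (constructed for this example).
LAN_NET = ip_network("192.168.1.0/24")
WAN_IP = ip_address("1.1.1.1")

def masquerade(src, dst):
    """Model of: POSTROUTING -o wan -j MASQUERADE (no -s restriction).
    Every packet leaving the WAN interface gets the WAN address as its
    source, regardless of what the original source was."""
    return WAN_IP, dst

def snat_lan_only(src, dst):
    """Model of: POSTROUTING -s 192.168.1.0/24 -o wan -j SNAT --to 1.1.1.1.
    Only sources inside the LAN subnet are rewritten; anything else leaves
    untouched (where an upstream BCP38 filter may then drop it)."""
    if src in LAN_NET:
        return WAN_IP, dst
    return src, dst

def rp_filter_strict(src, dst):
    """Model of strict net.ipv4.conf.<lan>.rp_filter=1 on the LAN side:
    a packet whose source would not be routed back via the LAN interface
    is dropped before NAT ever sees it (returned as None)."""
    if src in LAN_NET:
        return WAN_IP, dst
    return None

def seen_by_target(packets, policy):
    """Source addresses the target's firewall log would record after the
    given policy is applied to each (src, dst) pair; dropped packets are
    never logged."""
    seen = set()
    for s, d in packets:
        result = policy(ip_address(s), ip_address(d))
        if result is not None:
            seen.add(str(result[0]))
    return seen

# Constructed packets: the real LAN host, the decoy from the question,
# and one more constructed decoy, all destined for the target.
PACKETS = [("192.168.1.15", "2.2.2.2"),
           ("203.51.21.78", "2.2.2.2"),
           ("198.51.100.9", "2.2.2.2")]

if __name__ == "__main__":
    for name, policy in [("MASQUERADE", masquerade),
                         ("SNAT LAN only", snat_lan_only),
                         ("rp_filter strict", rp_filter_strict)]:
        print(f"{name:17}: {sorted(seen_by_target(PACKETS, policy))}")
```

On a Linux-based router, the actual policy can be read with `iptables -t nat -S POSTROUTING` and `sysctl net.ipv4.conf.all.rp_filter` rather than guessed; the first and third models both produce a log containing only 1.1.1.1, which is the symptom described above.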