Firewalking: a new method to gather information about a remote host.
29 Oct. 1998
Summary
Firewalking is a technique devised by David Goldsmith and Michael Schiffman: by sending specially crafted packets, a person can determine whether a port/service can 'pass through' a firewall/router or not, without any of the hosts being examined needing to provide that port/service.
Firewalking uses a feature of the IP stack that lets a packet "live" for only a limited number of hops before it is discarded (the TTL, Time To Live, field). The program's user sets the TTL so that once the packet has passed the firewall/router and reached the next device (another firewall/router or a remote host), it "dies" there and a packet is sent back reporting the discard. This happens before the packet is handed to that device's stack, which is the point at which it would otherwise be decided whether the packet is serviced.
Using this method, a malicious user can determine whether a port is allowed to pass through the router/firewall or is being "dropped" by it. With this knowledge, a malicious person could make their port scans "hidden" by limiting the scans to only those ports that are allowed to pass through the router/firewall (and which, in theory, are therefore not logged).
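Because every firewalk probe is built so that it expires exactly one hop past the filter, the device just inside the firewall sees the probes arrive with TTL 1, fanned out over many destination ports, and has to answer each with an ICMP Time Exceeded. The following detection heuristic, an added example rather than code from the original article or its authors, runs over constructed packet-log lines in an assumed `ts src dst dport ttl` format and flags sources that show that pattern.

```python
"""Flag possible firewalking in packet logs from the first hop behind a filter.

Firewalk probes expire one hop past the filtering device, so on the device
immediately inside the firewall they arrive with TTL == 1 and spread over many
destination ports. The log format and sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> src=<ip> dst=<ip> dport=<n> ttl=<n>"
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) ttl=(?P<ttl>\d+)$")

def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "src": m["src"], "dport": int(m["dport"]), "ttl": int(m["ttl"])}

def find_firewalk_sources(lines, window=timedelta(seconds=60), min_ports=5):
    """Return {src: sorted ports} for sources whose TTL==1 packets reached at
    least min_ports distinct destination ports within any window-long span.
    Caveat: a plain traceroute also expires TTL here, but to a narrow set of
    ports; the port fan-out is what separates a firewalk from it."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["ttl"] == 1:           # expired on this hop
            probes[rec["src"]].append((rec["ts"], rec["dport"]))
    hits = {}
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window per source
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

# Constructed sample: one firewalking source, one normal client, one single probe.
SAMPLE_LOG = [
    "2023-05-01T10:00:00Z src=203.0.113.5 dst=10.0.0.20 dport=21 ttl=1",
    "2023-05-01T10:00:01Z src=203.0.113.5 dst=10.0.0.20 dport=22 ttl=1",
    "2023-05-01T10:00:01Z src=198.51.100.7 dst=10.0.0.20 dport=443 ttl=57",
    "2023-05-01T10:00:02Z src=203.0.113.5 dst=10.0.0.20 dport=23 ttl=1",
    "2023-05-01T10:00:02Z src=203.0.113.5 dst=10.0.0.20 dport=25 ttl=1",
    "2023-05-01T10:00:03Z src=192.0.2.9 dst=10.0.0.20 dport=33434 ttl=1",
    "2023-05-01T10:00:03Z src=203.0.113.5 dst=10.0.0.20 dport=80 ttl=1",
    "2023-05-01T10:00:04Z src=203.0.113.5 dst=10.0.0.20 dport=443 ttl=1",
    "2023-05-01T10:00:05Z src=203.0.113.5 dst=10.0.0.20 dport=3389 ttl=1",
]
```

Running `find_firewalk_sources(SAMPLE_LOG)` reports only 203.0.113.5, with the seven ports it probed; the normal client (TTL 57) and the lone TTL-1 packet from 192.0.2.9 are not flagged.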