P2P + SSL + IP spoofing = TriangleBoy

  • Gordon Mohr
    Message 1 of 5 , Apr 4, 2001
      From:
      https://fugu.safeweb.com/webpage/tboy1.php3

      # Corporations, governments, and other entities have begun to
      # block access to SafeWeb in an effort to thwart our mission
      # to promote the free flow of information and ideas on the
      # Internet and to protect the online privacy rights of all
      # Internet users.
      #
      # Triangle Boy is a free, open source, peer-to-peer application
      # that will bypass firewalls and other mechanisms that attempt
      # to block access to SafeWeb. Users who are currently blocked
      # from directly accessing SafeWeb (or any other site) will be
      # able to access it indirectly through any other computer
      # running Triangle Boy.

      This diagram is most instructive in understanding how it works:
      https://fugu.safeweb.com/webpage/w_tboy.pdf

      I think the approach is pretty clever, turning any TriangleBoy
      machine into a 1-way (outbound) proxy.

      It strikes me that if peers behind NATs/firewalls can send out
      spoofed packets, a "dual-faced" TriangleBoy could provide an
      efficient generalized NAT/firewall traversal capability for
      P2P applications.

      Specifically:

      (a) Peers behind NATs who want to communicate,
      A and B, each open outbound TCP sockets to
      facilitator machine C.
      (b) Machine C informs each of A and B of the
      parameters they require to spoof C's packets.
      (c) When A wants to push data to B, it sends
      it as packets spoofed to look like C-initiated
      traffic on the B->C connection. When B wants
      to push data to A, it spoofs packets to look
      like C-initiated traffic on the A->C
      connection.

      Unlike other strategies involving an intermediate relay,
      host C in this case only needs to be involved in the
      initial setup and (possibly) forwarding of certain control
      packets. The data itself goes direct between NAT-shielded
      peers. Thus an intermediary C using this approach could
      connect many more shielded peers than if it had to relay
      all traffic.

      So: do many (or any) common NATs/firewalls allow outbound
      spoofed packets?

      - Gojomo
    • coder
      Message 2 of 5 , Apr 4, 2001
        > So: do many (or any) common NATs/firewalls allow outbound
        > spoofed packets?
        >


        Nope.
      • Wesley Felter
        Message 3 of 5 , Apr 4, 2001
          On Wed, 4 Apr 2001, Gordon Mohr wrote:

          > It strikes me that if peers behind NATs/firewalls can send out
          > spoofed packets, a "dual-faced" TriangleBoy could provide an
          > efficient generalized NAT/firewall traversal capability for
          > P2P applications.

          Besides coder's objection, spoofed packets are just plain bad. Since so
          many attacks involve spoofed packets, most ISPs block them. I don't think
          NAT2NAT is compelling enough to change that.

          Wesley Felter - wesley@... - http://felter.org/wesley/
        • Gordon Mohr
          Message 4 of 5 , Apr 4, 2001
            Wesley Felter writes:
            > On Wed, 4 Apr 2001, Gordon Mohr wrote:
            > > It strikes me that if peers behind NATs/firewalls can send out
            > > spoofed packets, a "dual-faced" TriangleBoy could provide an
            > > efficient generalized NAT/firewall traversal capability for
            > > P2P applications.
            >
            > Besides coder's objection, spoofed packets are just plain bad. Since so
            > many attacks involve spoofed packets, most ISPs block them. I don't think
            > NAT2NAT is compelling enough to change that.

            Well shucks. Spoofed packets would also be a nice way to
            anonymously deliver content, without having to advertise
            its available locations in ways that enforcement-bots can
            find just as easily as average folks.

            - Gojomo
          • Eric M. Hopper
            Message 5 of 5 , Apr 4, 2001
              On Wed, Apr 04, 2001 at 06:17:09PM -0500, coder wrote:
              >
              >> So: do many (or any) common NATs/firewalls allow outbound spoofed
              >> packets?
              >
              > Nope.

              Ever since reading that one book by the guy everybody hated for
              being so arrogant, the SATAN author, the first thing I do when I set up
              firewall rules is blocking spoofed packets. Whole big classes of attack
              suddenly down the drain. :-) It also prevents my host from being used
              as a zombie in a DDoS attack without someone being able to track me down
              and tell me.

              Have fun (if at all possible),
              --
              The best we can hope for concerning the people at large is that they
              be properly armed. -- Alexander Hamilton
              -- Eric Hopper (hopper@... http://www.omnifarious.org/~hopper) --
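
The source-address check that the replies in this thread describe, applied to steps (a) and (c) of the proposal in message 1. This is an added example, not part of any poster's message: the addresses are constructed private and documentation-range values, and the hop model and function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

class Hop(NamedTuple):
    name: str
    inside_prefix: str          # sources that may legitimately arrive from inside
    rewrite_to: Optional[str]   # public address applied by source NAT, if any

class Packet(NamedTuple):
    src: str
    dst: str

# Constructed addresses (private and documentation ranges), not from the thread.
PEER_A = "192.168.1.10"         # peer A on its LAN
FACILITATOR_C = "203.0.113.5"   # host C
NAT_B_PUBLIC = "198.51.100.7"   # public side of peer B's NAT

FILTERING_GW = Hop("gateway", "192.168.1.0/24", "192.0.2.20")
PERMISSIVE_GW = Hop("gateway", "0.0.0.0/0", None)   # forwards any source unchanged
ISP_EDGE = Hop("isp-edge", "192.0.2.16/28", None)   # customer's assigned prefix

def first_drop(pkt: Packet, path: list) -> Optional[str]:
    """Return the name of the first hop that drops pkt, or None if it gets out.

    Each hop forwards a packet only when its source address lies inside the
    prefix assigned to the side it arrived from (source-address validation).
    """
    src = ipaddress.ip_address(pkt.src)
    for hop in path:
        if src not in ipaddress.ip_network(hop.inside_prefix):
            return hop.name
        if hop.rewrite_to is not None:
            src = ipaddress.ip_address(hop.rewrite_to)
    return None

def run_scenarios() -> dict:
    setup = Packet(PEER_A, FACILITATOR_C)          # step (a): A's real address
    spoofed = Packet(FACILITATOR_C, NAT_B_PUBLIC)  # step (c): claims to be C
    return {
        "step (a), filtering gateway": first_drop(setup, [FILTERING_GW, ISP_EDGE]),
        "step (c), filtering gateway": first_drop(spoofed, [FILTERING_GW, ISP_EDGE]),
        "step (c), permissive gateway": first_drop(spoofed, [PERMISSIVE_GW, ISP_EDGE]),
    }

if __name__ == "__main__":
    for scenario, hop in run_scenarios().items():
        print(f"{scenario}: {'forwarded' if hop is None else 'dropped at ' + hop}")
```

In this model the step (c) packet is stopped at whichever hop first validates the source, so the direct A-to-B data path never forms when either the gateway or the ISP edge filters.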