P2P + SSL + IP spoofing = TriangleBoy
# Corporations, governments, and other entities have begun to
# block access to SafeWeb in an effort to thwart our mission
# to promote the free flow of information and ideas on the
# Internet and to protect the online privacy rights of all
# Internet users.
# Triangle Boy is a free, open source, peer-to-peer application
# that will bypass firewalls and other mechanisms that attempt
# to block access to SafeWeb. Users who are currently blocked
# from directly accessing SafeWeb (or any other site) will be
# able to access it indirectly through any other computer
# running Triangle Boy.
This diagram is most instructive in understanding how it works:
I think the approach is pretty clever, turning any TriangleBoy
machine into a 1-way (outbound) proxy.
It strikes me that if peers behind NATs/firewalls can send out
spoofed packets, a "dual-faced" TriangleBoy could provide an
efficient generalized NAT/firewall traversal capability for
(a) Peers behind NATs who want to communicate,
A and B, each open outbound TCP sockets to
facilitator machine C.
(b) Machine C informs each of A and B of the
parameters they require to spoof C's packets.
(c) When A wants to push data to B, it sends
it as packets spoofed to look like C-initiated
traffic on the B->C connection. When B wants
to push data to A, it spoofs packets to look
like C-initiated traffic on the A->C
Unlike other strategies involving an intermediate relay,
host C in this case only needs to be involved in the
initial setup and (possibly) forwarding of certain control
packets. The data itself goes direct between NAT-shielded
peers. Thus an intermediary C using this approach could
connect many more shielded peers than if it had to relay
So: do many (or any) common NATs/firewalls allow outbound
- On Wed, 4 Apr 2001, Gordon Mohr wrote:
> It strikes me that if peers behind NATs/firewalls can send outBesides coder's objection, spoofed packets are just plain bad. Since so
> spoofed packets, a "dual-faced" TriangleBoy could provide an
> efficient generalized NAT/firewall traversal capability for
> P2P applications.
many attacks involve spoofed packets, most ISPs block them. I don't think
NAT2NAT is compelling enough to change that.
Wesley Felter - wesley@... - http://felter.org/wesley/
- Wesley Felter writes:
> On Wed, 4 Apr 2001, Gordon Mohr wrote:Well shucks. Spoofed packets would also be a nice way to
> > It strikes me that if peers behind NATs/firewalls can send out
> > spoofed packets, a "dual-faced" TriangleBoy could provide an
> > efficient generalized NAT/firewall traversal capability for
> > P2P applications.
> Besides coder's objection, spoofed packets are just plain bad. Since so
> many attacks involve spoofed packets, most ISPs block them. I don't think
> NAT2NAT is compelling enough to change that.
anonymously deliver content, without having to advertise
its available locations in ways that enforcement-bots can
find just as easily as average folks.
- On Wed, Apr 04, 2001 at 06:17:09PM -0500, coder wrote:
>Ever since readon that one book by the guy everybody hated for
>> So: do many (or any) common NATs/firewalls allow outbound spoofed
being so arrogant, the SATAN author, the first thing I do when I set up
firewall rules is blocking spoofed packets. Whole big classes of attack
suddenly down the drain. :-) It also prevents my host from being used
as a zombie in a DDoS attack without someone being able to track me down
and tell me.
Have fun (if at all possible),
The best we can hope for concerning the people at large is that they
be properly armed. -- Alexander Hamilton
-- Eric Hopper (hopper@... http://www.omnifarious.org/~hopper) --