On Wed, 28 Mar 2012 13:36:49 -0700, Leo Bicknell said:
I think some engineers need to ask some interesting questions, like how, in a box doing NAT to an outside IP, does it ever emit a packet not from that outside IP? The fact that you can spoof packets through some of the NAT implementations out there is mind-blowing to me.
The mind-blowing part for me: Look at the MIT spoofing website, at what percent of the net's address space is spoofable. Then consider what percent of the net is behind a NAT (either consumer grade, or enterprise NAT). http://spoofer.csail.mit.edu/summary.php They're reporting that 20% or so (eyeballing) is unable to spoof due to a NAT. From that, and a guess of what % is *really* behind a NAT, we can make an estimate of how common this failure mode is.