Usually, direct tracing through the firewall is impossible, because no administrator likes to disclose the details of the internal structure of their network. Thus, the attacker has to resort to various cunning tricks.
For example, the firewalk utility is a classical tracer: it sends TCP or UDP packets whose TTL is chosen so that it expires on the host directly behind the firewall, which makes that host generate an ICMP_TIME_EXCEEDED message. Thanks to this technique, firewalk works reliably even where the standard built-in tools fail, although it cannot get through a strongly protected firewall. Thus, to bypass firewalls with strong protection, attackers must use more advanced algorithms.
Assume that the IP ID of each newly sent packet is one greater than that of the previous packet (which is the most common case). On the other hand, according to RFC 793, which describes TCP, a host that receives a foreign packet not belonging to any established TCP connection must answer it with RST. To implement the attack, the intruder needs a remote host that is not processing any unrelated traffic; such a host generates a predictable sequence of IDs and in hacker jargon is called a dumb host. Locating a dumb host is an easy task: it is enough to send it a sequence of IP packets and analyze the ID values returned in the headers. The attacker then memorizes (or records) the ID of the last received packet, chooses a suitable target, and sends the target a SYN packet with the dumb host's address in the source address field. The attacked host, believing that the dumb host is trying to establish a TCP connection with it, replies with SYN/ACK. The dumb host, having received an unsolicited SYN/ACK, returns RST and thereby increments its ID counter by one. By sending another packet to the dumb host and comparing the returned ID with the expected one, the hacker can find out whether or not the dumb host sent an RST packet to the target. If it did, the target host is up and accepts TCP connections on the chosen port. If desired, the hacker can scan all ports of interest without the risk of being noticed; it is practically impossible to discover the hacker's IP address because the scanning is carried out by the dumb host. From the standpoint of the host under attack, this scanning looks like ordinary SYN scanning.
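The side channel in the paragraph above rests on one property only: a single global IP ID counter on the dumb host. The following Python simulation, added here and not part of the original text, models that host in memory (nothing is sent on the wire), shows the one-step difference the observer sees, and shows why the usual mitigation, per-packet random IP IDs, removes the signal. It also includes the audit check a defender would run over a host's own reply IDs to see whether they are predictable. All class names, the starting counter value, and the flag strings are constructed for the example.

```python
"""Toy model of the IP ID side channel and of the mitigation that closes it.
Constructed example, not code from the original text; the hosts and the
traffic they exchange are simulated in memory and nothing is sent."""
import random

SYN_ACK, RST = "SYN/ACK", "RST"


class IncrementingIdHost:
    """A host with one global IP ID counter: the 'dumb' host of the text."""

    def __init__(self, start=1000):  # start value is arbitrary (constructed)
        self._next_id = start

    def _send(self):
        ip_id = self._next_id
        self._next_id += 1
        return ip_id

    def probe_id(self):
        """IP ID carried by the reply to one probe packet sent by the observer."""
        return self._send()

    def receive(self, segment):
        # RFC 793: an unsolicited SYN/ACK is answered with RST (a packet is sent,
        # so the counter moves); an unsolicited RST is dropped silently.
        if segment == SYN_ACK:
            self._send()


class RandomIdHost(IncrementingIdHost):
    """Same host with a random IP ID per packet: the mitigation."""

    def _send(self):
        return random.getrandbits(16)


def id_gap(host, target_port_open):
    """Observer's view: two probes with one indirect exchange between them.
    Returns the difference between the two observed IP IDs."""
    before = host.probe_id()
    # The target answers the spoofed SYN: SYN/ACK if the port is open, RST if closed.
    host.receive(SYN_ACK if target_port_open else RST)
    after = host.probe_id()
    return after - before


def counter_leaks(gap):
    """With a global counter: gap 1 means no extra packet, gap 2 means an RST went out.
    With random IDs the gap is noise and carries no information."""
    return gap == 2


def audit_ip_id(samples):
    """Defender-side check over a host's own reply IDs: True when every
    consecutive pair differs by exactly 1, i.e. the host is predictable."""
    return all(b - a == 1 for a, b in zip(samples, samples[1:]))
```

Running `audit_ip_id` over eight consecutive `probe_id()` values reports `True` for `IncrementingIdHost` and `False` for `RandomIdHost`; that audit, applied to the hosts in a DMZ, is the practical way to find out whether any of them could serve as the dumb host described above.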
Assume that the dumb host is located within the DMZ and the computer being attacked is located within the corporate network. Then, by sending the dumb host a SYN packet with the target computer's address as the source, the hacker can bypass the firewall; in this case, the firewall assumes that the internal host is trying to establish a connection to the DMZ host. Note that connections of this type are allowed in 99.9% of all cases (if such connections are not allowed, users of the corporate network cannot work with their own public servers). None of the routers along the path from the hacker to the dumb host must filter packets with a forged source address; otherwise, the packet will be discarded long before it reaches its destination.
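The last sentence names the two points at which this scenario is broken on the defending side: ingress filtering that drops packets arriving on the external interface with an internal or DMZ source address (RFC 2827 / BCP 38), and stateful inspection that drops a SYN/ACK from the DMZ towards the internal network when no matching SYN was ever seen. The Python example below is added here and is not code from the original text; the topology, the prefixes and the packet records are constructed for illustration.

```python
"""Two firewall-side checks that defeat the DMZ bounce described above:
source-address ingress filtering on the external interface and stateful
tracking of SYN before SYN/ACK.  Constructed example, not code from the
original text; all addresses, prefixes and packet records are made up."""
import ipaddress

# Assumed topology (constructed): internal LAN, DMZ, and an external interface.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
LOCAL_PREFIXES = (INTERNAL, DMZ)

# Constructed packet records: (ingress_interface, src, dst, tcp_flags)
PACKETS = [
    ("ext", "203.0.113.7", "192.0.2.10", "S"),   # ordinary inbound SYN to a DMZ server
    ("ext", "10.0.0.5", "192.0.2.10", "S"),      # SYN from outside claiming an internal source
    ("dmz", "192.0.2.10", "10.0.0.5", "SA"),     # SYN/ACK that no internal SYN explains
    ("int", "10.0.0.9", "192.0.2.10", "S"),      # legitimate internal client
    ("dmz", "192.0.2.10", "10.0.0.9", "SA"),     # its legitimate SYN/ACK
]


def spoofed_on_external(iface, src):
    """Ingress filter: a packet on the external interface must not carry a local source."""
    return iface == "ext" and any(ipaddress.ip_address(src) in p for p in LOCAL_PREFIXES)


def filter_packets(packets):
    """Apply both checks in order; return (accepted, dropped_with_reason)."""
    accepted, dropped = [], []
    pending_syn = set()  # (client, server) pairs for which a SYN was accepted
    for iface, src, dst, flags in packets:
        if spoofed_on_external(iface, src):
            dropped.append(((iface, src, dst, flags),
                            "spoofed local source on external interface"))
            continue
        if flags == "S":
            pending_syn.add((src, dst))
        elif flags == "SA" and (dst, src) not in pending_syn:
            # The SYN/ACK claims to answer a SYN the firewall never saw.
            dropped.append(((iface, src, dst, flags), "SYN/ACK without matching SYN"))
            continue
        accepted.append((iface, src, dst, flags))
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = filter_packets(PACKETS)
    for pkt, reason in bad:
        print("DROP", pkt, reason)
    print(len(ok), "accepted,", len(bad), "dropped")
```

Either check alone is enough to stop the bounce: the ingress filter removes the forged SYN before it reaches the DMZ, and the state check removes the resulting SYN/ACK even if the forged SYN slipped through an upstream router that does not filter source addresses.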
The hping utility implements this scanning scenario, which makes hping the intruder's main tool for penetrating networks protected by a firewall.
As a variant, the hacker can take control of one of the hosts located within the DMZ and use it as a bridgehead for further attacks.