1 Feb
2016
1 Feb
'16
10:11 p.m.
All,
I've noticed that if someone performs a traceroute to a 44net address
routed via an IPIP tunnel on OpenWRT versions 14 or 15 (tested) results
in the router giving the Public, Commercial IP address of the device
instead of a 44net IP on tunl0, or any assigned forwarded interface.
Without intricate detail, this is by design of the Operating System, as
the kernel re-packets an ICMP TTL Exceeded, and seems not to connect
that new pack as RELATED to the Received Packet in which the TTL had
Exceeded. This is fine when all local IPs are Private IPs, or should be
forwarded via the Kernel's Gateway; but as they are not, and the only
gateway the kernel knows is the physical WAN. The ICMP TTL Exceeded
Packet is given the Kernel's source address (with Gateway), and sent
hence - a leaked TTL Exceeded packet.
Reason: the least computationally difficult method to protect our
gateways from rogue packets is to not publicize/announce our Public
WAN-facing IP address.
In order to prevent this, a RAW Packet Filter rule for all packets
received via tunl0 < 2 can be created, preventing processing of TTL
exceeded packets for non-44net IPs:
iptables -t raw -I PREROUTING -i tunl0 -m ttl --ttl-lt 2 -j DROP
iptables -t raw -I PREROUTING -s 44.0.0.0/8 -d 44.xxx.xxx.xxx/xx -i
tunl0 -m ttl --ttl-lt 2 -j ACCEPT
Those using OpenWRT, please test and confirm issue and its fix.
73,
-Lynwood
KB3VWG
2 Feb
2 Feb
7:22 p.m.
Rob and Marius,
When considering:
- I did realize other spoofed packets may enter and route. I've been
researching that as well, and have thus far only filtered against
someone spoofing an IP in my subnet ONLY
- I considered that other 44 operators know our Public IP (Rob noted
this), I did not consider them as a part of the assessment, as we MUST
know one another's Public IPs to properly route traffic
- We do not publicize our IPs; but considering it's possible, Marius'
solution is the only reasonable answer for all cases (i.e. to only
accept IPENCAP on the real WAN). Although, afterwhich an operator can
only use 44 addresses routed to the PHY with that Public IP address
- While only accepting 44net traffic on the tunnel could prevent
spoofing to Public addresses, it only prevents spoofing to one another
by trust, and others through the same Security by Obscurity of not
publicizing the Public IP addresses
- Lynwood
KB3VWG
3 Feb
3 Feb
12:41 a.m.
I spent some time with this 44 spoofing issues and reached some
conclusions...
First of all, spoofing a 44 address while being outside the 44 tunnel
system and using one of its addresses is actually not possible. Beacuse
even if the 44 destination in a subnet can be reached via whatever means,
the replies will either go directly to the proper tunnel, which hosts will
ignore them since it did not originate that traffic, or will go through
the local gateway and through amprgw, which drops 44 to 44 traffic (which
is good). So a no go here.
Second, let's say the attacker implements a direct IPIP tunnel spoofing.
Since its routes are not in encap/rip, there will be no return route other
than the default route or the original proper tunnel. While the default
route will usually NAT to the public IP, the original src address is lost
and the communication will be probably compromised and the now orphan
replies sent to the non-spoofed originator by amprgw. Again no go here.
Going up one level, let't assume that the attacker could hijack a 44
subnet by injecting some fake BGP route into the global table. In this
case, it will affect only the bgp-announce subnets or undefined network
ranges, since the others are protected by the internal routings of the
full mesh.
So I don't think that spoofing is an efficient attack path in our case,
allthough, by tracking the gateway traffic, it seems that there are either
a lot of tentatives outside, or that some persons use our 44 address space
as private space, and there is some traffic leak in their configuration.
Marius, YO2LOJ
9:28 a.m.
Rob,
This worked, I will add it to the Wiki.
You can change the behavior in this case:
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr
- Lynwood
KB3VWG
3:01 a.m.
On 02.02.2016 04:11, lleachii--- via 44Net wrote:
I've noticed that if someone performs a traceroute
to a 44net address
routed via an IPIP tunnel on OpenWRT versions 14 or 15 (tested) results
in the router giving the Public, Commercial IP address of the device
instead of a 44net IP on tunl0, or any assigned forwarded interface.
You can change the behavior in this case:
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr
73,
Jann
DG8NGN
--
Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany
Tel.: +49-911-99946898, Mobile: +49-170-1045937, E-Mail: jann(a)gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
3023
days inactive
3024
days old
4 comments
3 participants
participants (3)
-
Jann Traschewski -
lleachii@aol.com -
marius@yo2loj.ro