Is it common for routers to create a new mapping for TCP packets that is NOT SYN (in figure 3 in this article)? Is there a legit use case for this behavior? Wouldn't it be simpler and more secure not to do that?
B̶o̶t̶h̶ (update: Only Libp2p works with TCP) use similar method for hold-punching. Libp2p can use such method for establishing direct connection between hosts behind different NAT networks.
Maybe i am missing something but while it is interesting, I dont think it has any real security impact.
Since the threat model is that the attacker and the victim are connected to the same router via the same wifi network, not isolated from each other, in a case where you are using wifi in psk for example, the attacker can already sniff everything from other clients.
Therefore, you can spoof packets by just responding to them directly. It is a lot simpler and takes a lot less time (since you just need to respond faster than the server with the right seq and port numbers).
Once you are in the same network you can do even crazier stuff like arp spoofing and then let the victim think that you are the router and convince it to send all of its packets to you (https://en.m.wikipedia.org/wiki/ARP_spoofing)
Edit: on a second thought, maybe in a use case where the victim and the attacker are in different wifi networks (or just configured to be isolated ), the attacker should be able to perform a denial of service for a specific ip:port by sending RST and then ACK with every possible source port.
Also only works with non encrypted conns (ftp, http), that one should not be using.
And like you say on open or PSK networks you can do worst stuff (if isolation is not enable arp spoofing the default G will be way worst then this)
These are not theoretical concerns though. For example, since SSH uses a trust on first use model as opposed to a central trust/web of trust model, they can direct the victim to a different SSH server if they're connecting to a new one, and intercept all traffic.
(Edit: Even with HTTPS, there are other ways to MITM a connection because each trusted CA is considered an equal. For example, instead of doing a full-on MITM on a service which is likely to be detected[1], a better solution may be to obtain a certificate and target the specific user.)
Well, of the three mitigations suggested in the article:
1 - Random NAT port allocation
Seems like the answer is "not by default." According to iptables(8), SNAT defaults to using the pre-translated ports whenever possible, so it's up to the connecting client (victim's TCP stack) to randomly select source ports. There is a "--to-ports" option that lets you limit the usable source ports, but it's not mentioned how the ports are selected in that case.
2 - Reverse Path Validation
I'm not really sure how this helps in the described situation. If the attacker and the victim are on the same wifi access point, then both of their traffic will be sourced from the same network interface, so even strict RFC 3704 validation will pass for spoofed packets from the attacker. But for completeness, you can turn that on by setting a sysctl (rp_filter = 1).
3 - TCP window checking
I _believe_ that the vanilla linux kernel does check this by default, as the mentioned adjustments to OpenWRT seem to be removing a non-standard option to disable the TCP window checking
In general there are usually rules that prevent cross-forwarding traffic, and thus traffic over wifi is isolated from each client (unless you need to share a home NAS/printer this should remain enabled.)
Most if not all modern routers have this feature, and also the ability to turn off the dumpster-fire that is UPnP and flaky port-trigger mods. Additionally, some add packet marking rules, which is often also used to enforce fair bandwidth sharing. Yet note this can be a nonstandard controversial gray-area.
One could also use a private cert based VPN + Kerberos with firewall client pre-set rules on any un-trusted/open access points.
I would have assumed linux conntrack to do more rigorous "tcp window checking" as an assumption, however the article also notes they received a positive response from OpenWRT who implemented a mitigation, so I am curious to see the details of that mitigation.
TCP sequence numbers are not a security mechanism, they are a data ordering mechanism. If you want security, use encryption like IPSec or TLS. This has been the state of things since TCP was invented in 1980. Someone new discovers it all the time.
They are effectively authentication cookies, but the cookies are too short, but at least they turn over frequently and you have to send a few gigabytes of data to guess one.
Almost every internet security mechanism relies on nobody guessing secret numbers, but normally they are sized appropriately.
[+] [-] egberts1|1 year ago|reply
Vulnerability is in Double-Hash Port Selection (DHPS, IETF RFC 6056)
Fixed in Linux 5.17.9 and above using a variant of DHPS.
Linux sysctl:
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Also Firefox Only HTTPS must be enabled to prevent JavaScript from performing dwell on hidden unsecure HTTP DOM frame.
----
https://support.mozilla.org/mk/questions/1359401
https://arxiv.org/pdf/2209.12993
https://github.com/0xkol/rfc6056-device-tracker
https://www.rfc-editor.org/rfc/rfc6056.html
[+] [-] sambazi|1 year ago|reply
[+] [-] blahgeek|1 year ago|reply
[+] [-] ytch|1 year ago|reply
Libp2p: https://docs.libp2p.io/concepts/nat/hole-punching/
B̶o̶t̶h̶ (update: Only Libp2p works with TCP) use similar method for hold-punching. Libp2p can use such method for establishing direct connection between hosts behind different NAT networks.
[+] [-] Wheaties466|1 year ago|reply
its meant to speed up connections and allow for more throughput through a router.
[+] [-] patrakov|1 year ago|reply
[+] [-] damsalor|1 year ago|reply
[+] [-] reflexe|1 year ago|reply
Since the threat model is that the attacker and the victim are connected to the same router via the same wifi network, not isolated from each other, in a case where you are using wifi in psk for example, the attacker can already sniff everything from other clients.
Therefore, you can spoof packets by just responding to them directly. It is a lot simpler and takes a lot less time (since you just need to respond faster than the server with the right seq and port numbers). Once you are in the same network you can do even crazier stuff like arp spoofing and then let the victim think that you are the router and convince it to send all of its packets to you (https://en.m.wikipedia.org/wiki/ARP_spoofing)
Edit: on a second thought, maybe in a use case where the victim and the attacker are in different wifi networks (or just configured to be isolated ), the attacker should be able to perform a denial of service for a specific ip:port by sending RST and then ACK with every possible source port.
[+] [-] vass77|1 year ago|reply
[+] [-] theamk|1 year ago|reply
[+] [-] supriyo-biswas|1 year ago|reply
(Edit: Even with HTTPS, there are other ways to MITM a connection because each trusted CA is considered an equal. For example, instead of doing a full-on MITM on a service which is likely to be detected[1], a better solution may be to obtain a certificate and target the specific user.)
[1] http://notes.valdikss.org.ru/jabber.ru-mitm/
[+] [-] fullspectrumdev|1 year ago|reply
[+] [-] SebFender|1 year ago|reply
[+] [-] fulafel|1 year ago|reply
[+] [-] sambazi|1 year ago|reply
[+] [-] aidenn0|1 year ago|reply
[+] [-] zootboy|1 year ago|reply
1 - Random NAT port allocation
Seems like the answer is "not by default." According to iptables(8), SNAT defaults to using the pre-translated ports whenever possible, so it's up to the connecting client (victim's TCP stack) to randomly select source ports. There is a "--to-ports" option that lets you limit the usable source ports, but it's not mentioned how the ports are selected in that case.
2 - Reverse Path Validation
I'm not really sure how this helps in the described situation. If the attacker and the victim are on the same wifi access point, then both of their traffic will be sourced from the same network interface, so even strict RFC 3704 validation will pass for spoofed packets from the attacker. But for completeness, you can turn that on by setting a sysctl (rp_filter = 1).
3 - TCP window checking
I _believe_ that the vanilla linux kernel does check this by default, as the mentioned adjustments to OpenWRT seem to be removing a non-standard option to disable the TCP window checking
https://github.com/openwrt/openwrt/commit/75e78bcaab847557ce...
[+] [-] Joel_Mckay|1 year ago|reply
Most if not all modern routers have this feature, and also the ability to turn off the dumpster-fire that is UPnP and flaky port-trigger mods. Additionally, some add packet marking rules, which is often also used to enforce fair bandwidth sharing. Yet note this can be a nonstandard controversial gray-area.
One could also use a private cert based VPN + Kerberos with firewall client pre-set rules on any un-trusted/open access points.
YMMV, =3
[+] [-] lathiat|1 year ago|reply
[+] [-] hamilyon2|1 year ago|reply
[+] [-] suprjami|1 year ago|reply
[+] [-] immibis|1 year ago|reply
Almost every internet security mechanism relies on nobody guessing secret numbers, but normally they are sized appropriately.
[+] [-] goodpoint|1 year ago|reply
[+] [-] the8472|1 year ago|reply
[+] [-] suprjami|1 year ago|reply
[+] [-] binkHN|1 year ago|reply
[+] [-] hackernudes|1 year ago|reply
[+] [-] vzaliva|1 year ago|reply
[+] [-] bustling-noose|1 year ago|reply
[+] [-] johnklos|1 year ago|reply
[+] [-] Xocial|1 year ago|reply
[+] [-] Wheaties466|1 year ago|reply
[+] [-] MacrohardDoors|1 year ago|reply
[+] [-] khrbtxyz|1 year ago|reply
[+] [-] eru|1 year ago|reply