If UDP or TCP injection can be reliably blocked with a BPF [1] and the header values of the injected packets are static, it is possible to exfiltrate those values through a series of tests that bisect the binary value of each header field in successive BPF filters. IPv4 has an 8-bit TTL [2] and a 16-bit Fragment ID; IPv6 has a Hop Limit [2] (its name for the TTL).
TTL exfiltration tricks are not needed for UDP, since the TTL of each received datagram is available directly through the IP_RECVTTL socket option.
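The bisection described above, as an added example that is not part of the original notes. It builds one pcap-style filter per step (`ip[8]` for the IPv4 TTL, `ip[4:2]` for the Fragment ID, `ip6[7]` for the IPv6 Hop Limit) and narrows the value with the "does the connection survive with this filter installed" answer; the oracle here is a constructed stand-in for the real measurement, and the `FIELDS` table, `drop_filter` and `survives` names are assumptions of this example.

```python
"""Recover a static header value of injected packets by bisecting
BPF filters. Example code added to these notes, not from them."""
from typing import Callable, List, Tuple

# pcap filter expression and width of each header field from the notes.
FIELDS = {
    "ipv4_ttl": ("ip[8]", 8),          # IPv4 TTL, byte offset 8
    "ipv4_frag_id": ("ip[4:2]", 16),   # IPv4 Identification, 2 bytes at offset 4
    "ipv6_hop_limit": ("ip6[7]", 8),   # IPv6 Hop Limit, byte offset 7
}

def drop_filter(field_expr: str, threshold: int) -> str:
    """Accept everything except injected RSTs whose field is >= threshold.
    Installing this is the 'block' test for one bisection step."""
    return f"not (tcp[tcpflags] & tcp-rst != 0 and {field_expr} >= {threshold})"

def bisect_header(field: str, survives: Callable[[str], bool]) -> Tuple[int, List[str]]:
    """Binary-search the static value. survives(flt) is True when the
    connection is no longer reset with flt installed, i.e. the injected
    packet was dropped, so its field value is >= the threshold in flt.
    Needs exactly <bits> connection attempts; assumes the value really
    is static (multi-path routing can make a TTL drift by a hop or two)."""
    expr, bits = FIELDS[field]
    lo, hi = 0, (1 << bits) - 1
    tried: List[str] = []
    while lo < hi:
        mid = (lo + hi + 1) // 2
        flt = drop_filter(expr, mid)
        tried.append(flt)
        if survives(flt):
            lo = mid            # injected value is >= mid
        else:
            hi = mid - 1        # injected value is < mid
    return lo, tried

def simulated_oracle(true_value: int, field: str) -> Callable[[str], bool]:
    """Constructed stand-in for a real measurement: parse the threshold
    back out of the filter text and compare it with the hidden value."""
    def survives(flt: str) -> bool:
        threshold = int(flt.rsplit(">=", 1)[1].rstrip(")").strip())
        return true_value >= threshold
    return survives

if __name__ == "__main__":
    # Hidden static TTL of 57 (constructed) is recovered in 8 tests.
    value, filters = bisect_header("ipv4_ttl", simulated_oracle(57, "ipv4_ttl"))
    print(value, len(filters))
```

In a real run each `survives` call is one TCP connection attempt with the filter attached to the socket via SO_ATTACH_FILTER; a 16-bit Fragment ID costs 16 attempts.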
TBD: is the IPv6 Flow Label a useful value? Any IPv6 extension headers? Which TCP packet bits are useful? Window size? Presence of ACK in the RST? TCP options?
TBD: is it possible to exfiltrate the presence of a RST packet ignored by the TCP stack?
[1]: unfortunately, eBPF, which would be so useful for metadata exfiltration, is whitelisted only for the Android system, not for applications.
[2]: the TTL seen in an incoming packet is different from the hop distance gathered via a traceroute. Also, a "static" TTL may vary slightly because of possible multi-path routes from the injecting server.
- AS6697, Beltelecom, Belarus blocks Tor by injecting TCP RST
- Egypt had equipment injecting TCP RST with static IP Fragment IDs