You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There are iptables rules that permits tools like tcptraceroute to work, by allowing incoming packets with a TTL (or hop limit) of 1 or lower. This rule only looks at TTL, which the source can control and set to a value which will be decremented to 1 by intermediate routers by the time it reaches the control plane filters. This makes it trivial for an attacker to bypass all filters.
iptables -A INPUT -m ttl --ttl-lt 2 -j ACCEPT ip6tables -A INPUT -p tcp -m hl --hl-lt 2 -j ACCEPT
$ nc 172.18.0.154 22 -M 1 -v
nc: connect to 172.18.0.154 port 22 (tcp) failed: No route to host
$ nc 172.18.0.154 22 -M 2 -v
Connection to 172.18.0.154 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
^C
$ nc 172.18.0.154 22 -M 3 -v
^C
Describe the results you expected:
No connection, regardless of TTL. In my opinion there shouldn't be any special rule for TCP traceroute. If someone is not permitted to connect to a specific port, then that someone shouldn't receive any reply at all with a TCP traceroute to that port. Legit troubleshooters will match the "permit SSH" rule when doing a TCP traceroute to port 22, for example.
Question: This rule is currently after all the IP2ME drop rules, so how is this impacting?
Correct, this is in the best case less severe than e.g. #9916. But it's still troublesome.
For scenarios without any custom control plane ACLs installed this rule does nothing, so there is no issue.
However the final DROP that is enabled when you install custom control plane ACLs are after this ACCEPT - so essentially this allows any explicitly undefined traffic to be accepted.
Put in another way, for an attacker it is if the final DROP wasn't there.
This fact also of course compounds with the IP2ME logic producing an ineffective result (for uninitiated readers; see #9826) for a lot of configurations resulting in that it is quite easy to generate traffic that is not blocked by any previous rule and then finally be accepted by this TTL one.
Description
There are iptables rules that permits tools like tcptraceroute to work, by allowing incoming packets with a TTL (or hop limit) of 1 or lower. This rule only looks at TTL, which the source can control and set to a value which will be decremented to 1 by intermediate routers by the time it reaches the control plane filters. This makes it trivial for an attacker to bypass all filters.
iptables -A INPUT -m ttl --ttl-lt 2 -j ACCEPT
ip6tables -A INPUT -p tcp -m hl --hl-lt 2 -j ACCEPT
Steps to reproduce the issue:
Describe the results you received:
Packets with TTL = 1 are permitted:
Works with one router hop as well:
Describe the results you expected:
No connection, regardless of TTL. In my opinion there shouldn't be any special rule for TCP traceroute. If someone is not permitted to connect to a specific port, then that someone shouldn't receive any reply at all with a TCP traceroute to that port. Legit troubleshooters will match the "permit SSH" rule when doing a TCP traceroute to port 22, for example.
Output of
show version
:Additional information you deem important (e.g. issue happens only occasionally):
Control plane ACL used:
The text was updated successfully, but these errors were encountered: