Regarding "Inferring and hijacking VPN-tunneled TCP connections"
Lonnie Abelbeck
lists at lonnie.abelbeck.com
Sat Dec 7 21:51:40 CET 2019
> On Dec 6, 2019, at 9:18 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> Hi Vasili,
>
> On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin <diggest at gmail.com> wrote:
>> I've just figured out that the same effect can also be achieved with
>> iptables:
>> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type
>> LOCAL -j DROP
>
> Neat trick, but it still requires this to run on all incoming packets
> from all interfaces, right? In other words, it enables a strong host
> model for the whole system instead of just with regards to addresses
> "owned" by the WireGuard interface. Adding support for the latter
> would get us back to the original rule we're using right now, right?
For what its worth, if some sort of basic firewall with conntrack is enabled, Step 1 of the attack is blocked with a "ctstate INVALID" rule.
Per testing in the lab, using attack "nping --tcp --flags SA ..."
For Example, VALID_CHK in the (external facing) INPUT and FORWARD chains:
--
-A VALID_CHK -m conntrack --ctstate INVALID -j DROP
--
for both iptables and ip6tables filter tables.
Is it common some sort of basic firewall with conntrack is not enabled ?
Lonnie
More information about the WireGuard
mailing list