[lwip-devel] [patch #10270] Idle-scan vulnerability fix
From: Samuel Martin
Subject: [lwip-devel] [patch #10270] Idle-scan vulnerability fix
Date: Wed, 3 Aug 2022 09:13:41 -0400 (EDT)
URL:
<https://savannah.nongnu.org/patch/?10270>
Summary: Idle-scan vulnerability fix
Project: lwIP - A Lightweight TCP/IP stack
Submitter: smartin
Submitted: Wed 03 Aug 2022 01:13:40 PM UTC
Category: TCP
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Wed 03 Aug 2022 01:13:40 PM UTC By: Samuel Martin <smartin>
= Overview =
This series aims at making it impossible to leverage devices running the LwIP network
stack as zombie machines in an idle-scan attack.
The implemented solution consists of forcing the IP ID field to 0 for small
TCP packets, instead of using the automatically incremented value.
= Tests =
== IP ID field set to 0 on TCP handshake messages ==
10.153.24.244 is the device running a LwIP stack
=== Without this fix ===
z$ sudo hping3 -S 10.153.24.244 -p 5001 -c 10
HPING 10.153.24.244 (wlp2s0 10.153.24.244): S set, 40 headers + 0 data bytes
len=44 ip=10.153.24.244 ttl=255 id=82 sport=5001 flags=SA seq=0 win=3000 rtt=111.9 ms
len=44 ip=10.153.24.244 ttl=255 id=83 sport=5001 flags=SA seq=1 win=3000 rtt=71.8 ms
len=44 ip=10.153.24.244 ttl=255 id=84 sport=5001 flags=SA seq=2 win=3000 rtt=55.8 ms
len=44 ip=10.153.24.244 ttl=255 id=85 sport=5001 flags=SA seq=3 win=3000 rtt=111.7 ms
len=44 ip=10.153.24.244 ttl=255 id=86 sport=5001 flags=SA seq=4 win=3000 rtt=71.3 ms
len=44 ip=10.153.24.244 ttl=255 id=88 sport=5001 flags=SA seq=5 win=3000 rtt=47.3 ms
len=44 ip=10.153.24.244 ttl=255 id=90 sport=5001 flags=SA seq=6 win=3000 rtt=79.1 ms
len=44 ip=10.153.24.244 ttl=255 id=91 sport=5001 flags=SA seq=7 win=3000 rtt=62.8 ms
len=44 ip=10.153.24.244 ttl=255 id=92 sport=5001 flags=SA seq=8 win=3000 rtt=110.6 ms
len=44 ip=10.153.24.244 ttl=255 id=95 sport=5001 flags=SA seq=9 win=3000 rtt=54.5 ms
--- 10.153.24.244 hping statistic ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 47.3/77.7/111.9 ms
z$ sudo hping3 -SA 10.153.24.244 -p 5001 -c 3
HPING 10.153.24.244 (wlp2s0 10.153.24.244): SA set, 40 headers + 0 data bytes
len=40 ip=10.153.24.244 ttl=255 id=101 sport=5001 flags=RA seq=0 win=47115 rtt=108.1 ms
len=40 ip=10.153.24.244 ttl=255 id=102 sport=5001 flags=RA seq=1 win=47115 rtt=51.9 ms
len=40 ip=10.153.24.244 ttl=255 id=105 sport=5001 flags=RA seq=2 win=47115 rtt=99.8 ms
--- 10.153.24.244 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 51.9/86.6/108.1 ms
=== With this fix ===
z$ sudo hping3 -S 10.153.24.244 -p 5001 -c 10
HPING 10.153.24.244 (wlp2s0 10.153.24.244): S set, 40 headers + 0 data bytes
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=0 win=3000 rtt=108.0 ms
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=1 win=3000 rtt=51.9 ms
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=2 win=3000 rtt=111.8 ms
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=3 win=3000 rtt=55.7 ms
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=4 win=3000 rtt=59.6 ms
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=5 win=3000 rtt=47.5 ms
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=6 win=3000 rtt=63.5 ms
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=7 win=3000 rtt=103.5 ms
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=8 win=3000 rtt=67.3 ms
len=44 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=SA seq=9 win=3000 rtt=43.1 ms
--- 10.153.24.244 hping statistic ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 43.1/71.2/111.8 ms
z$ sudo hping3 -SA 10.153.24.244 -p 5001 -c 3
HPING 10.153.24.244 (wlp2s0 10.153.24.244): SA set, 40 headers + 0 data bytes
len=40 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=RA seq=0 win=47115 rtt=100.1 ms
len=40 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=RA seq=1 win=47115 rtt=47.9 ms
len=40 ip=10.153.24.244 ttl=255 id=0 sport=5001 flags=RA seq=2 win=47115 rtt=51.9 ms
--- 10.153.24.244 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 47.9/66.6/100.1 ms
== nmap idle-scan test ==
The test setup is:
* 10.153.25.204: attacker (device on which nmap commands are run)
* 10.153.24.42: target (device having an http server running and listening on port 8080)
* 10.153.24.162: zombie (device running the LwIP stack)
The nmap idle-scan test is run on the following ports on the target:
* 22: closed
* 80: closed
* 5001: closed
* 8080: open (http server)
z$ nmap -A -T4 10.153.24.42
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-02 14:14 CEST
Nmap scan report for 10.153.24.42
Host is up (0.060s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
[...]
8080/tcp open http SimpleHTTPServer 0.6 (Python 3.6.8)
[...]
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.59 seconds
=== Without this fix ===
z$ sudo nmap -Pn -sI 10.153.24.162:5001 -p 22,80,5001,8080 10.153.24.42
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-02 14:22 CEST
Idle scan using zombie 10.153.24.162 (10.153.24.162:5001); Class: Incremental
Nmap scan report for 10.153.24.42
Host is up (0.17s latency).
PORT STATE SERVICE
22/tcp closed|filtered ssh
80/tcp closed|filtered http
5001/tcp closed|filtered commplex-link
8080/tcp open http-proxy
MAC Address: AC:2B:6E:F1:5C:6B (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 5.01 seconds
=== With this fix ===
z$ sudo nmap -Pn -sI 10.153.24.162:5001 -p 22,80,5001,8080 10.153.24.42
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-02 14:26 CEST
Idle scan zombie 10.153.24.162 (10.153.24.162) port 5001 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.
QUITTING!
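The mechanism the comment describes, and the check its hping3 runs perform by eye, can be modelled in a few lines. The following C block is an added illustration written for this page; it is not lwIP's code and not the content of the attached patches. `ip4_pick_id` models the choice between the legacy incrementing ID and a forced zero ID for TCP datagrams no larger than the 68-byte IPv4 minimum MTU (an assumption taken from RFC 791; the actual threshold the patches use is in the attachments, not on this page), and `classify_ipid` sorts an observed ID sequence into incremental, all-zero or other, which is the property nmap reports as "Class: Incremental" above. All function and constant names are hypothetical.

```c
/* Added illustration for this page, not lwIP's code: a model of the
 * "zero IP ID for small TCP packets" mitigation and a classifier for the
 * IP ID sequences observed with hping3. Names and the 68-byte threshold
 * (RFC 791 minimum IPv4 link MTU) are assumptions, not taken from the patches. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP4_MIN_MTU_ASSUMED 68u  /* assumption: RFC 791 minimum IPv4 link MTU */
#define IP_PROTO_TCP        6u

/* Model of the stack-wide counter the legacy behaviour increments per datagram. */
static uint16_t g_ip_id_counter = 0;

/* Choose the Identification value for an outgoing IPv4 datagram.
 * A datagram no larger than the minimum MTU can never be fragmented, so its
 * ID is never consulted by reassembly and a constant 0 costs nothing. */
uint16_t ip4_pick_id(uint16_t total_len, uint8_t proto)
{
    if (proto == IP_PROTO_TCP && total_len <= IP4_MIN_MTU_ASSUMED)
        return 0;                 /* the mitigation: counter is not exposed */
    return ++g_ip_id_counter;     /* legacy behaviour: global increment */
}

/* Produce the IDs a run of n equally sized TCP replies would carry. */
void simulate_tcp_replies(uint16_t total_len, size_t n, uint16_t *ids_out)
{
    for (size_t i = 0; i < n; i++)
        ids_out[i] = ip4_pick_id(total_len, IP_PROTO_TCP);
}

enum ipid_class { IPID_ALL_ZERO, IPID_INCREMENTAL, IPID_OTHER };

/* Classify an observed ID sequence: all zeros (mitigated), small positive
 * steps (a global counter leaks through), or anything else. The step bound
 * of 16 tolerates IDs consumed by unrelated traffic between probes, as in
 * the "without this fix" run above (82, 83, ..., 88, 90, ..., 95). */
enum ipid_class classify_ipid(const uint16_t *ids, size_t n)
{
    size_t zeros = 0, small_steps = 0;
    for (size_t i = 0; i < n; i++) {
        if (ids[i] == 0)
            zeros++;
        if (i > 0) {
            uint16_t delta = (uint16_t)(ids[i] - ids[i - 1]); /* wraps mod 2^16 */
            if (delta >= 1 && delta <= 16)
                small_steps++;
        }
    }
    if (n > 0 && zeros == n)
        return IPID_ALL_ZERO;
    if (n >= 2 && small_steps == n - 1)
        return IPID_INCREMENTAL;
    return IPID_OTHER;
}

static const char *class_name(enum ipid_class c)
{
    switch (c) {
    case IPID_ALL_ZERO:    return "all-zero (counter not exposed)";
    case IPID_INCREMENTAL: return "incremental (counter exposed)";
    default:               return "other";
    }
}

int main(void)
{
    /* Constructed from the hping3 runs quoted above. */
    const uint16_t observed_before[] = {82, 83, 84, 85, 86, 88, 90, 91, 92, 95};
    const uint16_t observed_after[]  = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    uint16_t ids[10];

    printf("observed before fix: %s\n", class_name(classify_ipid(observed_before, 10)));
    printf("observed after fix:  %s\n", class_name(classify_ipid(observed_after, 10)));

    simulate_tcp_replies(44, 10, ids);    /* SYN/ACK-sized replies, as in the test */
    printf("model, 44-byte replies:   %s\n", class_name(classify_ipid(ids, 10)));
    simulate_tcp_replies(1500, 10, ids);  /* full-size data segments keep the counter */
    printf("model, 1500-byte replies: %s\n", class_name(classify_ipid(ids, 10)));
    return 0;
}
```

The model makes the scope of the mitigation explicit: only datagrams that can never be fragmented get the constant ID, because a zero ID on a fragmentable datagram would collide in the receiver's reassembly queue. The 40- and 44-byte SYN/ACK and RST/ACK replies in the hping3 runs fall well under the threshold, which is why the "with this fix" output shows id=0 throughout and nmap refuses the device as a zombie.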
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 03 Aug 2022 01:13:40 PM UTC Name: 0001-ip4-Add-IP_MIN_FRAG_LENGTH-definition.patch Size: 1KiB By: smartin
<http://savannah.nongnu.org/patch/download.php?file_id=53499>
-------------------------------------------------------
Date: Wed 03 Aug 2022 01:13:40 PM UTC Name: 0002-ip4-Add-IP4_MIN_MTU_LENGTH-definition.patch Size: 857B By: smartin
<http://savannah.nongnu.org/patch/download.php?file_id=53500>
-------------------------------------------------------
Date: Wed 03 Aug 2022 01:13:40 PM UTC Name: 0003-ip4-tcp-send-zero-IP_ID-for-small-packets.patch Size: 2KiB By: smartin
<http://savannah.nongnu.org/patch/download.php?file_id=53501>
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/patch/?10270>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/