new results for the ptb pts
play

New Results for the PTB-PTS Attack on Tunneling Gateways Vincent - PowerPoint PPT Presentation

Jul 08, 2023 •379 likes •597 views

New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou Fall Jean-Louis Roch GreHack15, Grenoble, November 20 th 2015 1 New Results for the PTB-PTS Attack on Tunneling Gateways Packet Too Big (PTB) or

  1. New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou Fall Jean-Louis Roch GreHack’15, Grenoble, November 20 th 2015 1

  2. New Results for the PTB-PTS Attack on Tunneling Gateways Packet Too Big (PTB) or Packet Too Small (PTS)? The underlying idea 2

  3. New Results for the PTB-PTS Attack on Tunneling Gateways About packet sizes and tunnel  two gateways establish a tunnel to connect two remote LANs (or sites) packet size S host A gateway G encapsulates packets LAN tunnel packet size H+S Internet packet size S host B decapsulates packets gateway H LAN 3

  4. New Results for the PTB-PTS Attack on Tunneling Gateways About packet sizes and tunnel… (cont’)  each link has a Maximum Transmission Unit (MTU) o maximum allowed frame size on that link o e.g. 1500 bytes for Ethernet (i.e., 1460 b. or less at TCP level)  Path MTU (PMTU) is the min. MTU along the path  a packet larger than a link’s MTU is either o dropped and an error ICMP “Packet Too Big” (PTB) message containing the MTU is returned to sender, or o fragmented if feasible (iff. IPv4 with DF bit clear)  each link MUST guaranty a minimum MTU o IPv4 576 bytes o IPv6 1280 bytes o essentially here for performance reasons 4

  5. New Results for the PTB-PTS Attack on Tunneling Gateways The issue  what happens if G’s outgoing link is already at MTU 576 bytes (IPv4)?  then we need H+S ≤ 576, which implies that S ≤ 576 - H packet size S host A gateway G encapsulates packets packet size H+S outgoing link MTU=576 Internet 5

  6. New Results for the PTB-PTS Attack on Tunneling Gateways The issue – an experimental example  G tunneling A’s traffic using IPsec (Linux/ Debian) gateway host A G packet of size 836, DF=1 ICMP PTB, MTU=514 bytes* MTU=576 impossible, packet size 552**, DF=1 ICMP PTB, MTU=514 bytes* … impossible, packet size 552**, DF=1 … deadlock! * 514 bytes because of IPsec ESP header ** 552 is minimum PMTU value on Linux/Debian 6

  7. New Results for the PTB-PTS Attack on Tunneling Gateways And now the exploit! 7

  8. New Results for the PTB-PTS Attack on Tunneling Gateways Attacker model  “On path” attacker  Eavesdrop and inject traffic on the WAN  IPsec cryptographic ciphers deemed secure IPsec or IPIP host A gateway G Secure LAN Linux or Windows Unsecure WAN “on path” attacker (e.g. Internet) host B gateway H Secure LAN 8

  9. New Results for the PTB-PTS Attack on Tunneling Gateways Description of the exploit  Resetting gateway G’s PMTU  the attacker needs to be on the tunnel path o eavesdrops a tunneled packet o forges an ICMP PTB message • Including a copy of the eavesdropped packet to bypass IPsec security check w.r.t. ICMP error messages  the attacker can use a compromised router…  … or be a simple host attached to a non-encrypted WiFi o if a user uses a tunnel from a laptop (on gateway H) to a remote network, and is attached to a non-encrypted WiFi, then we can attack the remote tunnel gateway  a single “well formed” ICMP PTB packet is sufficient to launch the attack! 9

  10. New Results for the PTB-PTS Attack on Tunneling Gateways Detail of the exploit  Debian IPsec gateway  Ubuntu client, TCP traffic, IPv4 with PMTUD 0 (Any IPsec protected packet) 10

  11. New Results for the PTB-PTS Attack on Tunneling Gateways Another PMTU discovery to the rescue?  Packetization Layer Path MTU Discovery (PLPMTUD)  Developed to mitigate ICMP “black holes” o no dependency on ICMP any more  Relies on “probes” and “feedbacks” to adjust pack et sizes  compatible with TCP o TCP ACK are used as feedbacks  the TCP packet size can be reduced below the 576 minimum MTU (in IPv4) if needed o e.g., 256 bytes + headers 11

  12. New Results for the PTB-PTS Attack on Tunneling Gateways PLPMTUD only mitigates the exploit  Ubuntu client, TCP traffic, IPv4 with PLPMTUD 0 (Any IPsec protected packet) 12

  13. New Results for the PTB-PTS Attack on Tunneling Gateways Some additional tests  UDP traffic with PMTUD  IPv6  Windows 7, with default configuration  IPIP tunnel 13

  14. New Results for the PTB-PTS Attack on Tunneling Gateways Ubuntu client results TCP, IPv4, PMTUD DoS: no connection possible any more IPsec tunnel (TCP closes after 2 min.) TCP, IPv4, PLPMTUD Major performance impacts: IPsec tunnel 6.5s initial freeze, tiny packets (MSS = 256) UDP, IPv4, PMTUD Major performance impacts: IPsec tunnel tiny packets TCP, IPv6, PMTUD DoS: no connection possible any more IPsec tunnel (TCP closes after 2 min.) TCP, IPv6, PLPMTUD Major performance impacts: IPsec tunnel 3.3s initial freeze, small packets (MSS = 504) TCP, IPv4, PMTUD Major performance impacts: IPIP tunnel 7 min. initial freeze, tiny packets (MSS = 256) TCP, IPv4, PLPMTUD Major performance impacts: IPIP tunnel 6.7s initial freeze, small packets 14

  15. New Results for the PTB-PTS Attack on Tunneling Gateways Windows 7 client results TCP, IPv4 Major performance impacts: IPsec tunnel fragmented packets (548 and 120) TCP, IPv6 DoS: no connection possible any more IPsec tunnel (TCP closes after 21 sec.) TCP, IPv4 DoS: no connection possible any more IPIP tunnel (TCP closes after 35 sec.)  Really strange behavior in TCP/IPv4/IPsec tests  Windows reset the “Don’t Fragment” bit after the first error  It keeps increasing TCP segment size… up to ~64 kB!!!  The gateway needs to fragment into smaller packet which is highly inefficient  Similar results with Windows 10 15

  16. New Results for the PTB-PTS Attack on Tunneling Gateways Conclusions 16

  17. New Results for the PTB-PTS Attack on Tunneling Gateways A highly effective attack  A single packet is enough to launch the attack  Only needs to eavesdrop one packet of the tunnel  The gateway and client cannot agree  Once the attacker created confusion he can pull out  Works on all client OSes  Highly effective, no matter the client configuration, leading either to DoS or major performance impacts  There is no good solution to deal with it! 17

  18. New Results for the PTB-PTS Attack on Tunneling Gateways Two issues highlighted  Tunnels and small PMTU  The client rejects request to use an MTU smaller than the “minimum guaranteed” o The client does not know this is motivated by IPsec or IPIP tunneling at the gateway o … and in any case it infringes the minimum MTU  Legitimacy of untrusted ICMP PTB packets  IPsec sanity check is not fully reliable and is by-passed if the attacker is on the path 18

  19. New Results for the PTB-PTS Attack on Tunneling Gateways Some counter-measures  Trivial and unsatisfying  Ignore DF bit at a tunneling gateway o E.g., as suggested by CISCO IPsec configuration guide!  Ignore any ICMP PTB at the gateway and let clients use PLPMTUD o But PLPMTUD won’t work with UDP!  Two proposed counter-measures at a gateway  A gateway must not blindly accept an ICMP PTB advertising a tiny MTU o The gateway needs room to add tunneling headers  A gateway should assess untrusted ICMP PTB o Add a probing scheme between tunneling gateways, similarly to PLPMTUD, to check the Path MTU 19

  20. New Results for the PTB-PTS Attack on Tunneling Gateways Thank you 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RESULTS Hotline! 1 The RESULTS Team Simon Buckingham

RESULTS Hotline! 1 The RESULTS Team Simon Buckingham

Write this Down! RESULTS Hotline! 1 The RESULTS Team Simon Buckingham RESULTS Coach 2 The RESULTS Team Brendan Kelly RESULTS Coach The RESULTS Team Tony Lambrianos RESULTS Coach 3 The RESULTS

1.74k views • 134 slides
full year results full year results full year results full full year results full year results full

full year results full year results full year results full full year results full year results full

AMP results presentation FULL YEAR RESULTS 2010 full year results full year results full year results full full year results full year results full year results full 2010 full year results Craig Dunn Chief Executive Officer Paul Leaming Chief

691 views • 24 slides
FY13 RESULTS PRESENTATION KATHMANDU Contents Results Overview Key Line Items

FY13 RESULTS PRESENTATION KATHMANDU Contents Results Overview Key Line Items

FY13 RESULTS PRESENTATION KATHMANDU Contents Results Overview Key Line Items Country Results Cash Flow, Balance Sheet, Dividend Growth Strategy Update FY14 Outlook Questions 2 Results Overview Results

529 views • 28 slides
FLUGHAFEN WIEN GROUP CONTENTS FY 2018 Results Financial results p.3 Segment results

FLUGHAFEN WIEN GROUP CONTENTS FY 2018 Results Financial results p.3 Segment results

FLUGHAFEN WIEN GROUP CONTENTS FY 2018 Results Financial results p.3 Segment results p.20 Traffic results p.31 Appendix Vienna Airport at a Glance p.44 The Share p.52 Terminal Development Project p.52 2

809 views • 60 slides
Results Presentation T H 1 4 A U G U S T 2 0 1 7 Agenda Financial Results

Results Presentation T H 1 4 A U G U S T 2 0 1 7 Agenda Financial Results

Results Presentation T H 1 4 A U G U S T 2 0 1 7 Agenda Financial Results Markets Outlook Andi Case Jeff Woyda CEO COO/CFO 14th August 2017 2017 Interim Results 2 Results summary June 2017 June 2016 Increase

538 views • 27 slides
Welcome to RESULTS! RESULTS is a movement of passionate, committed, everyday people. Together, we

Welcome to RESULTS! RESULTS is a movement of passionate, committed, everyday people. Together, we

Welcome to RESULTS! RESULTS is a movement of passionate, committed, everyday people. Together, we use our voices to influence political decisions that will bring an end to poverty. RESULTS New Advocate Orientation RESULTS: Who We Are & Why

588 views • 33 slides
Results presentation 01 Results overview 04 Datat sheets 03 Appendices 02 Results presentation

Results presentation 01 Results overview 04 Datat sheets 03 Appendices 02 Results presentation

for the six months ended 30 June 2020 Results presentation 01 Results overview 04 Datat sheets 03 Appendices 02 Results presentation Disclaimer 01 Results overview The information contained in this document (presentation) has not been

598 views • 37 slides
FY2019 RESULTS PRESENTATION 20 AUGUST 2019 CONTENTS 1 RESULTS OVERVIEW 2 FINANCIAL RESULTS 3

FY2019 RESULTS PRESENTATION 20 AUGUST 2019 CONTENTS 1 RESULTS OVERVIEW 2 FINANCIAL RESULTS 3

Beacon Lighting Group Limited FY2019 RESULTS PRESENTATION 20 AUGUST 2019 CONTENTS 1 RESULTS OVERVIEW 2 FINANCIAL RESULTS 3 CASH FLOW, BALANCE SHEET & DIVIDENDS 4 GROWTH STRATEGIES 5 FY2020 OUTLOOK 6 QUESTIONS 7 APPENDICES

661 views • 25 slides
H1FY2019 RESULTS PRESENTATION 19 FEBRUARY 2019 CONTENTS 1 RESULTS OVERVIEW 2 FINANCIAL

H1FY2019 RESULTS PRESENTATION 19 FEBRUARY 2019 CONTENTS 1 RESULTS OVERVIEW 2 FINANCIAL

Beacon Lighting Group Limited H1FY2019 RESULTS PRESENTATION 19 FEBRUARY 2019 CONTENTS 1 RESULTS OVERVIEW 2 FINANCIAL RESULTS 3 CASH FLOW, BALANCE SHEET & DIVIDENDS 4 GROWTH STRATEGIES 5 H2 FY2019 OUTLOOK 6 QUESTIONS RESULTS

959 views • 23 slides
Half-Year Results 19 February 2014 Results Highlights Tom Gorman, CEO Results Highlights Key

Half-Year Results 19 February 2014 Results Highlights Tom Gorman, CEO Results Highlights Key

Half-Year Results 19 February 2014 Results Highlights Tom Gorman, CEO Results Highlights Key messages Modest improvement in economic conditions in key markets supports strong sales and profit result Pallets: return on capital up on

647 views • 28 slides
Final Results March 2018 Contents About Kape Financial results Results highlights 4 Key

Final Results March 2018 Contents About Kape Financial results Results highlights 4 Key

Final Results March 2018 Contents About Kape Financial results Results highlights 4 Key performance indicators 15 Our business 6 Strategy and outlook 16 Products and expertise Appendix Market opportunity 7 Growing customer base 20

267 views • 24 slides
2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results -

2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results -

2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results - Review Angus Cockburn Chief Financial Officer 4 2012 Results Pre-Exceptional 2011 2012 Movement m m As reported Underlying Revenue 1,583

442 views • 21 slides
INVESTOR PRESENTATION 9M 2019 RESULTS AGENDA 9M 2019 Results Our Vision: Commercial Results

INVESTOR PRESENTATION 9M 2019 RESULTS AGENDA 9M 2019 Results Our Vision: Commercial Results

INVESTOR PRESENTATION 9M 2019 RESULTS AGENDA 9M 2019 Results Our Vision: Commercial Results To Be the No.1 Private Strategy & Business update Bank unique by Value of Appendix: Financials Service, Innovation and Sustainability

945 views • 53 slides
Kathmandu - FY11 Results Presentation 1 Contents Results Overview Key Line Items

Kathmandu - FY11 Results Presentation 1 Contents Results Overview Key Line Items

Kathmandu - FY11 Results Presentation 1 Contents Results Overview Key Line Items Country Results Cash Flow, Balance Sheet, Dividend Growth Strategy Update FY12 Outlook Questions 2 Results Overview

738 views • 28 slides
FY14 Results March 10 th , 2015 FY 2014 Results - Highlights Results confirm and support the

FY14 Results March 10 th , 2015 FY 2014 Results - Highlights Results confirm and support the

FY14 Results March 10 th , 2015 FY 2014 Results - Highlights Results confirm and support the solidity of the growth, in line with long term and healthy growth project, based on exclusive distribution, product excellence, craftsmanship,

710 views • 24 slides
Results Presentation for the Fiscal Year Ended March 31, 2016 April 28, 2016 1. FY2015 Results

Results Presentation for the Fiscal Year Ended March 31, 2016 April 28, 2016 1. FY2015 Results

Results Presentation for the Fiscal Year Ended March 31, 2016 April 28, 2016 1. FY2015 Results Highlights Key Financial Data, Segment Results Operational Performance 2. FY2016 Results Prospects, etc. FY2015 Results Summary U.S. GAAP

856 views • 40 slides
Outline basic ideas ICMP header format message types ICMP related command (ping

Outline basic ideas ICMP header format message types ICMP related command (ping

1 /20 ICMP: Internet Control Message Protocol Surasak Sanguanpong nguan@ku.ac.th http://www.cpe.ku.ac.th/~nguan Last updated: Aug 8, 2002 Applied Network Research Group Department of Computer Engineering,

981 views • 9 slides
Building LLVM-IR Johannes Doerfert and Christoph Mallon Saarbr ucken Graduate School of

Building LLVM-IR Johannes Doerfert and Christoph Mallon Saarbr ucken Graduate School of

Building LLVM-IR Johannes Doerfert and Christoph Mallon Saarbr ucken Graduate School of Computer Science Saarland University Saarbr ucken, Germany December 18, 2013 C4 2 / 14 C4 Frontend Lexer Parser C-Code Token Stream AST 2 /

907 views • 43 slides
Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source

Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source

Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source address? Hide the attackers activity nmap decoy option Hide the attackers identity To be able to view the responses, the attacker

548 views • 17 slides
Network Security: Scan Seungwon Shin, KAIST some slides from Dr. Brett Tjaden More about Scan

Network Security: Scan Seungwon Shin, KAIST some slides from Dr. Brett Tjaden More about Scan

Network Security: Scan Seungwon Shin, KAIST some slides from Dr. Brett Tjaden More about Scan Scan Techniques Network scanning where is a target? which service is available on a target? can I have more information? Vulnerability scanning

675 views • 30 slides
Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Linux Firewalls with iptables Concepts Examples Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 14 October 2013 Common/Reports/iptables-introduction.tex, r715

469 views • 14 slides
Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez

Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez

Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez Eduardo Magaa lizarrondo Daniel Morato Oses Mikel Izal Azkarate Index Introduction Existing techniques for alias resolution New techniques for

848 views • 41 slides
Designing accessible latency metrics Toke Hiland-Jrgensen 25th September 2013 1 / 6

Designing accessible latency metrics Toke Hiland-Jrgensen 25th September 2013 1 / 6

Designing accessible latency metrics Toke Hiland-Jrgensen 25th September 2013 1 / 6 Quantifying latency Bufferbloat is (getting) accepted in technical circles But mostly unknown to end-users Can be explained with some care

350 views • 6 slides
OFFICE HOURS ESG-CV Reporting Prepared: 9-29-2020 Call in If you are having audio difficulty

OFFICE HOURS ESG-CV Reporting Prepared: 9-29-2020 Call in If you are having audio difficulty

OFFICE HOURS ESG-CV Reporting Prepared: 9-29-2020 Call in If you are having audio difficulty using your computer, please call in using one of the following phone numbers: US Toll free +1-855-797-9485 US Toll +1-415-655-0002 Access code:

591 views • 14 slides

More recommend