an unprivileged Linux process using a BPF filter to block RST packets.
rstlss is an example of an unprivileged Linux process using a BPF filter to block certain TCP packets coming to the socket.
This specific example shows how to circumvent one-sided TCP reset attack by an on-path DPI box blocking
https://rutracker.org (as Inappropriate TCP Resets Considered Harmful). :-)
On-path DPI box is assumed to be passive, being unable to drop packets, just being able to inject some.
One-sided TCP reset attack means that RST packet is injected only towards the "client" endpoints and the "server" does not get another RST. E.g. some networks in Uganda block OpenVPN/TCP with two-sided TCP reset attacks. One has to control the server as well to mitigate two-sided attack.
Example
Following tests were done on 2019-04-19 from AS8997, OJSC Rostelecom. The vantage point observes blocking of HTTPS websites by means of SNI-based detection and one-sided RST injection to block connections.
Desktop Linux
It just runs and just works:
$ go build .
$ ./rstlss
panic: Get https://rutracker.org/robots.txt: read tcp 192.168.100.223:34176->195.82.146.214:443: read: connection reset by peer
goroutine 1 [running]:
main.main()
/home/darkk/go/src/github.com/darkk/rstlss/main.go:72 +0x69a
$ RSTLSS=1 ./rstlss | grep -C 3 rutracker
Allow: /forum/viewforum.php?f=
Allow: /forum/viewtopic.php
Disallow: /
Host: rutracker.org
User-agent: Adsbot-Google
User-agent: Googlebot-Image
$
Android
The binary is run with awesome Termux after cross-compiling the binary at the desktop:
$ CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build .
Android PoC needs DNS server specified manually due to golang/go#8877 and
net.dns1 hidden since Android 8.0. One can get DNS server from Network Details:$ RSTLSS_DNS=192.168.100.1:53 ./rstlss
panic: Get https://rutracker.org/robots.txt: read tcp 192.168.100.136:39882->195.82.146.214:443: read: connection reset by peer
goroutine 1 [running]:
main.main()
/home/darkk/go/src/github.com/darkk/rstlss/main.go:72 +0x544
$ RSTLSS_DNS=192.168.100.1:53 RSTLSS=1 ./rstlss | grep -C 3 rutracker
Allow: /forum/viewforum.php?f=
Allow: /forum/viewtopic.php
Disallow: /
Host: rutracker.org
User-agent: Adsbot-Google
User-agent: Googlebot-Image
$
Outro
This technique does not protect from malicious data being injected and effectively terminating the connection (e.g. HTTP redirect, TLS Alert or random garbage for authenticated TLS connection). Doing MAC within 4096 opcodes limit of a BPF program (~11 opcodes per dword) is left as an exercise for the reader.
from https://github.com/darkk/rstlss
----
----
an unprivileged Linux/Android process using a BPF filter to block RST packets
Small example of using BPF to block TCP RST by darkk. Works on Android, does not require root.
rstlss is an example of an unprivileged Linux process using a BPF filter to block certain TCP packets coming to the socket.
This specific example shows how to circumvent one-sided TCP reset attack by an on-path DPI box blocking 1
https://rutracker.org (as Inappropriate TCP Resets Considered Harmful ).
On-path DPI box is assumed to be passive , being unable to drop packets, just being able to inject some.
One-sided TCP reset attack means that RST packet is injected only towards the “client” endpoints and the “server” does not get another RST. E.g. some networks in Uganda block OpenVPN/TCP 1 with two-sided TCP reset attacks. One has to control the server as well to mitigate two-sided attack.
No comments:
Post a Comment