Hijacking VPN-tunneled TCP connections

teckk · 2019-12-07 15:13:36

Interesting, has this been talked about already? Someone posted about it on LQ.
https://seclists.org/oss-sec/2019/q4/122

xerxes_ · 2019-12-07 22:39:03

It looks like Arch Linux is also vulnerable to this attack, so if someone is using VPN and care about this, can override settings in file /usr/lib/sysctl.d/50-default.conf with file created in /etc/sysctl.d/90-override.conf with, for example settings:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp10s.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.other_network_interface.rp_filter = 1

and restart service/reboot machine.
Test by:

sysctl -a 2>/dev/null | grep "\.rp_filter"

See https://access.redhat.com/solutions/53031

nl6720 · 2019-12-08 08:03:03

xerxes_ wrote:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp10s.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.other_network_interface.rp_filter = 1

If you want the value to be 1 for all interfaces, then just set net.ipv4.conf.all.rp_filter. Or alternatively net.ipv4.conf.default.rp_filter and reboot. The biggest value between net.ipv4.conf.interface and net.ipv4.conf.all wins, read https://www.kernel.org/doc/Documentatio … sysctl.txt . I wanted to write "strongest value" not "biggest value", but rereading the docs, it says "max value", so I'm not that certain anymore.

xerxes_ wrote:

sysctl -a 2>/dev/null | grep "\.rp_filter"

sysctl(8) supports regex pattern matching:

sysctl -ar '\.rp_filter'

If I understand correctly, net.ipv4.conf.*.rp_filter only affects IPv4, for IPv6 you need firewall rules.
It looks like the nft(8) man page has examples for rpfilter and strong host model. Though I'm not sure what should be their exact placement. And they're also bound to break something.

Last edited by nl6720 (2019-12-08 08:14:33)

loqs · 2019-12-09 22:00:50

@nl6720 I read

The max value from conf/{all,interface}/rp_filter is used
	when doing source validation on the {interface}.

To mean the max of net net.ipv4.conf.all.rp_filter and net.ipv4.conf.interface.rp_filter will be used.
So loose overrides strict overrides none.
However if

net.ipv4.conf.all.rp_filter = 1

is set before any interfaces are created then that value will also be used as the per interface value,
which is why /usr/lib/sysctl.d/50-default.conf only needs to set one value.
Edit:
Wireguard discussion referencing the same nft FIB filtering https://lore.kernel.org/wireguard/860fe … gmail.com/

Last edited by loqs (2019-12-09 22:17:45)

Arch Linux

#1 2019-12-07 15:13:36

Hijacking VPN-tunneled TCP connections

#2 2019-12-07 22:39:03

Re: Hijacking VPN-tunneled TCP connections

#3 2019-12-08 08:03:03

Re: Hijacking VPN-tunneled TCP connections

#4 2019-12-09 22:00:50

Re: Hijacking VPN-tunneled TCP connections

Board footer